nrpe and "Insecure SSL ciphers (DH512 Bit)" cause failed co

grolms
Posts: 2
Joined: Fri Sep 25, 2015 2:04 am

nrpe and "Insecure SSL ciphers (DH512 Bit)" cause failed co

Post by grolms »

Hi,

I am using the check_nrpe command from version nrpe-2.15
with Ubuntu Linux 14, together with NSclient++ (version NSCP-0.4.3.143-x64.msi).

Because in OpenSSL on Ubuntu the length of DH parameters must be > 768 bits
(see https://wiki.ubuntu.com/SecurityTeam/Kn ... ase/LogJam for example),
this configuration stopped working, because nrpe-2.15 and NSCP-0.4.3.143-x64.msi use DH parameters
of length 512 bits.

To fix my problems:

1. On NSclient++ I changed the file security\nrpe_dh_512.pem to a 1024-bit version using "openssl dhparam -C 1024".

2. In the source tree of nrpe-2.15 I changed the file check_nrpe.c to make use of the cipher that the command "openssl s_client" used in a test connection handshake.

//SSL_CTX_set_cipher_list(ctx,"ADH");
SSL_CTX_set_cipher_list(ctx,"DHE-RSA-AES256-GCM-SHA384");

and got a working setup:

unilab@sattelit01:~/nrpe_plugin/nrpe-2.15/src$ ./check_nrpe -H 10.100.1.21
I (0.4.3.143 2015-04-29) seem to be doing fine...


Question: I think there is a general need to reflect the "disable insecure ciphers in SSL libraries"
change in the nrpe client and server by using "secure" ciphers or by making the choice of ciphers used
more configurable.

Can this be done in upstream?

Best Regards,
Achim
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: nrpe and "Insecure SSL ciphers (DH512 Bit)" cause faile

Post by hsmith »

Hi Achim,

I suggest you submit your findings here. I can do it if you don't want to, just let me know! I figured it may be easier for you since you went through the work and troubleshooting and produced a positive result.
Former Nagios Employee.
me.
Re: nrpe and "Insecure SSL ciphers (DH512 Bit)" cause faile

Post by grolms »

Re: nrpe and "Insecure SSL ciphers (DH512 Bit)" cause faile

Post by hsmith »

Thank you for doing that :)