I'm trying to set up my NRPE server (v. 3.2.0) with TLS. The openssl version on the system is 1.0.1e. The platform is RHEL6.9. The key is 2048-bit RSA. NRPE is running as a standalone service (i.e. not via xinetd).
# grep ^ssl /etc/nagios/nrpe.cfg
ssl_version=TLSv1.2
ssl_cipher_list=EECDH+AESGCM
ssl_cacert_file=/etc/nagios/ssl/ca-chain.cert.pem
ssl_cert_file=/etc/nagios/ssl/nrpe.crt
ssl_privatekey_file=/etc/nagios/ssl/nrpe.key
ssl_logging=0x01
With the settings above, check_nrpe will not successfully negotiate an SSL handshake. In addition, both nmap and sslscan report NO ciphers supported for the connection. I will note that EECDH+AESGCM works perfectly in Apache; the supported ciphers for Apache (also using an RSA key) end up being:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
So, then I changed ssl_cipher_list to "AESGCM:!ADH". SSL now works, but the ciphers do NOT include ECDHE, only these:
Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-GCM-SHA256
I also tried completely removing the "ssl_cipher_list" specification, but with that config there are still no ECDHE ciphers in the list.
I don't understand why ECDHE isn't offered by NRPE. Can someone enlighten me?
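An added example, not part of the post above or of NRPE itself: a small Python audit over the sslscan "Accepted" lines the poster quotes. It classifies each suite by its key-exchange family from the OpenSSL cipher name, so the two things worth noticing in that scan stand out in one report: no ECDHE suite is offered at all, and two of the four accepted suites (AES256-GCM-SHA384, AES128-GCM-SHA256) use plain RSA key transport, which gives no forward secrecy. The sample input is constructed from the lines in the post; the parser assumes sslscan's "Accepted <protocol> <n> bits <cipher-name>" layout.

```python
"""Classify the cipher suites an sslscan run reports as accepted.

Added example for the thread above; not NRPE code and not the poster's.
Input format assumed: sslscan's
    Accepted <protocol> <n> bits <OpenSSL-cipher-name>
lines, one per accepted suite.
"""
import re
from dataclasses import dataclass

# Constructed sample, built from the four "Accepted" lines quoted in the
# post, plus a header line of the kind sslscan prints before them.
SAMPLE_SSLSCAN_OUTPUT = """\
  Supported Server Cipher(s):
Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-GCM-SHA256
"""

ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.MULTILINE)


@dataclass(frozen=True)
class CipherSuite:
    protocol: str   # e.g. "TLS12"
    bits: int       # symmetric key strength as reported by sslscan
    name: str       # OpenSSL cipher name


def parse_accepted(scan_output: str) -> list:
    """Return one CipherSuite per 'Accepted ...' line, in scan order."""
    return [CipherSuite(proto, int(bits), name)
            for proto, bits, name in ACCEPTED_RE.findall(scan_output)]


def key_exchange(cipher_name: str) -> str:
    """Derive the key-exchange family from an OpenSSL TLS 1.2 cipher name.

    OpenSSL names lead with the key exchange whenever it is not plain RSA:
    ECDHE-/DHE-/EDH- (ephemeral, forward secret), ECDH-/DH- (static),
    AECDH-/ADH- (anonymous, authenticates nobody). A name that starts
    directly with the bulk cipher (AES256-GCM-SHA384) uses RSA key transport.
    """
    prefixes = (
        ("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"),
        ("AECDH-", "ANON"), ("ADH-", "ANON"),
        ("ECDH-", "ECDH-static"), ("DH-", "DH-static"),
    )
    for prefix, family in prefixes:
        if cipher_name.startswith(prefix):
            return family
    return "RSA"


FORWARD_SECRET = {"ECDHE", "DHE"}


def audit(suites: list) -> dict:
    """Summarise what the accepted suites imply for the server's TLS posture."""
    families = {s.name: key_exchange(s.name) for s in suites}
    return {
        "total": len(suites),
        "ecdhe_offered": any(f == "ECDHE" for f in families.values()),
        # Suites whose session keys could be recovered later from the server's
        # long-term key: plain RSA key transport and the static DH forms.
        "non_pfs": [n for n, f in families.items()
                    if f not in FORWARD_SECRET and f != "ANON"],
        # Anonymous suites; the "!ADH" in the post's second cipher list is
        # what keeps these out.
        "anonymous": [n for n, f in families.items() if f == "ANON"],
    }


if __name__ == "__main__":
    for key, value in audit(parse_accepted(SAMPLE_SSLSCAN_OUTPUT)).items():
        print(f"{key}: {value}")
```

Run it against a real scan with `python3 audit.py < scan.txt` after swapping the constructed sample for `sys.stdin.read()`; an empty "Accepted" list (the poster's first configuration, where nmap and sslscan reported no ciphers) comes out as `total: 0` rather than an error, so the same script covers both states described in the post.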