nagios/nrpe 3.2.0 does not support ECDHE?

rcjacobson
Posts: 2
Joined: Thu Mar 29, 2018 1:08 pm

nagios/nrpe 3.2.0 does not support ECDHE?

Post by rcjacobson »

I'm trying to set up my NRPE server (v. 3.2.0) with TLS. openssl version on the system is 1.0.1e. Platform is RHEL6.9. The key is 2048-bit RSA. NRPE is running as a standalone service (i.e. not via xinetd).

# grep ^ssl /etc/nagios/nrpe.cfg
ssl_version=TLSv1.2
ssl_cipher_list=EECDH+AESGCM
ssl_cacert_file=/etc/nagios/ssl/ca-chain.cert.pem
ssl_cert_file=/etc/nagios/ssl/nrpe.crt
ssl_privatekey_file=/etc/nagios/ssl/nrpe.key
ssl_logging=0x01

With the settings above, check_nrpe will not successfully negotiate an SSL handshake. In addition, both nmap and sslscan report NO ciphers supported for the connection. I will note that EECDH+AESGCM works perfectly in Apache; the supported ciphers for Apache (also using an RSA key) end up being:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256

So, then I changed ssl_cipher_list to "AESGCM:!ADH". SSL now works, but the ciphers do NOT include ECDHE, only these:

    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-GCM-SHA256

I also tried completely removing the "ssl_cipher_list" specification, but with that config there are still no ECDHE ciphers in the list.

I don't understand why ECDHE isn't offered by NRPE. Can someone enlighten me?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Post by scottwilkerson »

This sounds more like a feature request for NRPE, please feel free to make the request at the NRPE open source project site, or better yet, feel free to provide a pull request with the desired changes.

https://github.com/NagiosEnterprises/nrpe
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
erichymowitz
Posts: 10
Joined: Thu Aug 18, 2016 11:18 am

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Post by erichymowitz »

Hi, Scott.

I'm not sure I understand why this would be a "feature request".

This link https://support.nagios.com/forum/viewto ... 16&t=41448 says things like
Nagios and NRPE both depend on the base system encryption tools
NRPE is going to use the SSL cert it's configured to use.
So if openssl supports ECDHE

# openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA: [lots more]

then why wouldn't NRPE?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Post by scottwilkerson »

erichymowitz wrote: I'm not sure I understand why this would be a "feature request".

Sorry, that came out of my fingers wrong; let's call it an issue:
https://github.com/NagiosEnterprises/nrpe/issues
rcjacobson
Posts: 2
Joined: Thu Mar 29, 2018 1:08 pm

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Post by rcjacobson »

I did a bit more testing.

After compiling/installing openssl 1.1.0h, and then recompiling NRPE 3.2.1, I found that ECDHE ciphers are now working.

In other words, for some reason NRPE requires OpenSSL 1.1+ for ECDHE ciphers to work.

I'm going to go out on a limb and guess that there's a conditional in the code that's not quite right. There's no technical reason (that I'm aware of) that ECDHE ciphers should not work using openssl 1.0.1e.

I will submit this as an issue. Thanks.
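To reproduce the kind of per-cipher probe that produced the sslscan output above, here is an added example in Go; it is not NRPE's code and not from anyone in this thread. A loopback TLS 1.2 server restricted to a suite list stands in for NRPE's ssl_cipher_list, a constructed 2048-bit RSA certificate stands in for nrpe.crt/nrpe.key, and the probe also shows why an RSA key can only ever yield ECDHE-RSA suites, never ECDHE-ECDSA, regardless of what the server list allows.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
)

// rsaCert builds a throwaway self-signed 2048-bit RSA certificate (constructed
// here) that stands in for the thread's nrpe.crt/nrpe.key.
func rsaCert() tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // validity is irrelevant: the probe skips verification
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Probe starts a loopback TLS 1.2 server restricted to serverSuites (the stand-in
// for NRPE's ssl_cipher_list), offers it each candidate suite on its own the way
// sslscan does, and returns the names of the accepted suites in candidate order.
func Probe(serverSuites, candidates []uint16) ([]string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{rsaCert()}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // accept loop: finish each handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	var accepted []string
	for _, s := range candidates {
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			InsecureSkipVerify: true, // probing cipher support, not server identity
			MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
			CipherSuites: []uint16{s}})
		if err != nil {
			continue // no suite in common: handshake failure, so no "Accepted" line
		}
		accepted = append(accepted, tls.CipherSuiteName(c.ConnectionState().CipherSuite))
		c.Close()
	}
	return accepted, nil
}
```

With the server list set to the ECDHE GCM suites (the EECDH+AESGCM case), plain RSA key-exchange candidates are refused, which is what "NO ciphers supported" from a scanner looks like when client and server lists do not overlap.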
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Post by scottwilkerson »

rcjacobson wrote: I will submit this as an issue. Thanks.

Thanks, and glad to hear at least it is working with 1.1+.