Dear Community,
we are trying to set up a local Nagios System.
For testing purpose we want to use Wireshark to sniff out the network traffic that is produced by Nagios Core communicating with NCPA installed on several hosts. Therefore we have installed Wireshark and things looked great at first. However we are running into SSL encrypted payloads in the communication between Core and Host.
As consequence we are trying to disable SSL on the NCPA Client.
Setting ssl_version = none in the ncpa.cfg does not seem to be possible as the system falls back to its default value which is TLSv1.
Is there a(nother) way to see unencrypted communication or to disable SSL?
Kind regards
qupeDave
Disable SSL/TLS on NCPA Client
Re: Disable SSL/TLS on NCPA Client
Unfortunately, it is not possible to completely disable SSL in NCPA.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Disable SSL/TLS on NCPA Client
Hi lmiltchev,
thank you very much for your quick answer. I really appreciate your help.
What do you mean by 'completely'? Is it possible to weaken encryption?
Maybe there is a directive to disable Diffie-Hellman key-exchange or so? As far as I have read, there is a way to share the server's private key with Wireshark in order to enable it to auto-decrypt packages. However, if Diffie Hellman is used this does not work.
Best wishes,
qupeDave
thank you very much for your quick answer. I really appreciate your help.
What do you mean by 'completely'? Is it possible to weaken encryption?
Maybe there is a directive to disable Diffie-Hellman key-exchange or so? As far as I have read, there is a way to share the server's private key with Wireshark in order to enable it to auto-decrypt packages. However, if Diffie Hellman is used this does not work.
Best wishes,
qupeDave
Re: Disable SSL/TLS on NCPA Client
I meant that even if you set sss_version to "none", the system would use TLSv1 as you already found out.What do you mean by 'completely'? Is it possible to weaken encryption?
I am not aware of any such directive. You can't change the encryption type besides from the different TLS versions.Maybe there is a directive to disable Diffie-Hellman key-exchange or so?
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Disable SSL/TLS on NCPA Client
Okay. Thats disappointing news. That means we'd to actually implement a man in the middle attack on the encryption in order to override it, or act like a second Nagios-Core in order to query the NCPA clients from there. Both ways seem to be rather complicated on the technological side. Do you have an idea of how to get the performance data out of Nagios? As far as I have seen, the plugin-landscape for RESTful APIs for Nagios-Core seems a little underwhelming. On top, the ideal solution for my problem would be one, that does not touch the existing Nagios-Core installation.
Re: Disable SSL/TLS on NCPA Client
What is your main objective - how to get the performance data out of Nagios? I know, you said:
http://docs.pnp4nagios.org/start
but have you considered using something like pnp4nagios?On top, the ideal solution for my problem would be one, that does not touch the existing Nagios-Core installation.
http://docs.pnp4nagios.org/start
Be sure to check out our Knowledgebase for helpful articles and solutions!