Hi.
I'm facing an issue with check_nrpe and nsclient++ and we want to enable SSL communication.
I installed NSCP 0.5.2.35 on a Windows Server 2008 R2 x64 SP1.
I upgraded check_nrpe to version 3.2.1 following this doc https://support.nagios.com/kb/article.php?id=520 and this https://support.nagios.com/kb/article.php?id=515
Later, I created the certificates and keys following this doc https://support.nagios.com/kb/article.php?id=519 and copied the client certs to the server running nsclient++.
On the Windows Server I edited the nsclient.ini file to reference the certs path and to allow SSL communication.
I execute the check_nrpe command on the nagiosxi server referencing the server paths and including the -H and the client IP (I deleted the client IP):
[root@nagiossrv ssl]# /usr/local/nagios/libexec/check_nrpe -H [client IP] -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem
I (0.5.2.35 2018-01-28) seem to be doing fine...
[root@nagiossrv ssl]
But the /var/log/messages says:
May 25 13:04:00 nagiossrv check_nrpe: Remote [client IP] does not support Version 3 Packets
May 25 13:04:10 nagiossrv check_nrpe: Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with [client IP]: rc=0 SSL-error=5
In nsclient.log on the Windows Server I see this message:
2018-05-25 13:02:28: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: [nagiosxi IP], count=1
2018-05-25 13:02:28: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: peer did not return a certificate: 199
How could I configure this scenario to use SSL certificates for this command?
I attached the nsclient.ini where I deleted the nagiosxi server IP in the "allowed hosts" key and the "password" key.
Thanks in advance.
"Operaciones"
SSL for nrpe -> nsclient++
-
operaciones
- Posts: 5
- Joined: Mon Mar 12, 2018 9:05 am
Re: SSL for nrpe -> nsclient++
When you connected to the Windows server using the check_nrpe command, this message was returned:
(0.5.2.35 2018-01-28) seem to be doing fine...
That means that the plugin correctly connected to the remote Windows server, received the version of NSClient++ and displayed it.
What is happening is that the check_nrpe plugin is cycling through the different versions of SSL until it connects, which causes the messages.
Using the -S option in the check_nrpe command should keep the messages from getting logged.
-S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:
SSLv2 SSL v2 only
SSLv2+ SSL v2 or above
SSLv3 SSL v3 only
SSLv3+ SSL v3 or above
TLSv1 TLS v1 only
TLSv1+ TLS v1 or above (DEFAULT)
TLSv1.1 TLS v1.1 only
TLSv1.1+ TLS v1.1 or above
TLSv1.2 TLS v1.2 only
TLSv1.2+ TLS v1.2 or above
-
operaciones
- Posts: 5
- Joined: Mon Mar 12, 2018 9:05 am
Re: SSL for nrpe -> nsclient++
First of all, thank you tgriep for your fast response.
I could avoid the message typing the command with the -S TLSv1.2 flag:
[root@nagiossrv ssl]# /usr/local/nagios/libexec/check_nrpe -S TLSv1.2 -H [Client IP] -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem
I (0.5.2.35 2018-01-28) seem to be doing fine...
Also, the logging in the client seems normal, the "peer did not return a certificate" is not present.
But in the /var/log/messages from the server, I'm still getting:
May 25 16:54:46 nagiossrv check_nrpe: Remote [Client IP] does not support Version 3 Packets
Is it possible to avoid this message? What does it actually mean?
Thanks in advance.
"operaciones"
Re: SSL for nrpe -> nsclient++
This kb describes the message along with solutions: https://support.nagios.com/kb/article/n ... s-786.html
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
-
operaciones
- Posts: 5
- Joined: Mon Mar 12, 2018 9:05 am
Re: SSL for nrpe -> nsclient++
Hi.
If I execute check_nrpe with the -S TLSv1.2 and -2 flags, I don't get any error messages in /var/log/messages.
I wonder what's the difference between using Version 3 packets and Version 2. I couldn't find any KB about this.
My goal is to monitor this server by executing a remote program on the server. If I use Version 2 packets, could I execute this remote program on the server?
Thanks.
Re: SSL for nrpe -> nsclient++
https://support.nagios.com/kb/article.php?id=516 mentions the improvements. The improvements being increased SSL security and packet sizes. NSCP (NSClient++) doesn't appear to fully support v3, however: https://github.com/mickem/nscp/issues/440
-
operaciones
- Posts: 5
- Joined: Mon Mar 12, 2018 9:05 am
Re: SSL for nrpe -> nsclient++
Would you clarify this point of the kb you sent (https://support.nagios.com/kb/article.php?id=516)?
NRPE v3 has two major improvements over previous versions:
Increased SSL security
Certificates can be used for security
Because I thought that I could use certificates for security (it is my goal in this scenario), but as far as I understand the previous sentence, NRPE V3 introduced the "Certificates for security". And I'm using the -2 flag to send only v2 packets. I'm afraid that sending v2 packets doesn't use certificates for security.
My goal is to monitor the server using a remote command and using certificates.
Thank you.
Re: SSL for nrpe -> nsclient++
NRPEv2 does offer some security and encryption, but it is lacking (https://github.com/NagiosEnterprises/nr ... DME.SSL.md). NSClient++, being a third party solution, doesn't give us much control over its support for NRPE, however it looks like NRPEv3 is partially supported and the error is due to the dynamic payloads (https://github.com/mickem/nscp/issues/440). The options appear to be 1. use v2 with decreased security, or 2. use v3 with increased security and ignore the warning message.
-
operaciones
- Posts: 5
- Joined: Mon Mar 12, 2018 9:05 am
Re: SSL for nrpe -> nsclient++
I could set the check command for my server with TLS1.2 and version 2.
It's working fine.
Thank you for your help.
Regards.
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: SSL for nrpe -> nsclient++
Glad to hear it is resolved!
Locking
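
The two check_nrpe messages quoted in this thread have different follow-ups: the handshake error went away once the protocol was pinned with -S, while the Version 3 packet warning only went away with -2. The triage script below is an added example, not part of any post and not Nagios or NSClient++ code; the sample log lines are constructed from the thread's messages with placeholder 192.0.2.x addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the messages quoted in the thread;
# 192.0.2.x addresses are documentation placeholders, not values from the page.
SAMPLE_LOG = """\
May 25 13:04:00 nagiossrv check_nrpe: Remote 192.0.2.10 does not support Version 3 Packets
May 25 13:04:10 nagiossrv check_nrpe: Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with 192.0.2.10: rc=0 SSL-error=5
May 25 16:54:46 nagiossrv check_nrpe: Remote 192.0.2.11 does not support Version 3 Packets
May 25 16:55:02 nagiossrv sshd[411]: unrelated line
"""

# Message patterns as they appear in /var/log/messages on the Nagios server.
PATTERNS = {
    "v3_fallback": re.compile(
        r"check_nrpe: Remote (\S+) does not support Version 3 Packets"),
    "tls_handshake": re.compile(
        r"check_nrpe: .*Could not complete SSL handshake with (\S+?): rc=-?\d+ SSL-error=\d+"),
}

# Follow-up per category, limited to what the thread reports worked.
ADVICE = {
    "tls_handshake": "pin the protocol with -S (thread used TLSv1.2), recheck -C/-K/-A",
    "v3_fallback": "peer answers v2 packets only: add -2 or accept the warning",
}

def triage(log_text):
    """Return {host: set(categories)} for check_nrpe messages in log_text."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        for category, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                hosts[match.group(1)].add(category)
    return dict(hosts)

def report(log_text):
    """Return (host, category, advice) rows, handshake failures first."""
    rows = []
    for host, categories in sorted(triage(log_text).items()):
        for category in ("tls_handshake", "v3_fallback"):
            if category in categories:
                rows.append((host, category, ADVICE[category]))
    return sorted(rows, key=lambda row: row[1] != "tls_handshake")

if __name__ == "__main__":
    for host, category, advice in report(SAMPLE_LOG):
        print(f"{host:15} {category:14} {advice}")
```

A host that only ever shows `v3_fallback` matches the end state of this thread; a host that shows `tls_handshake` should also be checked against the NSClient++ log for "peer did not return a certificate".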