TLS with hardcoded ciphers not working

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
sib

TLS with hardcoded ciphers not working

Post by sib »

Hi

I am running v5.6.6, also NRPE. We are currently trying to hardcode the ssl_cipher_list, but with that specified I cannot connect.


Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Certificate File: None
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Private Key File: None
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL CA Certificate File: None
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Cipher List: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Allow ADH: 0
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Client Certs: Don't Ask
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Log Options: 0x01
Oct  8 16:51:49 lbnss1349 nrpe[11224]: SSL Version: TLSv1_2 And Above
Oct  8 16:51:49 lbnss1349 nrpe[11224]: Error: (!log_opts) Could not complete SSL handshake with : 

# openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5

ssl_logging=1
ssl_version=TLSv1.2+
ssl_cipher_list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
Operating System: RHEL 7.6
openssl-1.0.2k-19.el7.x86_64
ssax

Re: TLS with hardcoded ciphers not working

Post by ssax »

Please send the full /usr/local/nagios/libexec/check_nrpe command you are using (with all the arguments).

What version of NRPE on the XI server?

/usr/local/nagios/libexec/check_nrpe -V

What about the other remote end (NRPE agent)?

/usr/local/nagios/libexec/check_nrpe -V

Was this the guide you are following?

https://support.nagios.com/kb/article/nrpe-v3-enhanced-security-519.html
sib

Re: TLS with hardcoded ciphers not working

Post by sib »

Hi


# /usr/local/nagios/libexec/check_nrpe -V
NRPE Plugin for Nagios
Version: 3.2.1

# /usr/local/nagios/libexec/check_nrpe -H lbnss1349   
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.55.65.120: 

I was not following any documentation, but added the configs to the client-side nrpe.cfg (see first post).

This might be of interest

Oct  9 13:13:16 lbnss1349 nrpe[31311]: Error: (ERR_get_error_line_data = 336109761), Could not complete SSL handshake with : no shared cipher
Oct  9 13:13:16 lbnss1349 nrpe[31311]: Error: This could be because you have not specified certificate or ca-certificate files
mbellerue

Re: TLS with hardcoded ciphers not working

Post by mbellerue »

That is pretty interesting. Is the CA certificate on the Nagios server? Can you use the --ca-cert-file= switch in your check_nrpe command to point to the CA cert?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
sib

Re: TLS with hardcoded ciphers not working

Post by sib »

I did also try to use our certificates

# /usr/local/nagios/libexec/check_nrpe -A /etc/pki/ca-trust/source/anchors/BIS-bundle.pem -C /etc/pki/tls/certs/nagios.bisinfo.org.cer -K /etc/pki/tls/private/nagios.pem -H lbnss1349
CHECK_NRPE: Error - Could not connect to 10.55.65.120: Connection reset by peer

I get the following:

Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Certificate File: None
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Private Key File: None
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL CA Certificate File: None
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Cipher List: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Allow ADH: 0
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Client Certs: Require
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Log Options: 0xff
Oct 10 08:25:32 lbnss1349 nrpe[11963]: SSL Version: TLSv1_2 And Above
Oct 10 08:25:32 lbnss1349 nrpe[11963]: Error: could not use CA certificate '(null)'

I also set:

ssl_client_certs=2

The certificate should be valid:

# openssl rsa -modulus -noout -in /etc/pki/tls/private/nagios.pem | openssl md5                                 
(stdin)= 4ab750edb6f74fc87b43b3214b6ea37d

# openssl x509 -modulus -noout -in /etc/pki/tls/certs/nagios.bisinfo.org.cer | openssl md5    
(stdin)= 4ab750edb6f74fc87b43b3214b6ea37d

# openssl verify -verbose -CAfile /etc/pki/ca-trust/source/anchors/BIS-bundle.pem /etc/pki/tls/certs/nagios.bisinfo.org.cer             
/etc/pki/tls/certs/nagios.bisinfo.org.cer: OK
cdienger

Re: TLS with hardcoded ciphers not working

Post by cdienger »

I think it's an issue with specific ciphers. I'm able to get similar results and am looking into it, but would like you to try setting the cipher list on the client like below:

ssl_cipher_list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ADH-AES128-SHA256
sib

Re: TLS with hardcoded ciphers not working

Post by sib »

This works. Unfortunately, we are forced to use one of the following ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
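The two posts above (the ADH-AES128-SHA256 workaround and the mandated IANA list) raise a question a practitioner has to settle before blaming the agent: which of those twelve suites could this agent negotiate at all? Every suite in the mandated list authenticates the server with a certificate (RSA, ECDSA or DSS, according to the suite name), while the agent log in the first post shows "SSL Certificate File: None", and ADH-AES128-SHA256, the suite that made the handshake succeed, is the only one in play that needs no certificate. The script below is an added example, not Nagios or NRPE code: it converts IANA names to the OpenSSL names nrpe.cfg expects, checks them against the `openssl ciphers` output posted for openssl-1.0.2k (embedded as a constructed excerpt of that output), and classifies each suite by the server credential it requires. It does not reproduce or explain the NRPE bug tracked in issue #179; it only separates a certificate/cipher mismatch, which OpenSSL also reports as "no shared cipher", from a genuine library or agent defect.

```python
"""Added example (not Nagios/NRPE code): map the IANA cipher-suite names the
poster is required to use onto OpenSSL names, check them against the
`openssl ciphers` output posted for openssl-1.0.2k, and work out which of
them an NRPE agent could negotiate given the certificate it serves.
Only AES GCM/CBC suites are mapped; that is all the mandated list contains."""

# The twelve IANA names from the post.
MANDATED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
]

# Constructed excerpt of the `openssl ciphers` output in the first post
# (openssl-1.0.2k-19.el7): only the entries relevant to MANDATED plus two
# unrelated ones, in the original order. Paste the real output on a live host.
OPENSSL_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:"
    "AES256-GCM-SHA384:AES256-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:"
    "AES128-GCM-SHA256:AES128-SHA256:RC4-SHA:RC4-MD5"
)


def iana_to_openssl(name: str) -> str:
    """TLS_<kx>_WITH_<enc> -> OpenSSL name, e.g.
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -> ECDHE-RSA-AES128-SHA256."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kx, enc = name[len("TLS_"):].split("_WITH_", 1)
    parts = enc.split("_")
    if len(parts) != 4 or parts[0] != "AES" or parts[2] not in ("GCM", "CBC"):
        raise ValueError(f"only AES GCM/CBC suites are mapped here: {name}")
    _, bits, mode, mac = parts
    # OpenSSL fuses AES with its key size, spells out GCM and drops CBC.
    bulk = [f"AES{bits}"] + (["GCM"] if mode == "GCM" else []) + [mac]
    # Plain RSA key exchange has no prefix in OpenSSL (TLS_RSA_... -> AES128-SHA).
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    return prefix + "-".join(bulk)


def auth_requirement(openssl_name: str) -> str:
    """Which server credential a suite needs to authenticate the handshake."""
    if openssl_name.startswith(("ADH-", "AECDH-")):
        return "none (anonymous, no server authentication)"
    if "-ECDSA-" in openssl_name:
        return "ECDSA certificate"
    if "-DSS-" in openssl_name:
        return "DSS certificate"
    return "RSA certificate"  # ECDHE-RSA-, DHE-RSA- and plain RSA suites


def build_cipher_list(mandated, openssl_output, cert_type):
    """Return (usable, rejected). cert_type is 'RSA', 'ECDSA', 'DSS' or None
    for an agent with no ssl_cert_file, which is what the posted NRPE log
    ('SSL Certificate File: None') shows."""
    available = set(openssl_output.split(":"))
    usable, rejected = [], {}
    for iana in mandated:
        ossl = iana_to_openssl(iana)
        need = auth_requirement(ossl)
        if ossl not in available:
            rejected[ossl] = "not in this OpenSSL build's cipher list"
        elif cert_type is None:
            rejected[ossl] = f"needs {need}, but the agent serves no certificate"
        elif need != f"{cert_type} certificate":
            rejected[ossl] = f"needs {need}, agent has {cert_type}"
        else:
            usable.append(ossl)
    return usable, rejected


def nrpe_cfg_line(usable):
    """The ssl_cipher_list= line for nrpe.cfg built from the usable suites."""
    return "ssl_cipher_list=" + ":".join(usable)


if __name__ == "__main__":
    for cert in (None, "RSA", "ECDSA"):
        usable, rejected = build_cipher_list(MANDATED, OPENSSL_CIPHERS, cert)
        print(f"agent certificate: {cert}")
        print("  " + (nrpe_cfg_line(usable) if usable
                      else "no negotiable suite -> expect 'no shared cipher'"))
        for name, why in rejected.items():
            print(f"  skip {name}: {why}")
    print("workaround suite ADH-AES128-SHA256 needs:",
          auth_requirement("ADH-AES128-SHA256"))
```

With no certificate on the agent the script rejects all twelve suites, which is the "no shared cipher" outcome in the thread; with an RSA certificate configured it keeps the six ECDHE-RSA and DHE-RSA suites, and the four ECDHE-ECDSA suites only become usable if the agent serves an ECDSA certificate. The ADH suites do not show up in the posted `openssl ciphers` output because the DEFAULT spec excludes anonymous (aNULL) suites; `openssl ciphers aNULL` lists them. Anonymous DH gives confidentiality against a passive observer only: with ADH-AES128-SHA256 the Nagios server never authenticates the agent, so anything on the path can sit in the middle, which is why the workaround should stay a diagnostic step rather than a production setting.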
cdienger

Re: TLS with hardcoded ciphers not working

Post by cdienger »

It looks like you're running into:

https://github.com/NagiosEnterprises/nrpe/issues/179

A work around would be to install openssl 1.1+ and rebuild the agent.
sib

Re: TLS with hardcoded ciphers not working

Post by sib »

I have seen that, but unfortunately it is not an option for us. We have to stick to the official releases you or Red Hat provide. There is no reason why it should not work, given that the ECDSA ciphers exist in the current OpenSSL version.

best
Chris
cdienger

Re: TLS with hardcoded ciphers not working

Post by cdienger »

I've pinged our dev team regarding this. I also ask that you make a comment on the github page for this issue.