SSL/TLS_ENCRYPTION

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
yybadrou
Posts: 12
Joined: Mon Jul 20, 2020 2:34 am

SSL/TLS_ENCRYPTION

Post by yybadrou »

Hi,

I am monitoring a set of equipment with Nagios XI and the NCPA agent.
The thing I liked a lot about NCPA is the deployment of SSL/TLS encryption. However, I really would like to know how the communication is performed (packet level). Which protocols are used and how are the checks performed?

My questions are as follows:
- Using Wireshark, how can I decrypt those SSL sessions between the Nagios server and one of my supervised hosts (client)? What do I need (private key or certificate or both or ...)?
- In which exact client directory (Ubuntu host) can I find this information to load into Wireshark in order to have decrypted data to read? I know that all SSL information is stored in the /etc/ssl directory, but I want to know exactly where inside this directory.

I would appreciate any help!

Thank you
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: SSL/TLS_ENCRYPTION

Post by jbrunkow »

I believe the certificate that NCPA uses is in the following directory.

Code:

/usr/local/ncpa/var/ncpa.crt

If you can't find it in that location, you could search for it using find.

Code:

sudo find / -name "*.crt"

You can decrypt an SSL/TLS connection with an RSA key or key log file.
Wireshark supports TLS decryption when appropriate secrets are provided. The two available methods are:
  • Key log file using per-session secrets.
  • Decryption using an RSA private key.
Wireshark TLS
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
yybadrou
Posts: 12
Joined: Mon Jul 20, 2020 2:34 am

Re: SSL/TLS_ENCRYPTION

Post by yybadrou »

Hi,

Thank you for your answer,
But where can I find the keylogfile on my Linux client?

Thank you
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: SSL/TLS_ENCRYPTION

Post by jbrunkow »

I don't know if such a thing exists on our systems. You could try the following commands to see if that helps you locate it.

Code:

sudo find / -name "*.crt"
sudo find / -name "*keylogfile*"

It could be one of the following files.

Code:

/usr/local/nagiosxi/var/certs/nagiosxi.key
/usr/local/nagiosxi/var/keys/xi.key
/var/log/sssd/sssd.log
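Added example, not part of the thread and not Nagios or Wireshark code: a shell helper that classifies a candidate file by its content, to tell which of the two Wireshark methods mentioned above (key log file or RSA private key) it could serve, if either. The function names and the sample files written by `make_samples` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Nagios or Wireshark code): classify a file by content to
# see which Wireshark TLS decryption input, if any, it could be.

classify_tls_file() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 0; }
    # NSS key log line: LABEL, 64-hex-digit client random, hex secret.
    labels='CLIENT_RANDOM|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET'
    labels="$labels|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET"
    if grep -Eq -e "^($labels) [0-9a-fA-F]{64} [0-9a-fA-F]+\$" "$f"; then
        echo keylog
    elif grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted-private-key
    elif grep -Eq -e '^-----BEGIN (RSA )?PRIVATE KEY-----' "$f"; then
        echo private-key
    elif grep -Eq -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        echo other-private-key
    elif grep -Eq -e '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo certificate
    else
        echo other
    fi
}

wireshark_use() {
    case $(classify_tls_file "$1") in
        keylog) echo "key log: decrypts the sessions it lists, any key exchange" ;;
        private-key) echo "private key: only if RSA and the session used RSA key exchange" ;;
        encrypted-private-key) echo "passphrase-protected private key: not usable as-is" ;;
        certificate) echo "certificate: public data, cannot decrypt traffic" ;;
        *) echo "not usable for TLS decryption" ;;
    esac
}

# Constructed sample files (placeholders, no real key material).
make_samples() {
    printf '# constructed\nCLIENT_RANDOM %064d %096d\n' 0 0 > "$1/keys.log"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' > "$1/ncpa.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE' '-----END RSA PRIVATE KEY-----' > "$1/xi.key"
    printf '%s\n' '(constructed) sssd service started' > "$1/sssd.log"
}

# Report on any files named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(wireshark_use "$f")"
done
```

A key log file is only present if a TLS endpoint was configured to write one (for example through the SSLKEYLOGFILE environment variable in applications that honor it), so a `find` that returns nothing is the expected result on a default install.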