about the "dh key too small" error

racheltravis
Posts: 1
Joined: Wed Oct 14, 2020 5:42 am

Post by racheltravis »

Hi all,

Could anyone advise me on how to fix this problem? I have obtained quite a lot of information from my configuration but am now running out of ideas for a solution. All systems are Unix. Mostly Linux with a few Solaris. I have two Nagios servers: a long-standing system running SLC6 (a variant of CentOS 6) and a new one running CentOS 8. Both are running nrpe-plugins vers. 4.0.3 and both use check_nrpe to check clients.

I have a large set of clients running the nrpe daemon. Mostly they run SLC6 and CentOS 7 and both Nagios servers can access them using check_nrpe. There are a few older clients, running SLC5 (a variant of CentOS 5) and some old Solaris boxes. The SLC6 server can access these clients but the new CentOS 8 one's check_nrpe probes fail with the above error -- this is despite both servers running the same version of check_nrpe (4.0.3).

My suspicions turned to the openssl configuration on the CentOS 8 server so I changed its system-wide crypto policy in /etc/crypto-policies/config from DEFAULT to LEGACY and ran 'update-crypto-policies --set' and rebooted to update the back-ends but it made no difference. CentOS 8 has openssl-1.1.1c and SLC6 has openssl-1.0.1e.

I tried running,

/usr/lib64/nagios/plugins/check_nrpe --ssl-logging=-1 -H slc5-system-client-hostname -c check_load
on both servers. On the SLC6 server the logs report,

Aug 28 18:29:10 slc6-server check_nrpe: SSL Certificate File: None
Aug 28 18:29:10 slc6-server check_nrpe: SSL Private Key File: None
Aug 28 18:29:10 slc6-server check_nrpe: SSL CA Certificate File: None
Aug 28 18:29:10 slc6-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH
Aug 28 18:29:10 slc6-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:29:10 slc6-server check_nrpe: SSL Log Options: 0xffffffff
Aug 28 18:29:10 slc6-server check_nrpe: SSL Version: TLSv1_plus And Above
Aug 28 18:29:10 slc6-server check_nrpe: Connected to XXX.XXX.XXX.XXX
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - SSL Version: TLSv1
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Aug 28 18:29:10 slc6-server check_nrpe: SSL Did not get certificate from XXX.XXX.XXX.XXX
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX accepted a version 2 packet
On the CentOS 8 server I get,

Aug 28 18:32:25 centos8-server check_nrpe: SSL Certificate File: None
Aug 28 18:32:25 centos8-server check_nrpe: SSL Private Key File: None
Aug 28 18:32:25 centos8-server check_nrpe: SSL CA Certificate File: None
Aug 28 18:32:25 centos8-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
Aug 28 18:32:25 centos8-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:32:25 centos8-server check_nrpe: SSL Log Options: 0xffffffff
Aug 28 18:32:25 centos8-server check_nrpe: SSL Version: TLSv1_plus And Above
Aug 28 18:32:25 centos8-server check_nrpe: Connected to XXX.XXX.XXX.XXX
Aug 28 18:32:25 centos8-server check_nrpe: Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with XXX.XXX.XXX.XXX: dh key too small
I also tried watching the network traffic between the servers and clients with wireshark using 'tshark -d tcp.port==5666,ssl'. For the SLC6 server, the difference it shows between the problem/older clients and the others is that with the newer clients the TLSv1.2 protocol is used whereas the older clients use TLSv1.

Suspecting the older clients might actually only be accepting a 512 byte DH key, I tried hacking the check_nrpe source code, which creates a 2048 byte key by default, to force it to create a 512 byte one. However it made no difference. This was not altogether unexpected since the SLC6 server's check_nrpe also creates a 2048 byte key, but I thought it worth a try.

I tried various other random things on the CentOS 8 server check_nrpe command line but w/o success, including '-2' and '-3' for the older nrpe packet types, stipulating various SSL protocols ('--ssl-version=TLSv1', '--ssl-version=TLSv1+', '--ssl-version=SSLv3+') and various incantations of cipher list, e.g. '--cipher-list=DEFAULT:!DH'. Incidentally, trying '--ssl-version=SSLv3+' on the older SLC6 server also fails with the same SSL handshake error -- I expect because the SSLv3 protocol is rightly also disabled there for security reasons.

I particularly don't want to have to tamper with/upgrade the older clients' nrpe daemons, particularly not the Solaris systems, but some time back I did try temporarily turning off SSL on one SLC5 client's nrpe daemon and using 'check_nrpe -n' on the CentOS 8 server, which did work.

Instead I really want to get the CentOS 8 server (a dev system which is intended to replace the SLC6 server) to work with the clients as the SLC6 server does.

As mentioned above, I am running out of ideas for things to try.

Any thoughts?

Best regards.
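A small triage helper, added here as an example (it is not code from the post or from NRPE), that parses check_nrpe --ssl-logging output like the excerpts above and flags what a defender should notice: the ADH cipher means the nrpe peer is never authenticated, TLSv1 is a legacy protocol, and the "dh key too small" failure means the remote daemon's ephemeral DH parameters are shorter than OpenSSL 1.1.1 will accept (OpenSSL refuses DH under 1024 bits even at @SECLEVEL=0, which is why lowering the level on the CentOS 8 server could not help). The sample lines are copied from the two logs in the post, with the masked addresses kept.

```python
import re

# Constructed sample: lines copied from the two syslog excerpts in the post (addresses masked as there).
SAMPLE_LOG = """\
Aug 28 18:29:10 slc6-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH
Aug 28 18:29:10 slc6-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - SSL Version: TLSv1
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Aug 28 18:32:25 centos8-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
Aug 28 18:32:25 centos8-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:32:25 centos8-server check_nrpe: Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with XXX.XXX.XXX.XXX: dh key too small
"""

# syslog prefix: "Mon DD HH:MM:SS <host> check_nrpe: <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) check_nrpe: (?P<msg>.*)$")

def parse(log: str) -> dict:
    """Group the SSL-related check_nrpe messages by the server that logged them."""
    hosts: dict = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, msg = hosts.setdefault(m["host"], {}), m["msg"]
        if msg.startswith("SSL Cipher List: "):
            rec["cipher_list"] = msg.split(": ", 1)[1]
        elif msg.startswith("SSL Allow ADH: "):
            rec["allow_adh"] = msg.endswith("1")
        elif " - SSL Version: " in msg:          # negotiated protocol with the remote
            rec["protocol"] = msg.rsplit(": ", 1)[1]
        elif "Cipher is " in msg:                # negotiated cipher suite
            rec["cipher"] = msg.rsplit("Cipher is ", 1)[1]
        elif "Could not complete SSL handshake" in msg:
            rec["error"] = msg.rsplit(": ", 1)[1]   # OpenSSL reason string
    return hosts

def assess(rec: dict) -> list:
    """Defender-facing findings for one server's record."""
    findings = []
    if rec.get("allow_adh") or rec.get("cipher", "").startswith("ADH-"):
        findings.append("anonymous DH in use: the nrpe peer is never authenticated")
    if rec.get("protocol") == "TLSv1":
        findings.append("legacy protocol TLSv1 negotiated")
    if "@SECLEVEL=0" in rec.get("cipher_list", ""):
        findings.append("OpenSSL security level lowered to 0 on this server")
    if rec.get("error") == "dh key too small":
        findings.append("remote nrpe daemon offered DH parameters shorter than this OpenSSL accepts")
    return findings

def triage(log: str) -> dict:
    return {host: assess(rec) for host, rec in parse(log).items()}
```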