TLSv1.0 Protocol Detected on 443/tcp on Nagios XI server
We have Nagios XI 5.2.3 on RHEL 6.10, and the Nagios XI web interface uses port 8085/tcp. In addition, SSL for Apache server is disabled. Recently, a security/network scan to this Nagios XI server found that TLS Version 1.0 Protocol was detected on port 443, meaning the connection using TLS 1.0 protocol on port 443 to this server is accepted. Note that connection using TLS 1.0 protocol on port 8085 to this server is rejected. It seems that another ssl is detected and caused this high security vulnerability, not ssl for Apache server (ssl for Apache is already disabled). If the SSL for Nagios XI is enabled, how to disable TLSv1.0 and TLSv1.1 for Nagios XI and which Nagios XI/Nagios configuration file(s) need to be updated to disable TLSv1.0 and TLSv1.1? Thanks!
Re: TLSv1.0 Protocol Detected on 443/tcp on Nagios XI server
Really, because Cent6 is no longer supported, either by them or by us, this is a good reason to upgrade.
You can still get the 5.2.3 installer, and build a new system based on Cent7, which will still be supported for a few years:
wget https://assets.nagios.com/downloads/nag ... 2.3.tar.gz
Here are the instructions for doing an OS-and-XI migration using backup and restore:
===
The easiest way to do this is with two machines.
1) back up your old machine, and save the backup files on a third machine somewhere (another
server, your desktop PC, etc.).
1a) shut down the old machine, or at least change its IP address and
disable the monitoring engine
2) build the new machine with Cent7/RHEL7 or whatever you like, with the same IP address
3) install the same version of XI on your new machine--this is important; they have to be the
same version of XI on both!
4) restore your backup to the newly-installed machine
4a) upgrade XI to the latest version, if desired
5) enjoy
This document should be helpful:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
It is also possible to simply upgrade the OS in-place on the same machine in the usual way
(e.g., boot from a Cent7 ISO and install the OS from scratch), then install the same version of
XI, restore your backup, then upgrade XI to the new version.
After installing the new OS, installing the old version of XI, and restoring your backup,
you can upgrade XI by downloading the latest package:
cd /root
wget https://assets.nagios.com/downloads/nag ... 7.5.tar.gz # for 5.7.5
wget https://assets.nagios.com/downloads/nag ... 8.1.tar.gz # or for 5.8
and do the upgrade:
rm -rf /root/nagiosxi /tmp/nagiosxi
tar -xzf xi-5.8.1.tar.gz
cd nagiosxi
./upgrade
Let me know if you have more questions.
--Jeffrey
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: TLSv1.0 Protocol Detected on 443/tcp on Nagios XI server
@ jdunitz, thanks for the response!
We will upgrade the RHEL 6.10 to RHEL 7.x and then install a newer version of Nagios XI in the future. But for this moment, we need a solution to immediately address this vulnerability detected by security scan. Last year, we resolved the similar vulnerability for TLS 1.0 protocol on port 5666/TCP on a Nagios NRPE agent by adding "ssl_version=TLSv1.2+" to the nrpe.cfg file. Is it possible that the "ssl_version=TLSv1.2+" can be added to some Nagios/Nagios xi configuration file(s) to address the same issue? Thanks!
Re: TLSv1.0 Protocol Detected on 443/tcp on Nagios XI server
Mozilla has published an SSL config generator that will help you write your Apache configs: https://mozilla.github.io/server-side-t ... generator/
Apache has a good document on how to set your server's SSL protocol and cipher suite negotiation settings for maximum security: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
A good utility to test how secure your SSL certificate is, and show device compatibility, is here: https://www.ssllabs.com/ssltest/
If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.
Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
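Added example, not part of the thread and not Nagios or Apache project code: a small audit that reads one Apache configuration file's text, reports any Listen on port 443, and evaluates each SSLProtocol line to see whether SSLv2, SSLv3, TLSv1 or TLSv1.1 remain enabled. It assumes the 443 listener is Apache with mod_ssl, as the links in the reply above imply. The names audit, effective_protocols, KNOWN, WEAK and SAMPLE are hypothetical, and Include lines are not followed, so each file has to be checked on its own.

```python
# Tokens this model accepts; what "all" covers depends on the httpd/OpenSSL build (widest reading assumed).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl does."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        group = set(KNOWN) if name == "all" else {k for k in KNOWN if k.lower() == name}
        if not group:
            raise ValueError("unknown SSLProtocol token: " + tok)
        if sign == "-":
            enabled -= group
        else:  # "+" adds to the set; a bare token replaces what came before it
            enabled = enabled | group if sign == "+" else set(group)
    return enabled

def audit(config_text):
    """Return (line number, context, finding) tuples for one config file."""
    findings, context = [], "server config"
    for num, raw in enumerate(config_text.splitlines(), 1):
        directive, args = (raw.split(None, 1) + ["", ""])[:2]
        directive, args = directive.lower(), args.strip()
        if directive == "<virtualhost":
            context = "VirtualHost " + args.rstrip(">").strip()
        elif directive.startswith("</virtualhost"):
            context = "server config"
        elif directive == "listen" and args and args.split()[0].rpartition(":")[2] == "443":
            findings.append((num, context, "listens on 443"))
        elif directive == "sslprotocol":
            weak = sorted(effective_protocols(args) & WEAK)
            if weak:
                findings.append((num, context, "allows " + ", ".join(weak)))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
Listen 8085
Listen 443
SSLProtocol all -SSLv2
<VirtualHost _default_:443>
    SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```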