TLS mitigation

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
ge321
Posts: 2
Joined: Fri Dec 13, 2013 4:06 pm

TLS mitigation

Post by ge321 »

As part of a company wide project to get every web server up to TLS v1.2 (or newer) I've been given an old Nagios XI instance. This instance is a virtual appliance type and the web interface reports the version as 2014R2.3. The underlying CentOS version, 6.4, doesn't support TLS v1.2 although CentOS 6 did eventually support it. What are my options here for getting newer TLS support? I'd prefer not to spin up a whole new instance if I can (for reasons), but if that's the only supported option then I need to know that so I can pass it up to management for decisions. Thanks.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: TLS mitigation

Post by dchurch »

What do you mean that CentOS doesn't "support" TLS 1.2? The HTTPS server doesn't support connecting using TLS 1.2, or the SSL client on the machine doesn't support connecting to TLS 1.2 servers?

We don't officially support CentOS 6. Being that as it may, I can possibly help you update OpenSSL and Apache to newer versions.

I just spun up a CentOS 6.1 install and it appeared to have a new enough openssl version to support TLS 1.2:

Code:

# rpm -qa |grep openssl
openssl-1.0.1e-57.el6.x86_64
# openssl s_client -connect www.nagios.com:443 -tls1_2 </dev/null >/dev/null
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.nagios.com
verify return:1
DONE
To help diagnose, please run these commands and post the entire output:

Code:

grep -ir proto /etc/httpd/
rpm -qa |grep openssl
openssl s_client -connect www.nagios.com:443 -tls1_2 </dev/null >/dev/null
If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.

Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
ge321
Posts: 2
Joined: Fri Dec 13, 2013 4:06 pm

Re: TLS mitigation

Post by ge321 »

I realize now that I wasn't as clear as I should have been. I also started looking in more depth at the specifics of this system. From RedHat's KB it looks like RHEL/CentOS 6 shipped with OpenSSL 1.0.0 from 6.0 to 6.4. In 6.5 they rebased to 1.0.1e. This particular system has openssl-1.0.1e-16.el6_5.7.x86_64 installed, which suggests it got some updates either when it was packaged into an OVF or not long after someone deployed it here (long before my time in this environment), although still pretty far in the past. That said, I've verified that 1.0.1e-16 does support TLS v1.2. So where my problem lies is apparently with mod_ssl. The installed package is mod_ssl-2.2.15-28.el6.centos.x86_64, which doesn't recognize the keywords TLSv1.1 or TLSv1.2 for the SSLProtocol directive. Our compliance scanning tool flags this as a problem because it allows a client to potentially negotiate something less than TLSv1.2.

So the more correct question I should be asking is can httpd and/or just mod_ssl be upgraded to something from a later version of Centos 6 without breaking the Nagios components above it?
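An added example, not code from the thread, from Nagios or from the posters, that covers the two checks discussed above: the openssl s_client probe from the first reply, run once per protocol version, and an offline audit of the SSLProtocol directive that the compliance scanner is complaining about. The sample configs are constructed; the parser assumes the keyword semantics of a mod_ssl build that understands TLSv1.1 and TLSv1.2 (the upgraded httpd, not the 2.2.15-28 package that rejects those keywords), and expands "all" to the full legacy set as a conservative assumption, since what "all" covers differs between httpd 2.2, 2.4 and the OpenSSL it is linked against.

```shell
#!/bin/sh
# Added example for this thread (not Nagios or poster code).
#  - enabled_protocols / audit_sslprotocol: parse the last SSLProtocol
#    directive in an httpd/mod_ssl config read from stdin and report
#    whether a client could still negotiate anything below TLSv1.2.
#  - probe_tls: the s_client check from the thread, once per version
#    (needs network; not run by the offline demo at the bottom).

# Assumption: "all" is expanded to every version mod_ssl has ever known,
# which is the worst case a scanner would assume.
ALL_VERSIONS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"
LEGACY="SSLv2 SSLv3 TLSv1 TLSv1.1"

# Print the versions left enabled by the last SSLProtocol line, in
# canonical order on one line. No directive at all means "all".
enabled_protocols() {
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1)
    if [ -n "$line" ]; then
        tokens=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')
    else
        tokens="all"
    fi
    enabled=" "
    for tok in $tokens; do
        case "$tok" in
            +*) sign=+; names=${tok#+} ;;
            -*) sign=-; names=${tok#-} ;;
            *)  sign=+; names=$tok ;;      # bare "TLSv1.2" behaves like "+TLSv1.2"
        esac
        [ "$names" = "all" ] && names=$ALL_VERSIONS
        for n in $names; do
            enabled=$(printf '%s' "$enabled" | sed "s/ $n / /")   # drop if present
            [ "$sign" = + ] && enabled="$enabled$n "
        done
    done
    out=""
    for v in $ALL_VERSIONS; do
        case "$enabled" in *" $v "*) out="$out$v " ;; esac
    done
    printf '%s\n' "${out% }"
}

# Print "ok: ..." and return 0, or "weak: ..." and return 1 when any
# pre-1.2 version is still negotiable; "none" (return 2) if nothing is.
audit_sslprotocol() {
    have=$(enabled_protocols)
    if [ -z "$have" ]; then
        echo "none: no protocol version enabled, httpd will refuse TLS"
        return 2
    fi
    for v in $have; do
        for l in $LEGACY; do
            if [ "$v" = "$l" ]; then
                echo "weak: $have"
                return 1
            fi
        done
    done
    echo "ok: $have"
    return 0
}

# probe_tls HOST [PORT]: ask the server for each version in turn. The
# -tls1_1/-tls1_2 switches only exist from OpenSSL 1.0.1 on, and -ssl3 may
# be missing in builds without SSLv3, so "rejected" there can also mean
# "my client cannot even ask"; check "openssl s_client -help" first.
probe_tls() {
    host=$1; port=${2:-443}
    for flag in ssl3 tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" -"$flag" </dev/null >/dev/null 2>&1; then
            echo "$flag: accepted"
        else
            echo "$flag: rejected"
        fi
    done
}

# Constructed sample configs, not taken from the poster's appliance.
WEAK_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5'

HARDENED_CONF='SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5'

printf '%s\n' "$WEAK_CONF" | audit_sslprotocol || echo "  -> this is what the scanner flags"
printf '%s\n' "$HARDENED_CONF" | audit_sslprotocol || echo "  -> unexpected"
```

Run `probe_tls www.nagios.com` by hand for the live check; the audit functions take a config on stdin, so `cat /etc/httpd/conf.d/ssl.conf | audit_sslprotocol` is the equivalent of the `grep -ir proto /etc/httpd/` step with the directive semantics applied. Note that the audit only reads the last SSLProtocol line it sees, so feed it one virtual host's config at a time if the directive appears in several places.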
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: TLS mitigation

Post by dchurch »

I don't see why not. Both mod_ssl and httpd should be able to be upgraded and not break anything in Nagios XI. AFAIK Nagios XI doesn't depend directly on anything in those packages except as a web server; it's possible to run Nagios XI using nginx and completely uninstall apache.

My CentOS 6.1 install's openssl version (1.0.1e) definitely does support TLS 1.2 as shown in the code snippets above, so that package shouldn't need to be upgraded.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: TLS mitigation

Post by dchurch »

Just checking in since we haven't heard from you in a while. Did that solve your problem?