Issue connecting to agent on Mac OS
I have a new install, and am trying to deploy the agent to a Mac OS system. The agent will deploy, but when I try to run the wizard, it gives a "Could not connect to host" error. When I run the check_ncpa.py command from the CLI, with the correct IP and token, I get:
UNKNOWN: An error occured connecting to API. (Connection error: '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1131)')
I have several other devices being monitored and they are fine. The issue is when I try to add an agent to a Mac system.
Linux Distribution and version? Ubuntu 20.04.3
32 or 64bit? 64 bit
VMware Image or Manual Install of XI? Manual install
Are there special configurations on your system, ie;
is Gnome installed? No
Are you using a proxy? No
Are you using SSL? no
On Nagios server:
root@nagios:/usr/local/nagios/libexec# ./check_ncpa.py -H 10.2.95.250 -t <token redacted> --list
UNKNOWN: An error occured connecting to API. (Connection error: '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1131)')
On target server:
deviceconnect@Alpha-3 log % ps -ef |grep ncpa
502 65046 1 0 8:27AM ?? 0:00.46 /usr/local/ncpa/ncpa_passive -n
502 65112 1 0 8:27AM ?? 0:00.46 /usr/local/ncpa/ncpa_listener -n
NCPA plugin version is 2.3.1 (latest)
Verified the tokens match between server and target.
Target is running Mac Big Sur 11.2.3
Last edited by pbroste on Mon Nov 01, 2021 10:25 am, edited 1 time in total.
Reason: Moderator note: removed attached profile and placed it on local shared drive for support access
Re: Issue connecting to agent on Mac OS
Hi pturner75,
The first thing to do is double check the firewall on your Mac system and ensure that access to port 5693 is allowed from your Nagios XI server.
https://support.apple.com/guide/mac-hel ... 0/mac/11.0
Second, using telnet, could you verify that you're able to establish a socket connection on port 5693 from your XI server?
Code:
telnet MAC-IP-ADDRESS 5693
The string "Escape character is '^]'." indicates that you were able to successfully establish a socket connection.
If you are able to establish a socket connection try connecting from the XI server using curl:
Code:
curl -ik https://MAC-IP-ADDRESS:5693
You should see a 302 redirect message.
After these tests please send the following files from your Mac system to me via PM and we can take a look:
Code:
/usr/local/ncpa/var/log/ncpa_listener.log
/usr/local/ncpa/etc/ncpa.cfg
Thanks and Best Regards,
Keith
Re: Issue connecting to agent on Mac OS
Firewall is verified as being off. Screenshot of firewall, log, and config attached.
Connection attempts from the Nagios server itself:
phil@nagios:~$ telnet 10.2.95.250 5693
Trying 10.2.95.250...
Connected to 10.2.95.250.
Escape character is '^]'.
^]
telnet> q
Connection closed.
phil@nagios:~$ curl -ik https://10.2.95.250:5693
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
phil@nagios:~$
Re: Issue connecting to agent on Mac OS
Unable to send files as PM
"We are sorry, but you are not authorised to use this feature. You may have just registered here and may need to participate more to be able to use this feature."
Re: Issue connecting to agent on Mac OS
If I try to connect from another Mac system through the web browser with https://10.2.95.250:5693/testconnect/?token=<token redacted> . I get the expected Success message
{
"value": "Success."
}
So the listener is running and accepting connections, it just can't connect from the Nagios server.
Re: Issue connecting to agent on Mac OS
From Nagios server:
phil@nagios:/usr/local/nagiosxi/var$ curl -vik https://10.2.95.250:5693/api/system/age ... ken=<token redacted>
* Trying 10.2.95.250:5693...
* TCP_NODELAY set
* Connected to 10.2.95.250 (10.2.95.250) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
And connecting to the gui interface on the client at 10.2.95.250 using https://10.2.95.250:5693/gui/admin
I can see that SSL is TLSv1.2. It looks like it's a TLS mismatch; the server isn't stepping down to TLSv1.2.
Re: Issue connecting to agent on Mac OS
Found the root cause. Nagios server is apparently enforcing the TLS version. I created a file called "openssl_allow_tls1.0.cnf" in my home directory and put the following in it.
Code:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
I then ran
Code:
export OPENSSL_CONF=~/openssl_allow_tls1.0.cnf
Running curl -ik https://10.2.95.250:5693
I then received the expected 302 redirect response.
Code:
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 219
Location: https://10.2.95.250:5693/login
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Set-Cookie: session=eyJyZWRpcmVjdCI6Imh0dHBzOi8vMTAuMi45NS4yNTA6NTY5My8ifQ.FGK_Vw.7tbyB9TF2fw1Bgf3hRZAePkNtE0; Secure; HttpOnly; Path=/
Date: Tue, 02 Nov 2021 12:23:51 GMT
Re: Issue connecting to agent on Mac OS
Functioning workaround/fix is as follows
On the Nagios Server: (Ubuntu 20.04 server)
Edit /etc/ssl/openssl.cnf
Add the following at the top of the file:
Code:
openssl_conf = openssl_init
Add the following at the end of the file:
Code:
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
Save the file and reboot the server.
I'm now able to access the NCPA plugin on the Mac systems.
It looks like TLS is falling back to 1.0 when trying to connect, which was deprecated out in Ubuntu 20.04.
When I made the testing changes I detailed in a previous post, curl -v showed the following info
Code:
phil@nagios:~$ curl -vik https://10.2.95.250:5693
* Trying 10.2.95.250:5693...
* TCP_NODELAY set
* Connected to 10.2.95.250 (10.2.95.250) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Minnesota; L=St. Paul; O=Nagios Enterprises, LLC; OU=Development; CN=Alpha-3.local
* start date: Nov 1 12:27:34 2021 GMT
* expire date: Oct 30 12:27:34 2031 GMT
Re: Issue connecting to agent on Mac OS
Hi pturner75,
I'm sorry for the latency in our reply but excellent job diagnosing the problem. We've started to see a number of cases where TLS 1.0 and TLS 1.1 are being deprecated by providers. I will add this information to our internal discussion on the subject. Thanks !!!
Thanks and Best Regards,
Keith
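Added example (not part of the original posts and not Nagios or NCPA code): the workaround in this thread edits /etc/ssl/openssl.cnf, so the lowered security level applies to every program on the Nagios server that loads the default OpenSSL configuration, not only check_ncpa.py. The Python script below follows the same openssl_conf, ssl_conf, system_default chain and reports a lowered SECLEVEL or MinProtocol; the function names and the THREAD_CNF sample are constructed here, and the SECLEVEL 2 / TLSv1.2 baseline is assumed from Ubuntu 20.04's defaults.

```python
import re

# Constructed sample: the fragments this thread adds to /etc/ssl/openssl.cnf.
THREAD_CNF = """\
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
"""

def parse_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}; '' is the top level."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_policy(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return that section's settings."""
    cfg = parse_cnf(text)
    name = cfg[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = cfg.get(name, {}).get(key)
    return cfg.get(name, {}) if name else {}

def audit(text):
    """Return findings for a system-wide policy weaker than SECLEVEL=2 / TLSv1.2."""
    # Assumption: baseline is Ubuntu 20.04's default (level 2, TLS 1.2 minimum).
    policy, findings = system_default_policy(text), []
    level = re.search(r"@SECLEVEL=(\d)", policy.get("CipherString", ""))
    if level and int(level.group(1)) < 2:
        findings.append(f"CipherString lowers SECLEVEL to {level.group(1)}")
    if policy.get("MinProtocol") in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"MinProtocol allows {policy['MinProtocol']}")
    return findings
```

To check a live host, pass the contents of /etc/ssl/openssl.cnf (or of the file named in OPENSSL_CONF) to audit(); an empty list means no system-wide downgrade was found.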