NagiosXI and Tenable - TLS1.0 Question

[lveitch]

Hi everyone,

So I have a question that I cant quite find an answer for. So Tenable is saying that TLS1.0 is enabled on my NagiosXI server (running on Ubuntu 24).

I can confirm that Ubuntu 24 has TLS 1.0 disabled by default https://ubuntu.com/blog/whats-new-in-se ... -24-04-lts

So I followed the procedure for Nagios to ensure it was disabled there (mine was in /etc/apache2/mods-available/ssl.conf as I dont have an /etc/https folder) https://support.nagios.com/kb/article/d ... rotection.

Even after a reboot and a fresh Tenable scan, it says that my NagiosXI server still has TLS1.0 enabled and to disable it. I can confirm that if I do run the following command that it connects so it appears that modifying the Apache file makes no affect on connection to the system

Code: Select all

openssl s_client -tls1 -connect <ip_address or servername>:443

Are there other places that I need to change or look for TLS settings that I am not aware of?

[jsimon]

Hi @lveitch,

Could you provide a copy of your ssl.conf file for review? You can attach the file to your post, copy the whole thing into a post directly, or send it to me directly in a DM. This will help us make sure you've modified the file correctly.

[lveitch]

Sure can

Code: Select all

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#   (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache    dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#   (Disabled by default, the global Mutex directive consolidates by default
#   this)
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate. See the
#   ciphers(1) man page from the openssl package for list of all available
#   options.
#   Enable only secure ciphers:
#SSLCipherSuite HIGH:!aNULL
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption.  You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
SSLHonorCipherOrder On

#   The protocols to enable.
#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
#   SSL v2  is no longer supported
#SSLProtocol all -SSLv3
#SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3

#   Allow insecure renegotiation with clients which do not yet support the
#   secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on

#   Whether to forbid non-SNI clients to access name based virtual hosts.
#   Default: Off
#SSLStrictSNIVHostCheck On

# Warning: Session Tickets require regular reloading of the server!
# Make sure you do this (e.g. via logrotate) before changing this setting!
SSLSessionTickets off

[lveitch]

From everything I have read and found, everything looks fine. Just not sure what exactly I am missing. I have tried probably 50 permutations of the settings in the SSL file with no luck.

[jmichaelson]

There may be an SSLProtocol line in other bits of the Apache config that are being loaded and overriding this one. See this Serverfault post https://serverfault.com/questions/84817 ... -in-apache

In reading the mod_ssl docs from apache, https://httpd.apache.org/docs/2.4/mod/m ... slprotocol, I'm not entirely sure that all should be there. If TLS 1.2 and 1.3 are the only versions acceptab;e in your environment, I'd try

Code: Select all

SSLProtocol +TLSv1.2 +TLSv1.3

and explicitly whitelist the acceptable versions

[lveitch]

Sorry for my super late response; other things came up and I had to put this on the back burner. I will give that a try and re-run my Tenable scan and see if that does the trick. I will respond with and update once everything is done

[lveitch]

Okay I got it...so my new Tenable scan came back with port 25 (SMTP). Even though I never explicitly installed it or set it up, its a part of the NagiosXI install for Ubuntu. It installs postfix by default.

I found it by checking my services

Code: Select all

service --status-all

and I saw postfix was running. I then edited

Code: Select all

/etc/postfix/main.cf

and added the following lines

Code: Select all

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

I then restarted

Code: Select all

service postfix restart

and did my new scan and got it to come back clean! I never would have thought to check that!