Securing NRPE against weak SSL Ciphers
Posted: Thu Feb 06, 2014 4:43 pm
by illectronic
I am running a PCI scan and NRPE is showing up as having weak or medium ciphers. With other applications there were ways to adjust this to only allow strong ciphers. Is there any way to do this in Nagios?
Re: Securing NRPE against weak SSL Ciphers
Posted: Fri Feb 07, 2014 1:48 pm
by sreinhardt
First question would be, what clients are you running nrpe on, and which specific nrpe agent? There are ways to do this though!
Re: Securing NRPE against weak SSL Ciphers
Posted: Fri Apr 25, 2014 11:14 am
by mark.s.spooner
I have the same question for nrpe 2.13. Is it the set_cipher_list that needs to be changed?
check_nrpe.c:SSL_CTX *ctx;
check_nrpe.c: if((ctx=SSL_CTX_new(meth))==NULL){
check_nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
check_nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");
check_nrpe.c: SSL_CTX_free(ctx);
check_nrpe.c: SSL_CTX_free(ctx);
nrpe.c:SSL_CTX *ctx;
nrpe.c: if((ctx=SSL_CTX_new(meth))==NULL){
nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");
nrpe.c: SSL_CTX_set_tmp_dh(ctx,dh);
nrpe.c: SSL_CTX_free(ctx);
Re: Securing NRPE against weak SSL Ciphers
Posted: Fri Apr 25, 2014 2:11 pm
by tmcdonald
I'm not quite sure. We have an internal bug fix open for this but I don't think a patch has been made. I'm not a C developer so I wouldn't feel comfortable weighing in on a security issue. My gut says to change the SSL_CTX_set_cipher_list to something other than ADH (since that seems to be the weak cipher) but again I can't say for sure, not being a dev.
Re: Securing NRPE against weak SSL Ciphers
Posted: Fri Apr 25, 2014 6:01 pm
by mark.s.spooner
Tried changing the cipher_list -- no joy.
Must be more complicated than that.
Re: Securing NRPE against weak SSL Ciphers
Posted: Mon Apr 28, 2014 2:18 pm
by abrist
This is on the NRPE devs' radars. They are working on it, and it is a bit more complicated than it first appears.
Re: Securing NRPE against weak SSL Ciphers
Posted: Tue Aug 19, 2014 5:13 am
by bradley.radjoo
abrist wrote: This is on the NRPE devs' radars. They are working on it, and it is a bit more complicated than it first appears.
Hi, has there perhaps been any update or progress in regards to this?
Re: Securing NRPE against weak SSL Ciphers
Posted: Tue Aug 19, 2014 9:03 am
by eloyd
Wow. I think you just won the "oldest posting that really needs a status update" award!

Re: Securing NRPE against weak SSL Ciphers
Posted: Tue Aug 19, 2014 5:15 pm
by abrist
Not yet. There is some work being done on nrpe, but it may lead to a more thoughtful rewrite. I would watch the issues on the github page:
https://github.com/NagiosEnterprises/nrpe/issues/4
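
An added example, not part of the thread and not NRPE's code: the "ADH" string in the grep output above selects anonymous Diffie-Hellman suites, which use no certificate, so a scanner will typically flag every one of them regardless of bulk-cipher strength. The sketch below classifies suite names from a scan listing; the input format, the sample lines, and the names `classify` and `audit` are constructed for illustration.

```python
import re

# Anonymous key exchange: OpenSSL names ADH-*/AECDH-* (optionally EXP- prefixed),
# IANA names containing _anon_. No certificate is involved, so the peer is
# never authenticated, whatever the bulk cipher strength.
ANON = re.compile(r"^(EXP-)?(ADH|AECDH)-|_anon_")
# Weak bulk cipher or MAC markers: export grade, NULL, RC4, single DES, MD5.
WEAK = re.compile(r"(^|[-_])(EXP|EXPORT|NULL|RC4|DES|DES40|MD5)(?=$|[-_])")


def classify(suite):
    """Return the reasons a scanner would flag this suite (empty list if none)."""
    reasons = []
    if ANON.search(suite):
        reasons.append("anonymous-key-exchange")
    # 3DES appears as DES-CBC3 or 3DES_EDE; do not report it as single DES.
    stripped = suite.replace("DES-CBC3", "TDES").replace("3DES", "TDES")
    if WEAK.search(stripped):
        reasons.append("weak-cipher-or-mac")
    return reasons


def audit(scan_lines):
    """Map 'host:port' -> {suite: reasons} for every flagged suite."""
    findings = {}
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, suite = line.split()
        reasons = classify(suite)
        if reasons:
            findings.setdefault(endpoint, {})[suite] = reasons
    return findings


# Constructed sample listing (5666 is NRPE's default port; addresses are documentation range).
SAMPLE = """\
# endpoint suite
192.0.2.10:5666 ADH-AES256-SHA
192.0.2.10:5666 ADH-DES-CBC3-SHA
192.0.2.10:5666 ADH-RC4-MD5
192.0.2.10:443 ECDHE-RSA-AES256-GCM-SHA384
""".splitlines()

if __name__ == "__main__":
    for endpoint, suites in audit(SAMPLE).items():
        for suite, reasons in suites.items():
            print(f"{endpoint} {suite}: {', '.join(reasons)}")
```

Every ADH suite is reported even when its bulk cipher is AES-256, because clearing the finding means moving to certificate-authenticated suites, and those require a certificate and key on the NRPE side in addition to a new cipher string.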