nrpe and "Insecure SSL ciphers (DH512 Bit)" cause failed co
Posted: Fri Sep 25, 2015 3:57 am
Hi,
I am using the check_nrpe command from version nrpe-2.15 together
with Ubuntu Linux 14 and NSclient++ (version NSCP-0.4.3.143-x64.msi).
Because in OpenSSL on Ubuntu the length of DH parameters must be > 768 bits
(see https://wiki.ubuntu.com/SecurityTeam/Kn ... ase/LogJam for example),
this configuration stopped working, because nrpe-2.15 and NSCP-0.4.3.143-x64.msi use DH parameters
of length 512 bits.
To fix my problems:
1. I changed on NSclient++ the file security\nrpe_dh_512.pem to a 1024-bit version using "openssl dhparam -C 1024"
2. I changed in the source tree of nrpe-2.15 the file check_nrpe.c to make use of the cipher the command "openssl s_client" used in the test connection handshake:
//SSL_CTX_set_cipher_list(ctx,"ADH");                        /* original: anonymous DH, unauthenticated */
SSL_CTX_set_cipher_list(ctx,"DHE-RSA-AES256-GCM-SHA384");   /* the suite s_client negotiated with NSClient++ */
and got a working setup:
unilab@sattelit01:~/nrpe_plugin/nrpe-2.15/src$ ./check_nrpe -H 10.100.1.21
I (0.4.3.143 2015-04-29) seem to be doing fine...
Question: I think there is a general need to reflect the "disable insecure ciphers in SSL libraries"
change in the nrpe client and server by using "secure" ciphers or making the choice of used ciphers
more configurable.
Can this be done upstream?
Best Regards,
Achim
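Added example, not from Achim's post and not code from the NRPE or NSClient++ projects: the break described above comes from a DH parameter file (security\nrpe_dh_512.pem) whose prime is shorter than the minimum OpenSSL now accepts. The script below parses the PEM "DH PARAMETERS" format that "openssl dhparam" writes (PKCS#3: a DER SEQUENCE of INTEGER p and INTEGER g), reports the bit length of p and flags files below a configurable minimum, so an operator can audit every NRPE agent before the next OpenSSL update refuses the handshake. The default minimum of 2048 bits is a chosen policy value, not something the post states; the sample moduli are constructed numbers of the right size, not real safe primes, and exist only to exercise the length check.

```python
import base64
import re

# Policy threshold assumed for this example; the post only says ">768 bits" is
# what the patched Ubuntu OpenSSL enforces, 2048 is today's common minimum.
MIN_DH_BITS = 2048

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_len(n):
    """Encode a DER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """Encode a non-negative integer as DER INTEGER (leading 0x00 if MSB set)."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, i):
    """Read one DER tag/length/value at offset i; return (tag, value, next_offset)."""
    tag = buf[i]
    length = buf[i + 1]
    i += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def encode_dh_params_pem(p, g):
    """Build a PEM file in the same shape 'openssl dhparam' writes (used here
    to construct sample input; p is NOT validated as a prime)."""
    der = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(der)) + der
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + \
        "\n-----END DH PARAMETERS-----\n"


def parse_dh_params_pem(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, i = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(body, i)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    # A trailing optional privateValueLength INTEGER (PKCS#3) is ignored.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_param_bits(pem):
    """Bit length of the DH prime p, the figure OpenSSL's LogJam fix checks."""
    p, _ = parse_dh_params_pem(pem)
    return p.bit_length()


def check_dh_params(pem, min_bits=MIN_DH_BITS):
    """Return (bits, ok): ok is False when the modulus is below min_bits."""
    bits = dh_param_bits(pem)
    return bits, bits >= min_bits


if __name__ == "__main__":
    # Constructed sample moduli (not primes): a 512-bit one like the shipped
    # nrpe_dh_512.pem and a 2048-bit replacement.
    for label, p in (("512-bit file", (1 << 511) | 1),
                     ("2048-bit file", (1 << 2047) | 1)):
        bits, ok = check_dh_params(encode_dh_params_pem(p, 2))
        print(f"{label}: p is {bits} bits -> {'OK' if ok else 'TOO SHORT'}")
```

To audit a real agent, read the PEM file from disk and pass its contents to check_dh_params; the parser accepts exactly what "openssl dhparam -out file.pem 2048" produces, and a file generated that way reports 2048 bits.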