SSL/TLS version in use

Posted: Mon Dec 05, 2016 5:23 pm
by gormank
Hi,
I need info on whether TLS is supported, what version and if not supported what version of SSL is in use/available. The below list is what I can think of, anything else?

Nagios web pages
Nagios and NRPE and NSCPP
Nagios and NSCP

This is related to the new set of systems being built and the protocols/versions that will be allowed.

If TLS 1.2 is not supported, then we need an upgrade path/plan for the future in order to get an exception.

Thanks

Re: SSL/TLS version in use

Posted: Mon Dec 05, 2016 5:45 pm
by avandemore
Nagios and NRPE both depend on the base system encryption tools. This is all openssl by default and any modern version is going to support SSL v2, v3 and TLS. What's enabled out of the box is largely dependent on the systems involved, as it isn't just the Nagios side of things which determines what cipher and handshake methods are acceptable.

To see if your local system supports TLS 1.2, you can do this:

Code:

openssl s_client -connect <nagios host>:443 -tls1_2

To get a full listing of what the OS supports:

Code:

openssl ciphers

NSCP is a different issue, you'll want to consult their documentation for whatever version you are using:

https://docs.nsclient.org/0.4.4/

Re: SSL/TLS version in use

Posted: Mon Dec 05, 2016 6:05 pm
by gormank
I seem to recall that you posted a link to an NRPE web site some time back? I can't find it and searching the internet hasn't come up w/ much. Could you let me have that again?

I'll also have a look at the NSCP site for more info.

From the connect I see the following, which looks promising. The cipher list wasn't much help.

Code:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Code:

# openssl ciphers | tr : "\n"
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
DES-CBC3-SHA
IDEA-CBC-SHA
PSK-AES128-CBC-SHA
PSK-3DES-EDE-CBC-SHA
KRB5-IDEA-CBC-SHA
KRB5-DES-CBC3-SHA
KRB5-IDEA-CBC-MD5
KRB5-DES-CBC3-MD5
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
PSK-RC4-SHA
KRB5-RC4-SHA
KRB5-RC4-MD5

Re: SSL/TLS version in use

Posted: Tue Dec 06, 2016 10:43 am
by avandemore
Maybe this document? https://assets.nagios.com/downloads/nag ... e/NRPE.pdf
This is the official repo -- https://github.com/NagiosEnterprises/nrpe

NRPE is going to use the SSL cert it's configured to use. So if that happens to be an SSLv3/TLS cert, it will use this. This is most likely going to be set at the remote end as check_nrpe is acting as the client.

Both client and server can set what is acceptable encryption per openssl mechanisms. Server side this is dependent on the certificate being used. Client side you can test as such:

Code:

openssl s_client -connect <nagios host>:443 -ssl2

A failure would indicate SSLv2 is disabled at the cert level, and the client would only accept SSLv2.

Code:

# /usr/local/nagios/libexec/check_nrpe -h

This will show how to construct an NRPE query using only select ciphers and other SSL config options, for example if you are using a PKI.
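
An added example, not part of any post in this thread: a shell helper that reads the Protocol and Cipher lines of the s_client session block instead of the "New, TLSv1/SSLv3" banner, treats a session whose cipher is 0000 or (NONE) as a refused handshake, and repeats the s_client test above for each protocol flag. The function names, the script name and the refused-handshake sample are constructed for illustration; -ssl3, -tls1 and -tls1_1 are s_client flags that the thread itself does not use.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Read `openssl s_client` output on stdin. Print "<protocol> <cipher>" and
# return 0 if a session was negotiated; print "none" and return 1 otherwise.
negotiated() {
    awk -F': *' '
        /^ *Protocol *:/ { gsub(/[ \r]/, "", $2); proto = $2 }
        /^ *Cipher *:/   { gsub(/[ \r]/, "", $2); cipher = $2 }
        END {
            # A refused handshake still prints a session block, with cipher 0000.
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "none"; exit 1
            }
            print proto, cipher
        }'
}

# Successful handshake, trimmed from the output posted in the thread.
sample_ok() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# Constructed sample: s_client output when the server refuses the handshake.
sample_refused() {
    cat <<'EOF'
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
EOF
}

# Try each protocol flag against host:port ($1). A flag the local OpenSSL
# build no longer has makes s_client exit with no session, reported as "none".
probe() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-9s' "$flag"
        openssl s_client -connect "$1" "$flag" </dev/null 2>/dev/null | negotiated
    done
}

# Usage: sh tlsprobe.sh <nagios host>:443   (script name is hypothetical)
[ "$#" -eq 0 ] || probe "$1"
```

Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input, so the loop does not hang.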