NRPEv3 ssl

Posted: Wed Jan 18, 2017 9:34 am
by WillemDH
Hello,

Is there any documentation on how to use SSL certificates on NRPE v3 with NSClient++? I found these docs: https://www.google.be/url?sa=t&rct=j&q= ... qZhPVxJT6A

And I can see in the generated config for NRPE v3:

# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.

# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
#        TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.

#ssl_version=SSLv2+

# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.

#ssl_use_adh=1

# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something like the example below in a later version of NRPE.

#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH

# SSL Certificate and Private Key Files

#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem

# SSL USE CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
#         1 = Ask for client certificates
#         2 = Require client certificates

#ssl_client_certs=0

# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.

# Values: 0x00 (0)  = No additional logging (default)
#         0x01 (1)  = Log startup SSL/TLS parameters
#         0x02 (2)  = Log remote IP address
#         0x04 (4)  = Log SSL/TLS version of connections
#         0x08 (8)  = Log which cipher is being used for the connection
#         0x10 (16) = Log if client has a certificate
#         0x20 (32) = Log details of client's certificate if it has one
#         -1 or 0xff or 0x2f = All of the above

#ssl_logging=0x00
But I can't find any documentation on whether it's possible to get this working with NSClient++ and, if so, how this would be done on the NSClient++ side. Has this been tested yet? Am I reading it correctly that there is no way to configure SSL ciphers yet and we are stuck with 'ALL:!MD5:@STRENGTH' for now?
Michael Medin made a post in 2012 about this https://medin.name/2012/12/02/securing- ... entication but it seems to no longer exist...

Grtz

Willem

Re: NRPEv3 ssl

Posted: Wed Jan 18, 2017 4:43 pm
by ssax
Unfortunately not, I have tried for DAYS to get NSClient++ to NSClient++ client certificates setup and working per his info but I am unable to get it to work, I think it's likely a bug in the implementation but I can't be sure since I know nothing about his codebase.

I have also tried to get a NRPE 3+ to NSClient++ setup with client certificates (with verification) working and I have been unable to get it to work either.

I was able to get SSL working and passing the allowed ciphers but any time I had it try to validate the peer certificates it would fail. I'm also not sure if it was actually using the certificates because there is no debug info for the SSL stuff (well not enough to tell me why it's not verifying properly or if it's actually using/accepting the certificates) and I was unable to find any additional documentation to get it to.

What is also strange is that it still uses the DH key (I had to generate a 2048 bit length one since it comes by default with only 512) but that shouldn't have even been used, which leads me to believe it's a bug in the implementation.

I tried with 3 different versions of NSClient++.

If you want to try it, he moved it, you can access the page he posted here:

https://www.medin.name/blog/2012/12/02/ ... ntication/


Let me know if you have any questions.


Thank you

Re: NRPEv3 ssl

Posted: Wed Jan 18, 2017 5:29 pm
by WillemDH
Ah ok, good to know two-way SSL between check_nrpe and NSClient++ isn't possible yet. Can you elaborate somehow on the 2048-bit certificate that is generated during the NRPE 3 installation? If it's not working with NSClient++, is its single purpose then for check_nrpe to nrpe-agent communication? How is the NRPE traffic encrypted between NRPE v3 and NSClient++ with a default installation?
Where are these certificates installed? I'd love to see an example nrpe.cfg for NRPE v3 which has been configured for 'optimal' encryption.

Also, does it work with NCPA? (Unfortunately I cannot migrate to NCPA as I'm heavily relying on the real-time eventlog monitoring capabilities of NSClient++)

Re: NRPEv3 ssl

Posted: Wed Jan 18, 2017 6:01 pm
by ssax
The developer's response:
check_nrpe doesn't use the DH key, only the NRPE daemon on the remote. It's required if check_nrpe is a 2.x version. If both ends are 3.x, better SSL ciphers are available.
What I meant was I had to set the DH key on the NSClient++ side, by default it uses a 512-bit one, I just ran the command below on my XI server and used it in place of the 512 one in the NSClient++ security directory:

openssl dhparam -out nrpe_dh_2048.pem 2048
I had to make it match my certificate length (I tried 4096 and 2048).

The default NRPE and NSClient++ is still SSL but it's doing a DH key exchange.

Re: NRPEv3 ssl

Posted: Thu Jan 19, 2017 1:15 am
by rajasegar
Have you tried this? Hopefully box293 can help out on this

Here is the install guide:
https://support.nagios.com/kb/article.php?id=515

An upgrade guide:
https://support.nagios.com/kb/article.php?id=520

NRPE v3 Enhanced Security
https://support.nagios.com/kb/article.php?id=519

check_nrpe v3 Config File
https://support.nagios.com/kb/article.php?id=517

How to use the "payload length" argument in nsclient.ini to allow for more data to be returned.
https://support.nagios.com/kb/article.php?id=518

Re: NRPEv3 ssl

Posted: Thu Jan 19, 2017 4:47 am
by WillemDH
@rajasegar I've read through all of those. Upgraded NRPE to 3.0.1 on my QA XI server.

@ssax
Sorry for all the questions, I have some knowledge of PKI, but mostly MS PKI and web certificates.
So DH works but EDH doesn't? As we have a private MS PKI, my certificates are generated in .pfx format, not with openssl. If I generate a 2048-bit pfx certificate which I transform with openssl to a full chain pem and put it in the security folder of NSClient++, this will not work as ?

Reading this:

# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something like the example below in a later version of NRPE.

#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
Does this mean we can only use 'ALL:!MD5:@STRENGTH' now for ciphers?

Also does the client certificates setup work with NCPA?
Where are the NRPE 3 2048 bit certificates installed?
Could someone post an example nrpe.cfg / check_nrpe command for NRPE v3 which has been configured for 'optimal' encryption and which is supported to work with NSClient++ 0.5.x?

Thanks.

Willem

Re: NRPEv3 ssl

Posted: Thu Jan 19, 2017 6:05 pm
by ssax
No, you should still be able to specify the allowed ciphers that you want it to use, I will need to work with our C developer and ask him about where the 2048 DH key is stored, he said only NRPE 2.X queries should use the DH key (that's why I was wondering why the DH key even mattered when I was passing actual certificates), it might be stored in the binary.

Let me lab it up again on Monday and I'll do some packet inspection to see what it's actually using and if it's accepting my parameters so I can get a better idea; if you don't hear from me by end of day Monday, reply on here so it pops up on the dashboard.


Thank you

Re: NRPEv3 ssl

Posted: Thu Jan 19, 2017 6:08 pm
by ssax
Oh, I said Monday because I'm out of the office tomorrow and won't be back until Monday so have a good weekend!

Re: NRPEv3 ssl

Posted: Thu Jan 19, 2017 8:05 pm
by rajasegar
Hopefully someone in Nagios can come up with a simple guide on how to setup nrpe 3.0.1 with the NSClient++.

Thanks in advance.

Re: NRPEv3 ssl

Posted: Fri Jan 20, 2017 4:48 am
by WillemDH
Setting up NRPE 3.0.1 to work with NSClient++ is very doable following the existing documentation (tip => create a check_nrpe_v3 plugin so you can run both versions next to each other) and not that hard. It's getting it to work with proper SSL certificates generated by a private CA that's the hard part. At this moment, the SSL option of the NRPE plugin and server does not perform authentication. It's only a DH key, which is generated at compilation time. Ideally EDH/ECDH should be used with strong ciphers and limited protocols:

This is the setup needed for an SSLLabs A+ rating and imho this is where NRPE should be going.

SSLCipherSuite => AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
SSLProtocol => -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
The problem with all this is in the communication between Nagios and Michael Medin. They both claim the other half has a buggy 'insecure' implementation of the NRPE protocol. If Nagios really thinks the issue is on the NSClient++ side, a strongly documented GitHub issue should be created in https://github.com/mickem/nscp/issues. As far as I know there is currently no GitHub issue for this problem. At this time Michael even made his own version of NRPE, which is called check_nscp_rnpe I think. But the documentation on his own implementation is limited...
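As an added example (not from the thread, NRPE or NSClient++), a short Python script that expands the three cipher strings quoted in this thread through the local OpenSSL build and reports two things the discussion turns on: which suites offer no peer authentication (Au=None, i.e. anonymous DH, the reason the default 'ALL:!MD5:@STRENGTH' gives encryption without authentication) and whether every suite gives forward secrecy (the EDH/EECDH-only string above). It also goes slightly beyond the thread by comparing the default list with the stricter one NRPE's nrpe.cfg comment proposes. `expand`, `anonymous_suites` and `forward_secret_only` are names I chose; the cipher strings themselves are the ones on the page.

```python
import re
import ssl

# Cipher strings quoted in this thread.
NRPE_DEFAULT = "ALL:!MD5:@STRENGTH"
NRPE_PROPOSED = "ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH"
FORWARD_SECRET = "AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH"


def expand(cipher_string):
    """Return [(name, kx, au)] for every TLS<=1.2 suite the string selects.

    Goes through the local OpenSSL build via the ssl module, so the result is
    what this machine would actually offer. TLS 1.3 suites are skipped because
    an OpenSSL cipher string (set_ciphers) does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"no cipher matches {cipher_string!r}") from exc
    out = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like:
        # "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        desc = c["description"]
        kx = re.search(r"Kx=(\S+)", desc).group(1)
        au = re.search(r"Au=(\S+)", desc).group(1)
        out.append((c["name"], kx, au))
    return out


def anonymous_suites(cipher_string):
    """Suites with no peer authentication (Au=None): anonymous/ADH exchanges."""
    return [name for name, _kx, au in expand(cipher_string) if au == "None"]


def forward_secret_only(cipher_string):
    """True if every selected suite uses an ephemeral (EC)DH key exchange."""
    return all(kx in ("ECDH", "DH") for _name, kx, _au in expand(cipher_string))


if __name__ == "__main__":
    for label, cs in (("default", NRPE_DEFAULT), ("proposed", NRPE_PROPOSED),
                      ("forward-secret", FORWARD_SECRET)):
        suites = expand(cs)
        print(f"{label}: {len(suites)} suites, "
              f"{len(anonymous_suites(cs))} anonymous, "
              f"forward secrecy everywhere: {forward_secret_only(cs)}")
```

Run it on the Nagios server and on a host with the NSClient++ build's OpenSSL if you can, since the lists depend on the library version; the proposed string should never list an anonymous suite, and it is always a subset of the default one because it only adds exclusions.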