nagios/nrpe 3.2.0 does not support ECDHE?

Posted: Thu Mar 29, 2018 1:35 pm
by rcjacobson
I'm trying to set up my NRPE server (v. 3.2.0) with TLS. The openssl version on the system is 1.0.1e. Platform is RHEL6.9. The key is 2048-bit RSA. NRPE is running as a standalone service (i.e. not via xinetd).

# grep ^ssl /etc/nagios/nrpe.cfg
ssl_version=TLSv1.2
ssl_cipher_list=EECDH+AESGCM
ssl_cacert_file=/etc/nagios/ssl/ca-chain.cert.pem
ssl_cert_file=/etc/nagios/ssl/nrpe.crt
ssl_privatekey_file=/etc/nagios/ssl/nrpe.key
ssl_logging=0x01
With the settings above, check_nrpe will not successfully negotiate an SSL handshake. In addition, both nmap and sslscan report NO ciphers supported for the connection. I will note that EECDH+AESGCM works perfectly in Apache; the supported ciphers for Apache (also using an RSA key) end up being:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
So, then I changed ssl_cipher_list to "AESGCM:!ADH". SSL now works, but the ciphers do NOT include ECDHE, only these:

    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
I also tried completely removing the "ssl_cipher_list" specification, but with that config there are still no ECDHE ciphers in the list.

I don't understand why ECDHE isn't offered by NRPE. Can someone enlighten me?

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Posted: Thu Mar 29, 2018 3:51 pm
by scottwilkerson
This sounds more like a feature request for NRPE, please feel free to make the request at the NRPE open source project site, or better yet, feel free to provide a pull request with the desired changes.

https://github.com/NagiosEnterprises/nrpe

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Posted: Fri Mar 30, 2018 8:01 am
by erichymowitz
Hi, Scott.

I'm not sure I understand why this would be a "feature request".

This link https://support.nagios.com/forum/viewto ... 16&t=41448 says things like
Nagios and NRPE both depend on the base system encryption tools
NRPE is going to use the SSL cert it's configured to use.
So if openssl supports ECDHE

# openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA: [lots more]
then why wouldn't NRPE?

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Posted: Fri Mar 30, 2018 9:02 am
by scottwilkerson
erichymowitz wrote: I'm not sure I understand why this would be a "feature request".
Sorry, that came out of my fingers wrong, let's call it an issue.
https://github.com/NagiosEnterprises/nrpe/issues

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Posted: Fri Mar 30, 2018 12:39 pm
by rcjacobson
I did a bit more testing.

After compiling/installing openssl 1.1.0h, and then recompiling NRPE 3.2.1, I found that ECDHE ciphers are now working.

In other words, for some reason NRPE requires OpenSSL 1.1+ for ECDHE ciphers to work.

I'm going to go out on a limb and guess that there's a conditional in the code that's not quite right. There's no technical reason (that I'm aware of) that ECDHE ciphers should not work using openssl 1.0.1e.

I will submit this as an issue. Thanks.
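One detail that fits the finding above: on OpenSSL 1.0.x a server only offers ECDHE suites once the application has set an ECDH curve (SSL_CTX_set_tmp_ecdh(), or SSL_CTX_set_ecdh_auto() from 1.0.2), whereas OpenSSL 1.1.0 selects a curve automatically, and a cipher string such as "AESGCM:!ADH" does include ECDHE suites, so the cipher list itself is not what is hiding them. The script below is an added example (not code from the thread or from the NRPE project) that shows what the two cipher strings from the first post expand to on the local libssl and probes a server the way the sslscan check above does; it assumes Python 3.7+ and uses NRPE's default port 5666 as a placeholder target.

```python
import socket
import ssl

# Added example, not NRPE code. Client-side view of the cipher strings used
# in this thread, plus a one-handshake probe against a running NRPE daemon.


def expand_cipher_string(cipher_string, protocol="TLSv1.2"):
    """Expand an OpenSSL cipher string the way the local libssl does and
    return the suite names for one protocol version (TLS 1.3 suites are
    configured separately, so they are filtered out by default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == protocol]


def has_ecdhe(suite_names):
    """True if at least one suite uses ephemeral ECDH key exchange."""
    return any(name.startswith("ECDHE-") for name in suite_names)


def probe_server(host, port, cipher_string, timeout=5.0):
    """Attempt one TLS 1.2 handshake offering only `cipher_string`.
    Returns the negotiated suite name, or None if the server refused every
    offered suite (what sslscan reports as no accepted ciphers)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing negotiation here, not the chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    import sys
    # Usage: python nrpe_ecdhe_check.py <host> [port]  (5666 is NRPE's default)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5666
    for spec in ("EECDH+AESGCM", "AESGCM:!ADH"):
        names = expand_cipher_string(spec)
        print(f"{spec!r}: {len(names)} TLS 1.2 suites, ECDHE present: {has_ecdhe(names)}")
        print(f"  {host}:{port} negotiated: {probe_server(host, port, spec)}")
```

If the probe returns a DHE or plain RSA suite for "AESGCM:!ADH" but None for "EECDH+AESGCM", the server side has no usable ECDH curve, which matches the 1.0.1e behaviour described in this thread.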

Re: nagios/nrpe 3.2.0 does not support ECDHE?

Posted: Fri Mar 30, 2018 2:05 pm
by scottwilkerson
rcjacobson wrote: I will submit this as an issue. Thanks.
Thanks, and glad to hear at least it is working with 1.1+