NRPE and kernel fips=1
Posted: Tue Mar 06, 2012 2:32 pm
After running DISA STIG compliance checks our ssl communications to the nrpe daemon started failing with the following error:
Mar 3 08:00:23 XXXXXXXX nrpe[1234]: Error: Could not complete SSL handshake. 1
After reading the README.SSL file I see where it mentioned to run 'openssl dhparam -C 512' to create the dh.h before running a recompile, but the kernel fips mode was keeping this from running properly as I think it requires 1024 or higher. I did the following from the main nrpe source directory to fix it temporarily, but I'm hoping the devs will see this and fix it in future builds and hopefully the EPEL repository later on.
openssl dhparam -C 1024 > include/dh.h
vi configure
# Changed this
# $sslbin dhparam -C 512 | awk '/^-----/ {exit} {print}' > include/dh.h
# to this
$sslbin dhparam -C 1024 | awk '/^-----/ {exit} {print}' > include/dh.h
vi src/nrpe.c
# Changed this
# dh=get_dh512();
# to this
dh=get_dh1024();
I then re-compiled the software (using a src rpm & rpmbuild) and it seems to be happy. As of right now we just notice the problem with nrpe because the nagios server hasn't been tested in fips mode yet.
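The same 512-to-1024-bit DH change as a script, added here as an example and not part of the original post: it patches configure and src/nrpe.c, regenerates include/dh.h the way configure does (assuming openssl's dhparam -C as used in the post), and checks the header's DH size before the rebuild. The function names and the minimum-bits check are my own, not NRPE's.

```shell
#!/bin/sh
# Added example (not from the original post): apply the 512 -> 1024-bit DH
# change to an NRPE source tree and verify the generated header.
# Assumes the NRPE 2.x layout named in the post: configure, src/nrpe.c, include/dh.h.
set -eu

# Portable in-place sed (no GNU -i): $1 = sed expression, $2 = file
sed_inplace() {
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Rewrite the hard-coded 512-bit references in configure and src/nrpe.c.
# $1 = source dir, $2 = desired DH size in bits (e.g. 1024)
patch_dh_refs() {
    dir=$1; bits=$2
    sed_inplace "s/dhparam -C 512/dhparam -C ${bits}/" "$dir/configure"
    sed_inplace "s/get_dh512()/get_dh${bits}()/" "$dir/src/nrpe.c"
}

# Regenerate include/dh.h the way configure does: openssl prints the C code
# followed by a PEM block, and awk stops at the first "-----" line.
gen_dh_header() {
    dir=$1; bits=$2
    openssl dhparam -C "$bits" | awk '/^-----/ {exit} {print}' > "$dir/include/dh.h"
}

# Print the DH size compiled into a dh.h by parsing its get_dhNNNN( function name
# (matches both the old "get_dh1024()" and the newer "get_dh1024(void)" forms).
dh_header_bits() {
    sed -n 's/.*get_dh\([0-9][0-9]*\)(.*/\1/p' "$1" | head -n 1
}

# Exit 0 when dh.h meets the minimum size, 1 otherwise.
# $1 = path to dh.h, $2 = minimum bits (FIPS mode rejected 512 on the poster's host)
check_dh_header() {
    bits=$(dh_header_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}
```

Run patch_dh_refs and gen_dh_header against the source tree, then check_dh_header include/dh.h 1024 before rpmbuild; a non-zero exit means the header still carries a size FIPS mode will refuse.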