NRPE cipher list woes

Mickoloh
Posts: 1
Joined: Tue Sep 15, 2020 11:07 am

Post by Mickoloh »

Greetings. I'm having some infernal issues with something that should be really easy, I think, so my assumption at this point is PEBCAK, but I will defer to the community to pass judgement. :)

Anyway, I'm being told that my NRPE agents/clients are susceptible to SWEET32, i.e. 64-bit ciphers, right? Trying to fix this issue is getting me nowhere fast.

My server is RHEL7, check_nrpe v4.0.3
My client is RHEL8, nrpe v4.0.3

Here's what my ssl info looks like on my NRPE client:

# grep ssl nrpe.cfg  | grep -v ^#
ssl_version=TLSv1.2+

My Nagios server sees this:

# ./check_nrpe -H <redacted>
NRPE v4.0.3

Also:

# nmap -sV --script ssl-enum-ciphers -p 5666 <redacted>

Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-15 16:16 UTC
Nmap scan report for <redacted>
Host is up (0.00033s latency).
PORT     STATE SERVICE   VERSION
5666/tcp open  ssl/nrpe?
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - broken
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - broken
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - broken
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - broken
|     compressors:
|       NULL
|_  least strength: broken
MAC Address: <redacted>

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.70 seconds

Modifying my nrpe.cfg to echo what's supposedly default:

# grep ssl nrpe.cfg  | grep -v ^#
ssl_version=TLSv1.2+
ssl_cipher_list=ALL:!MD5:@STRENGTH

renders

# ./check_nrpe -H <redacted>
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with <redacted>: 1

and

# nmap -sV --script ssl-enum-ciphers -p 5666 <redacted>

Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-15 16:21 UTC
Nmap scan report for <redacted>
Host is up (0.00028s latency).
PORT     STATE SERVICE   VERSION
5666/tcp open  ssl/nrpe?
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|_  TLSv1.2: No supported ciphers found
MAC Address: <redacted>

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

Obviously I'm missing something, and I really hope it's one of those "well duh" things; if so, I do apologize and will gratefully accept rebuke, but I seem stuck! I have read the docs at OpenSSL, but I can't seem to adapt the information there to anything that works.

Thank you kindly in advance!
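Added example, not from the post or from the Nagios/NRPE project: a small Python parser for nmap's ssl-enum-ciphers output that names, per offered suite, why a scanner reports it, either a 64-bit block cipher (the SWEET32 finding) or an anonymous DH key exchange that gives check_nrpe no way to verify it reached the real agent. The sample input is the post's own first scan, embedded as a constant; the suite-name tags are assumptions about IANA names and cover suites beyond the ones shown above.

```python
import re

# Constructed sample: the ssl-enum-ciphers block from the post's first scan, trimmed to three suites.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - broken
|     compressors:
|       NULL
|_  least strength: broken
"""
# IANA suite-name fragments for the two problems behind the scanner's verdict: 64-bit block
# ciphers (SWEET32) and anonymous key exchange, which leaves the agent unauthenticated. Assumed tags.
REASONS = {
    "3DES": "64-bit block cipher (SWEET32)",
    "DES_CBC": "64-bit block cipher (SWEET32)",
    "DH_anon": "anonymous key exchange, no server authentication",
    "ECDH_anon": "anonymous key exchange, no server authentication",
}
# nmap prefixes every script line with "|" and the last one with "|_".
PROTO_RE = re.compile(r"^\|_?\s+(SSLv\d|TLSv[\d.]+):")
SUITE_RE = re.compile(r"^\|_?\s+(TLS_\S+)\s+-\s+(\S+)")


def parse_ssl_enum_ciphers(text):
    """Map each protocol version to its [(suite, nmap grade)] list; empty when none offered."""
    offered, proto = {}, None
    for line in text.splitlines():
        p, s = PROTO_RE.match(line), SUITE_RE.match(line)
        if p:
            proto = p.group(1)
            offered.setdefault(proto, [])
        elif s and proto is not None:
            offered[proto].append((s.group(1), s.group(2)))
    return offered


def assess(offered):
    """Return [(protocol, suite, sorted reasons)] for every offered suite matching a REASONS tag."""
    findings = []
    for proto, suites in offered.items():
        for suite, _grade in suites:
            reasons = sorted({why for tag, why in REASONS.items() if tag in suite})
            if reasons:
                findings.append((proto, suite, reasons))
    return findings
```

Run against the second scan in the post (every protocol "No supported ciphers found") it returns empty suite lists and no findings, which matches the handshake failure check_nrpe reports rather than a hardened agent.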