NRPE cipher list woes
Posted: Tue Sep 15, 2020 11:27 am
Greetings. I'm having some infernal issues with something that should be really easy, I think, so my assumption at this point is PEBCAK, but I will defer to the community to pass judgement. 
Anyway - I'm being told that my NRPE agents/clients are susceptible to SWEET32, i.e. 64-bit ciphers right? Trying to fix this issue is getting me nowhere fast.
My server is RHEL7, check_nrpe v4.0.3
My client is RHEL8, nrpe v4.0.3
Here's what my ssl info looks like on my NRPE client:

Code:
# grep ssl nrpe.cfg | grep -v ^#
ssl_version=TLSv1.2+

My nagios server sees this:

Code:
# ./check_nrpe -H <redacted>
NRPE v4.0.3

Also:

Code:
# nmap -sV --script ssl-enum-ciphers -p 5666 <redacted>
Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-15 16:16 UTC
Nmap scan report for <redacted>
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
5666/tcp open ssl/nrpe?
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
| TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 - broken
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 - broken
| TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_DH_anon_WITH_AES_256_CBC_SHA256 - broken
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 - broken
| compressors:
| NULL
|_ least strength: broken
MAC Address: <redacted>
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.70 seconds

Modifying my nrpe.cfg to echo what's supposedly default:

Code:
# grep ssl nrpe.cfg | grep -v ^#
ssl_version=TLSv1.2+
ssl_cipher_list=ALL:!MD5:@STRENGTH

renders

Code:
# ./check_nrpe -H <redacted>
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with <redacted>: 1

and

Code:
# nmap -sV --script ssl-enum-ciphers -p 5666 <redacted>
Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-15 16:21 UTC
Nmap scan report for <redacted>
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
5666/tcp open ssl/nrpe?
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
|_ TLSv1.2: No supported ciphers found
MAC Address: <redacted>
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

Obviously I'm missing something, and I really hope it's one of those "well duh" things, and if so, I do apologize and will gratefully accept rebuke, but I seem stuck! I have read the docs at openssl, but I can't seem to adapt the information there to anything that works.
Thank you kindly in advance!
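
Added example, not part of the original post and not Nagios or Nmap code: a small audit of ssl-enum-ciphers output that separates the suites relevant to SWEET32 (64-bit block ciphers such as 3DES) from those flagged only because the key exchange is anonymous. The function names are assumptions made for this example, and the sample input is the script section of the first scan in the post.

```python
import re
# Sample input: the ssl-enum-ciphers section of the first scan in the post.
SCAN = """\
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
| TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 - broken
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 - broken
| TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_DH_anon_WITH_AES_256_CBC_SHA256 - broken
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 - broken
| compressors:
| NULL
|_ least strength: broken
"""
# Bulk-cipher tokens with a 64-bit block size (the SWEET32 class).
BLOCK64 = {"3DES", "DES", "DES40", "IDEA", "RC2"}
PROTO_RE = re.compile(r"^\|_?\s*((?:SSLv|TLSv)[0-9.]+):")
SUITE_RE = re.compile(r"\b((?:TLS|SSL)_[A-Za-z0-9_]+)\b")

def classify_suite(name):
    """Return the findings for one IANA-style cipher suite name."""
    kx, _, bulk = name.partition("_WITH_")
    findings = set()
    if "_anon" in kx:
        findings.add("anonymous-kx")      # key exchange without peer authentication
    if BLOCK64 & set(bulk.split("_")):
        findings.add("64-bit-block")      # birthday-bound collisions (SWEET32)
    return findings

def audit_scan(text):
    """Map protocol -> {suite: findings}, keeping only suites with findings."""
    report, proto = {}, None
    for line in text.splitlines():
        header = PROTO_RE.match(line)
        suite = SUITE_RE.search(line)
        if header:
            proto = header.group(1)       # e.g. "TLSv1.2"; suites below belong to it
        elif suite and proto and classify_suite(suite.group(1)):
            report.setdefault(proto, {})[suite.group(1)] = classify_suite(suite.group(1))
    return report

def sweet32_suites(report):
    return sorted(s for suites in report.values() for s, f in suites.items() if "64-bit-block" in f)

if __name__ == "__main__":
    print(sweet32_suites(audit_scan(SCAN)))
```

On the first scan this reports one 64-bit suite out of seven, while all seven carry the anonymous key exchange finding, so the two issues can be tracked separately when re-scanning after a configuration change.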