about the "dh key too small" error

Posted: Wed Oct 14, 2020 5:46 am
by racheltravis
Hi all,

Could anyone advise me on how to fix this problem? I have obtained quite a lot of information from my configuration but am now running out of ideas for a solution. All systems are Unix. Mostly Linux with a few Solaris. I have two Nagios servers: A long standing system running SLC6 (a variant of Centos 6) and a new one running Centos 8. Both are running nrpe-plugins vers. 4.0.3 and both use check_nrpe to check clients.

I have a large set of clients running the nrpe daemon. Mostly they run SLC6 and Centos 7 and both Nagios servers can access them using check_nrpe. There are a few older clients, running SLC5 (a variant of Centos 5) and some old Solaris boxes. The SLC6 server can access their clients but the new Centos 8 one's check_nrpe probes fail with the above error -- this is despite both servers running the same version of check_nrpe (4.0.3).

My suspicions turned to the openssl configuration on the Centos 8 server, so I changed its system-wide crypto policy in /etc/crypto-policies/config from DEFAULT to LEGACY, ran 'update-crypto-policies --set' and rebooted to update the back-ends, but it made no difference. Centos 8 has openssl-1.1.1c and SLC6 has openssl-1.0.1e.

I tried running,

/usr/lib64/nagios/plugins/check_nrpe --ssl-logging=-1 -H slc5-system-client-hostname -c check_load
on both servers. On the SLC6 server the logs report,

Aug 28 18:29:10 slc6-server check_nrpe: SSL Certificate File: None
Aug 28 18:29:10 slc6-server check_nrpe: SSL Private Key File: None
Aug 28 18:29:10 slc6-server check_nrpe: SSL CA Certificate File: None
Aug 28 18:29:10 slc6-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH
Aug 28 18:29:10 slc6-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:29:10 slc6-server check_nrpe: SSL Log Options: 0xffffffff
Aug 28 18:29:10 slc6-server check_nrpe: SSL Version: TLSv1_plus And Above
Aug 28 18:29:10 slc6-server check_nrpe: Connected to XXX.XXX.XXX.XXX
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - SSL Version: TLSv1
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Aug 28 18:29:10 slc6-server check_nrpe: SSL Did not get certificate from XXX.XXX.XXX.XXX
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX accepted a version 2 packet
On the Centos 8 server I get,

Aug 28 18:32:25 centos8-server check_nrpe: SSL Certificate File: None
Aug 28 18:32:25 centos8-server check_nrpe: SSL Private Key File: None
Aug 28 18:32:25 centos8-server check_nrpe: SSL CA Certificate File: None
Aug 28 18:32:25 centos8-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
Aug 28 18:32:25 centos8-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:32:25 centos8-server check_nrpe: SSL Log Options: 0xffffffff
Aug 28 18:32:25 centos8-server check_nrpe: SSL Version: TLSv1_plus And Above
Aug 28 18:32:25 centos8-server check_nrpe: Connected to XXX.XXX.XXX.XXX
Aug 28 18:32:25 centos8-server check_nrpe: Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with XXX.XXX.XXX.XXX: dh key too small
I also tried watching the network traffic between the servers and clients with wireshark using 'tshark -d tcp.port==5666,ssl'. For the SLC6 server, the difference it shows between the problem/older clients and the others is that with the newer clients the TLSv1.2 protocol is used, whereas the older clients use TLSv1.

Suspecting the older clients might actually only be accepting a 512 byte DH key, I tried hacking the check_nrpe source code, which creates a 2048 byte key by default, to force it to create a 512 byte one. However, it made no difference. This was not altogether unexpected, since the SLC6 server's check_nrpe also creates a 2048 byte key, but I thought it worth a try.

I tried various other random things on the Centos 8 server check_nrpe command line but w/o success, including '-2' and '-3' for the older nrpe packet types, stipulating various SSL protocols ('--ssl-version=TLSv1', '--ssl-version=TLSv1+', '--ssl-version=SSLv3+') and various incantations of cipher list, e.g. '--cipher-list=DEFAULT:!DH'. Incidentally, trying '--ssl-version=SSLv3+' on the older SLC6 server also fails with the same SSL handshake error -- I expect because the SSLv3 protocol is rightly also disabled there for security reasons.

I particularly don't want to have to tamper with/upgrade the older clients' nrpe daemons, particularly not the Solaris systems, but some time back I did try temporarily turning off SSL on one SLC5 client's nrpe daemon and using 'check_nrpe -n' on the Centos 8 server, which did work.

Instead I really want to get the Centos 8 server (a dev-system which is intended to replace the SLC6 server) to work with the clients as the SLC6 server does.

As mentioned above, I am running out of ideas for things to try.

Any thoughts?

Best regards.
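The two log excerpts in the post point at the security-level check that OpenSSL 1.1.x applies to a server's ephemeral DH parameters: the Centos 8 side is already running with @SECLEVEL=0, yet still reports "dh key too small". The script below is an added example, not code from the post and not part of NRPE or Nagios. It models OpenSSL 1.1.x's default security callback as the author of this example recalls it (BN_security_bits() thresholds, the per-level minimums, and the rule that ephemeral DH below 1024 bits is refused even at level 0), and parses the check_nrpe log lines quoted above to show which cipher was negotiated on the working side. Function names, the SAMPLE_LOG constant and the assumed default level of 1 are this example's own.

```python
"""Model of OpenSSL 1.1.x's ephemeral-DH security-level check, applied to
the check_nrpe --ssl-logging output quoted in the post.

Added example; assumes the thresholds below match BN_security_bits() and
ssl_security_default_callback() in OpenSSL 1.1.x.
"""
import re

# Minimum security bits each @SECLEVEL demands (assumed OpenSSL 1.1.x values).
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# check_nrpe log lines copied from the working (SLC6) server in the post.
SAMPLE_LOG = """\
Aug 28 18:29:10 slc6-server check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH
Aug 28 18:29:10 slc6-server check_nrpe: SSL Allow ADH: 1
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - SSL Version: TLSv1
Aug 28 18:29:10 slc6-server check_nrpe: Remote XXX.XXX.XXX.XXX - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
"""


def dh_security_bits(modulus_bits: int) -> int:
    """Security strength OpenSSL assigns to a finite-field DH modulus of
    the given length (mirrors BN_security_bits for L-bit p)."""
    if modulus_bits >= 15360:
        return 256
    if modulus_bits >= 7680:
        return 192
    if modulus_bits >= 3072:
        return 128
    if modulus_bits >= 2048:
        return 112
    if modulus_bits >= 1024:
        return 80
    return 0


def tmp_dh_allowed(modulus_bits: int, seclevel: int) -> bool:
    """Would OpenSSL accept a server's ephemeral DH key of this size at
    this security level?  Level 0 permits everything except ephemeral DH
    giving fewer than 80 security bits (i.e. a modulus under 1024 bits);
    that refusal is what surfaces as the 'dh key too small' error."""
    bits = dh_security_bits(modulus_bits)
    if seclevel <= 0:
        return bits >= 80
    return bits >= SECLEVEL_MIN_BITS[min(seclevel, 5)]


def seclevel_from_cipher_list(cipher_list: str) -> int:
    """Read @SECLEVEL=n out of an OpenSSL cipher string.  The compiled-in
    default of OpenSSL 1.1.x is level 1 (assumed here; a distribution's
    crypto policy may raise it)."""
    m = re.search(r"@SECLEVEL=(\d+)", cipher_list)
    return int(m.group(1)) if m else 1


def handshake_outcome(server_dh_bits: int, cipher_list: str) -> str:
    """Predict the client-side verdict on the server's DHE parameters."""
    level = seclevel_from_cipher_list(cipher_list)
    return "ok" if tmp_dh_allowed(server_dh_bits, level) else "dh key too small"


def cipher_from_log(log_text: str):
    """Pull the negotiated cipher out of check_nrpe's ssl-logging lines and
    flag anonymous DH suites (ADH-*), which give no server authentication."""
    m = re.search(r"Cipher is (\S+)", log_text)
    if not m:
        return None, False
    cipher = m.group(1)
    return cipher, cipher.startswith("ADH-")


if __name__ == "__main__":
    print("cipher on working server:", cipher_from_log(SAMPLE_LOG))
    for bits in (512, 1024, 2048):
        for level in (0, 1, 2):
            print(f"DH {bits:4d} bits @SECLEVEL={level}: "
                  f"{'accepted' if tmp_dh_allowed(bits, level) else 'refused'}")
    print("post's Centos 8 cipher list, 512-bit server DH:",
          handshake_outcome(512, "ALL:!MD5:@STRENGTH:@SECLEVEL=0"))
```

Running it shows the property that matters for the diagnosis: a 512-bit DH modulus is refused at every level, including the @SECLEVEL=0 that the Centos 8 log already reports, while 1024 bits passes at level 0 and 1 and 2048 bits passes at level 2. If the older daemons send sub-1024-bit parameters, no client-side cipher string on an OpenSSL 1.1.x host will accept them. The log parse also makes visible that the working handshake uses an anonymous (ADH) suite, so those checks are encrypted but the monitored host is not authenticated; any fix that keeps this arrangement should be weighed with that in mind.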