
Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Thu Mar 25, 2021 4:07 pm
by aastaguy
Hello, I saw an article where Nagios XI only supports TLS 1.0. I was hoping to switch it to something more relevant and secure like TLS 1.2 or 1.3.

Do you know if this is possible or supported?

Thanks!

Ryan

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Fri Mar 26, 2021 1:55 pm
by dchurch
The version of TLS negotiated is determined by the version of OpenSSL on both the client and the server machines. When making connections, Nagios XI tries not to dictate what TLS version SSL connections happen with, instead allowing protocol and cipher negotiation to happen automatically wherever possible.

Actually, the protocols used for incoming SSL connections (including those to the API and the passive check listener) would be up to Apache's configuration. Apache has a good document on how to set your server's SSL protocol and cipher suite negotiation settings for maximum security: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

TLS 1.3 has been available since OpenSSL 1.1.0, so if your installed version of OpenSSL is 1.1.0 or later, you have TLS 1.3 support. CentOS 8 has this installed, but Cent7 doesn't. Our Nagios XI VMware images are built on top of CentOS 7.

TLS 1.2 has been available for far longer (~2013), and is supported in all the default versions of OpenSSL that ship with every distro we support.

Check what version you have installed using the following command:

openssl version

What article said we didn't support TLS 1.2, and when was it written?

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Fri Mar 26, 2021 4:17 pm
by aastaguy
Hi,

Thanks for the response. I realized in my first response I may have not given enough information. The issue I am having is when my Nagios server sends email notifications out: under the security settings, I have none, tls, and ssl. I pick tls, and when we do a Wireshark pcap, it comes across as TLS 1.0. I did read that the TLS version for email notifications is dictated by the version of PHPMailer that we have, which according to another Nagios forum article is outdated. I am going to try and update PHPMailer to 7.2 and see if that fixes it.

My apologies for any confusion; does this sound right to you?

Thanks!

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Fri Mar 26, 2021 4:29 pm
by dchurch
TLS 1.3 would need to be supported (and configured) on the mail server running at the SMTP server address you give it.

Encrypted communication to mail servers is typically one of two routes:
1. SSL connection on port 465 or 587.
2. Plaintext connection on port 25 where TLS encryption is negotiated in plaintext via a "STARTTLS" command.

What's the full output from the following commands?

openssl s_client -tls1_3 -connect <MAIL SERVER ADDRESS>:465 </dev/null
openssl s_client -tls1_3 -connect <MAIL SERVER ADDRESS>:587 </dev/null

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Fri Mar 26, 2021 5:03 pm
by aastaguy
bash: MAIL: No such file or directory

But we are doing TLS over 25, so I think this makes sense, right?

Thanks!

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Fri Mar 26, 2021 5:34 pm
by dchurch
I meant, replace "<MAIL SERVER ADDRESS>" with the host name or IP address of the host you have Nagios XI set up to connect over SMTP to send mail, and run those commands.

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Mon Mar 29, 2021 11:30 am
by aastaguy
Oh Gosh, my bad. If I replace that with my mail server address, I get a syntax error. It looks like the TLS1_3 does not exist as a command, but TLS1_2 does. If I run that, I get the following output on both ports.

[ryanc@monitor-new ~]$ openssl s_client -tls1_2 -connect MYMAILSERVER:587 </dev/null
CONNECTED(00000003)
140357726160784:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1617035247
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Mon Mar 29, 2021 4:29 pm
by dchurch
What happens if you run this command (removing "-tls1_2")?

openssl s_client -connect MYMAILSERVER:587

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Mon Mar 29, 2021 5:04 pm
by aastaguy
CONNECTED(00000003)
140158444750736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1617055435
Timeout : 300 (sec)
Verify return code: 0 (ok)
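
As an added example (not code from this thread or from Nagios), a small Python helper for the two things this exchange turns on: reading an s_client transcript like the two pasted above, where `Cipher : 0000` plus a `wrong version number` or `unknown protocol` error means no TLS handshake happened because the port answered in plaintext and expects STARTTLS, and probing the notification path's STARTTLS upgrade with a floor on the TLS version. The sample transcript is constructed from the one above; host and port values are placeholders.

```python
"""Added helper: interpret `openssl s_client` output and probe SMTP STARTTLS."""
import re
import smtplib
import ssl

# Constructed sample, modelled on the failed handshake pasted in the thread
# (the port answered with a plaintext SMTP banner, so no TLS record was read).
SAMPLE_OUTPUT = """CONNECTED(00000003)
140357726160784:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

def interpret_s_client(output: str) -> dict:
    """Summarise an s_client transcript. `Protocol` under SSL-Session is only
    meaningful when a cipher was agreed; with `Cipher : 0000` it just echoes
    what the client offered (here the -tls1_2 flag)."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    # OpenSSL error line: ...:error:<hex>:SSL routines:<function>:<reason>:...
    err = re.search(r":error:[0-9A-Fa-f]+:SSL routines:[^:]*:([^:]+):", output)
    reason = err.group(1) if err else None
    ok = bool(cipher) and cipher.group(1) != "0000"
    return {
        "handshake_ok": ok,
        "protocol": proto.group(1) if ok and proto else None,
        "cipher": cipher.group(1) if ok else None,
        "error": reason,
        # Both reasons seen in the thread mean the server sent something that
        # was not TLS first: the port wants STARTTLS, not an implicit-TLS connect.
        "needs_starttls": reason in {"wrong version number", "unknown protocol"},
    }

def probe_starttls(host: str, port: int = 25,
                   minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                   timeout: float = 10) -> str:
    """Plaintext SMTP, then STARTTLS with a minimum TLS version. Returns the
    negotiated version (e.g. 'TLSv1.2') or raises ssl.SSLError if the server
    cannot meet `minimum`; this is the same upgrade the "tls" setting performs."""
    ctx = ssl.create_default_context()   # also verifies the server certificate
    ctx.minimum_version = minimum
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.version()
```

Run `probe_starttls("MYMAILSERVER", 25, ssl.TLSVersion.TLSv1_3)` to learn whether the relay can do TLS 1.3 at all; an `ssl.SSLError` there (with TLSv1_2 succeeding) pins the ceiling on the server side rather than on PHPMailer.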

Re: Nagios XI 5.8.2 TLS 1.2/1.3 Support

Posted: Tue Mar 30, 2021 9:06 am
by dchurch
What's the output from this?:

openssl s_client -starttls smtp -connect POSTFIXSERVER:25 </dev/null

Also, is your XI server IP whitelisted to send mail on the Postfix server?