nrpe and "Insecure SSL ciphers (DH512 Bit)" cause failed connection on Ubuntu Linux 14 #30
Comments
We can handle the NRPE side, but NSClient++ is a third-party project that we have no control over. In regards to NRPE, this has been addressed in at least the following PRs: and possibly elsewhere. @jfrickson and I are discussing this internally and will be taking action likely some time after the conference.
Thank you,
Posted the Nsclient++ Part of the question to
Just a heads-up, @jfrickson sent me some literature to review regarding SSL and NRPE, so we're definitely still working on this!
Hi,
To be able to use ciphers more configurable I have added the new argument "-C" for ./check_nrpe.
/usr/lib/nagios/plugins/check_nrpe -H 10.10.0.155 -p 5666 -C DHE-RSA-AES256-GCM-SHA384
These are the changes I have done.
sudo diff -u check_nrpe_original.c check_nrpe_fertig.c
Best Regards,
I have a complete and backward-compatible update for SSL/TLS in https://github.com/NagiosEnterprises/nrpe/tree/nrpe-2-16-RC2 Please read the README.SSL.md file.
Hi,
I am using check_nrpe command from version nrpe-2.15 together
with Ubuntu Linux 14 together with NSclient++ (version NSCP-0.4.3.143-x64.msi)
Because in openssl on ubuntu the length of DH Parameters must be > 768 Bits
(See https://wiki.ubuntu.com/SecurityTeam/Kn ... ase/LogJam for example)
this configuration stopped working, because nrpe-2.15 and NSCP-0.4.3.143-x64.msi use DH parameters
of length 512 Bits.
To fix my problems
//SSL_CTX_set_cipher_list(ctx,"ADH");
SSL_CTX_set_cipher_list(ctx,"DHE-RSA-AES256-GCM-SHA384");
and got a working setup:
unilab@sattelit01:~/nrpe_plugin/nrpe-2.15/src$ ./check_nrpe -H 10.100.1.21
I (0.4.3.143 2015-04-29) seem to be doing fine...
Question: I think there is a general need to reflect the "disable insecure ciphers in SSL libraries"
to the nrpe-client and server by using "secure" ciphers or making the choosing of used ciphers
more configurable.
Can this be done in upstream?
Best Regards,
Achim
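
An added example (not from this thread, nor from the NRPE or NSClient++ code): a small auditor that reads a PEM `DH PARAMETERS` block, the format written by `openssl dhparam`, and reports the size of the prime, so 512-bit parameters like those described in this issue can be spotted before a patched OpenSSL refuses the handshake. The function names, the constructed sample parameters (right size only, not real primes) and the inclusive 768-bit default are assumptions.

```python
import base64

def _read_tlv(buf, pos, tag):
    """Read one DER element at pos; return (content_bytes, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    body = pem_text.split("-----BEGIN DH PARAMETERS-----")[1].split("-----END")[0]
    der = base64.b64decode("".join(body.split()))
    seq, _ = _read_tlv(der, 0, 0x30)        # DHParameter ::= SEQUENCE { p, g, ... }
    p_bytes, _ = _read_tlv(seq, 0, 0x02)    # first INTEGER is the prime p
    # DER prepends a 0x00 sign byte when the top bit of p is set, so
    # len(p_bytes) * 8 would over-report (520 for a 512-bit prime).
    return int.from_bytes(p_bytes, "big").bit_length()

def check_dh_params(pem_text, min_bits=768):
    """Return (bits, ok). Treating exactly min_bits as acceptable is an assumption."""
    bits = dh_prime_bits(pem_text)
    return bits, bits >= min_bits

def _der(tag, content):
    """Helper used only to build the constructed sample input below."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def make_sample_pem(bits):
    """Constructed sample: p has the requested size (multiple of 8) but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    seq = _der(0x30, _der(0x02, p.to_bytes(bits // 8 + 1, "big")) + _der(0x02, b"\x02"))
    b64 = base64.encodebytes(seq).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for size in (512, 2048):
        print(size, check_dh_params(make_sample_pem(size)))
```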