
nrpe and "Insecure SSL ciphers (DH512 Bit)" cause failed connection on Ubuntu Linux 14 #30

Closed
grolms opened this issue Sep 25, 2015 · 6 comments

@grolms

grolms commented Sep 25, 2015

Hi,

I am using check_nrpe command from version nrpe-2.15 together
with Ubuntu Linux 14 together with NSclient++ (version NSCP-0.4.3.143-x64.msi)

Because in openssl on ubuntu the length of DH Parameters must be > 768 Bits
(See https://wiki.ubuntu.com/SecurityTeam/Kn ... ase/LogJam for example)
this configuration stopped working, because nrpe-2.15 and NSCP-0.4.3.143-x64.msi use DH parameters
of length 512 Bits.

To fix my problems

  1. I changed on NSclient++ the File security\nrpe_dh_512.pem to a 1024 Bit Version using "openssl dhparam -C 1024"
  2. I changed in the source tree of nrpe-2.15 the file check_nrpe.c to make use of the cipher the command "openssl s_client" did in the test connection handshake.

//SSL_CTX_set_cipher_list(ctx,"ADH");
SSL_CTX_set_cipher_list(ctx,"DHE-RSA-AES256-GCM-SHA384");

and got a working setup:

unilab@sattelit01:~/nrpe_plugin/nrpe-2.15/src$ ./check_nrpe -H 10.100.1.21
I (0.4.3.143 2015-04-29) seem to be doing fine...

Question: I think there is a general need to reflect the "disable insecure ciphers in SSL libraries"
to the nrpe client and server by using "secure" ciphers or making the choice of used ciphers
more configurable.

Can this be done in upstream?

Best Regards,
Achim
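
One way to check an NRPE or NSClient++ endpoint for the two problems this report describes (an anonymous "ADH" suite and a 512-bit DH group), as an added Python example that is not part of the issue: it parses the `Server Temp Key` and `Cipher is` lines of `openssl s_client -connect host:5666 -cipher ALL:COMPLEMENTOFALL` output (OpenSSL 1.0.2 and later print the temp-key line; the transcripts below are constructed, not captured) and flags what the LogJam-patched OpenSSL would reject.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds from the Ubuntu LogJam advisory the report links: the patched
# OpenSSL rejects DH groups below 768 bits; 1024 is what both fixes above used.
MIN_DH_BITS = 768
RECOMMENDED_DH_BITS = 1024

# Name fragments OpenSSL uses for anonymous (unauthenticated) key exchange,
# which is what check_nrpe's old SSL_CTX_set_cipher_list(ctx, "ADH") selects.
ANON_MARKERS = ("ADH", "AECDH", "DH-anon", "ECDH-anon")

@dataclass
class HandshakeReport:
    cipher: Optional[str]      # negotiated suite, None if the handshake failed
    anonymous: bool            # True if the suite authenticates nobody
    dh_bits: Optional[int]     # ephemeral DH group size, None if not DH / not printed
    findings: List[str] = field(default_factory=list)

def parse_s_client(output: str) -> HandshakeReport:
    """Classify one `openssl s_client` transcript against the thresholds above."""
    m = re.search(r"Cipher is (\S+)", output)
    cipher = m.group(1) if m and m.group(1) != "(NONE)" else None
    anonymous = cipher is not None and any(tag in cipher for tag in ANON_MARKERS)
    dh_bits = None
    k = re.search(r"Server Temp Key:\s*(\w+),.*?(\d+) bits", output)
    if k and k.group(1) == "DH":   # only classic DH groups matter for LogJam
        dh_bits = int(k.group(2))
    report = HandshakeReport(cipher, anonymous, dh_bits)
    if cipher is None:
        report.findings.append("handshake failed: no suite negotiated (cipher list or DH size mismatch)")
    if anonymous:
        report.findings.append(f"{cipher}: anonymous key exchange, server identity is never verified")
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        report.findings.append(f"DH group is {dh_bits} bits (< {MIN_DH_BITS}), rejected by LogJam-patched OpenSSL")
    elif dh_bits is not None and dh_bits < RECOMMENDED_DH_BITS:
        report.findings.append(f"DH group is {dh_bits} bits, below the recommended {RECOMMENDED_DH_BITS}")
    return report

# Constructed transcripts (hypothetical, not captured from the reporter's hosts):
OLD_NRPE = "Server Temp Key: DH, 512 bits\nNew, TLSv1/SSLv3, Cipher is ADH-AES256-SHA\n"
FIXED = "Server Temp Key: DH, 1024 bits\nNew, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384\n"

if __name__ == "__main__":
    for name, text in (("old ADH setup", OLD_NRPE), ("after the 1024-bit/DHE fix", FIXED)):
        print(name, parse_s_client(text).findings)
```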

@tmcnag
Contributor

tmcnag commented Sep 25, 2015

We can handle the NRPE side, but NSClient++ is a third-party project that we have no control over.

In regards to NRPE, this has been addressed in at least the following PRs:

#20
#22
#26

and possibly elsewhere. @jfrickson and I are discussing this internally and will be taking action likely some time after the conference.

@grolms
Author

grolms commented Sep 25, 2015

Thank you,
please let me know if you want me to do some testing-work.

@grolms
Author

grolms commented Sep 25, 2015

@jfrickson jfrickson self-assigned this Oct 27, 2015
@tmcnag
Contributor

tmcnag commented Nov 4, 2015

Just a heads-up, @jfrickson sent me some literature to review regarding SSL and NRPE, so we're definitely still working on this!

@Alonso42

Alonso42 commented Nov 9, 2015

Hi,

To be able to make ciphers more configurable I have added the new argument "-C" for ./check_nrpe.

/usr/lib/nagios/plugins/check_nrpe -H 10.10.0.155 -p 5666 -C DHE-RSA-AES256-GCM-SHA384
I (0.4.3.143 2015-04-29) seem to be doing fine...

These are the changes I have done.

sudo diff -u check_nrpe_original.c check_nrpe_fertig.c

--- check_nrpe_original.c       2015-11-06 13:10:04.148081438 +0100
+++ check_nrpe_fertig.c 2015-11-09 08:13:29.646154700 +0100
@@ -27,6 +27,7 @@
 u_short server_port=DEFAULT_SERVER_PORT;
 char *server_name=NULL;
 char *bind_address=NULL;
+char *cipher_list="DHE-RSA-AES256-GCM-SHA384";
 struct sockaddr_storage hostaddr;
 int address_family=AF_UNSPEC;
 char *command_name=NULL;
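Review bot: the new default `char *cipher_list="DHE-RSA-AES256-GCM-SHA384";` pins the client to a single DHE-RSA suite, which only negotiates against a server that presents an RSA certificate and speaks TLS 1.2, so a stock nrpe daemon still running the old ADH configuration fails the handshake unless the operator passes `-C ADH`. Consider a family string such as `HIGH:!aNULL` as the default and call the compatibility change out in the help text and release notes.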
@@ -91,7 +92,7 @@

        if(result!=OK || show_help==TRUE){

-               printf("Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]\n");
+               printf("Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>] [-C <Chipher_List>]\n");
                printf("\n");
                printf("Options:\n");
                printf(" -n         = Do no use SSL\n");
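Review bot: typo in the new usage line, `[-C <Chipher_List>]` should read `[-C <cipher_list>]`; this string is what users see first when the option is mis-typed.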
@@ -100,6 +101,7 @@
                printf(" <bindaddr> = bind to local address\n");
                printf(" -4         = user ipv4 only\n");
                printf(" -6         = user ipv6 only\n");
+               printf(" -C         = Cipher List\n");
                printf(" [port]     = The port on which the daemon is running (default=%d)\n",DEFAULT_SERVER_PORT);
                printf(" [timeout]  = Number of seconds before connection times out (default=%d)\n",DEFAULT_SOCKET_TIMEOUT);
                printf(" [command]  = The name of the command that the remote daemon should run\n");
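Review bot: the help entry `-C = Cipher List` should name the argument and the default, e.g. ` -C <ciphers> = OpenSSL cipher list (default: DHE-RSA-AES256-GCM-SHA384)`, because the default in this patch is no longer the ADH that earlier releases used and operators need to know why a previously working check now fails to handshake.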
@@ -165,22 +167,24 @@
        /* do SSL handshake */
        if(result==STATE_OK && use_ssl==TRUE){
                if((ssl=SSL_new(ctx))!=NULL){
-                       SSL_CTX_set_cipher_list(ctx,"ADH");
-                       SSL_set_fd(ssl,sd);
-                       if((rc=SSL_connect(ssl))!=1){
-                               printf("CHECK_NRPE: Error - Could not complete SSL handshake.\n");
-#ifdef DEBUG
-                               printf("SSL_connect=%d\n",rc);
-                               /*
-                               rc=SSL_get_error(ssl,rc);
-                               printf("SSL_get_error=%d\n",rc);
-                               printf("ERR_get_error=%lu\n",ERR_get_error());
-                               printf("%s\n",ERR_error_string(rc,NULL));
-                               */
+                       if (SSL_CTX_set_cipher_list(ctx,cipher_list) == 1) {
+                               SSL_set_fd(ssl,sd);
+                                if((rc=SSL_connect(ssl))!=1){
+                                        printf("CHECK_NRPE: Error - Could not complete SSL handshake.\n");
+                                        printf("SSL_connect=%d\n",rc);
+                                        rc=SSL_get_error(ssl,rc);
+                                        printf("SSL_get_error=%d\n",rc);
+                                        printf("ERR_get_error=%lu\n",ERR_get_error());
+                                        printf("%s\n",ERR_error_string(rc,NULL));
+                                        ERR_print_errors_fp(stdout);
+                                        result=STATE_CRITICAL;
+                                        }
+                       }
+                        else {
                                ERR_print_errors_fp(stdout);
-#endif
-                               result=STATE_CRITICAL;
-                               }
+                                printf("SSL_CTX_set_cipher_list failed with cipher list <%s> \n",cipher_list);
+                                result=STATE_CRITICAL;
+                               }
                        }
                else{
                        printf("CHECK_NRPE: Error - Could not create SSL connection structure.\n");
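Review bot: two problems in the new failure path. First, the diagnostics that used to sit under `#ifdef DEBUG` now always print to stdout, which is the plugin output Nagios parses, so a handshake failure emits several lines instead of one status line; keep them behind the debug guard or send them to stderr. Second, `printf("%s\n",ERR_error_string(rc,NULL));` passes the SSL_get_error() result (a small enum such as SSL_ERROR_SSL) to ERR_error_string(), which expects an error-queue code from ERR_get_error(), and that code was already popped by the preceding `printf("ERR_get_error=%lu\n",ERR_get_error());`, so `ERR_print_errors_fp(stdout);` then finds an empty queue; drop those two lines and let ERR_print_errors_fp do the reporting. Also note that with a DHE-RSA suite the server now presents a certificate but nothing here calls SSL_CTX_set_verify or inspects the peer, so the client still accepts any certificate; that is no worse than ADH, but it should be stated rather than implied by the suite name.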
@@ -347,6 +351,7 @@
                {"port", required_argument, 0, 'p'},
                {"help", no_argument, 0, 'h'},
                {"license", no_argument, 0, 'l'},
+               {"cipher", no_argument, 0, 'C'},
                {0, 0, 0, 0}
                 };
 #endif
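Review bot: `{"cipher", no_argument, 0, 'C'}` must be `required_argument` to match the `C:` added to the short-option string; as written, `--cipher DHE-RSA-AES256-GCM-SHA384` leaves optarg NULL and the `cipher_list=strdup(optarg);` in the 'C' case dereferences it, while the value is left over as a stray positional argument. The short `-C` form is unaffected.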
@@ -355,7 +360,7 @@
        if(argc<2)
                return ERROR;

-       snprintf(optchars,MAX_INPUT_BUFFER,"H:b:c:a:t:p:nu46hl");
+       snprintf(optchars,MAX_INPUT_BUFFER,"H:b:c:a:t:p:C:nu46hl");

        while(1){
 #ifdef HAVE_GETOPT_LONG
@@ -395,6 +400,9 @@
                case 'H':
                        server_name=strdup(optarg);
                        break;
+                case 'C':
+                        cipher_list=strdup(optarg);
+                        break;
                case 'c':
                        command_name=strdup(optarg);
                        break;
@@ -488,4 +496,3 @@

        return OK;
        }
-

Best Regards,
Alonso

@jfrickson
Contributor

I have a complete and backward-compatible update for SSL/TLS in https://github.com/NagiosEnterprises/nrpe/tree/nrpe-2-16-RC2

Please read the README.SSL.md file.
