Feature Request - Add AES Support in NSCA #5

Open
ludmilmm opened this Issue Apr 28, 2016 · 3 comments

Comments

Projects
None yet
4 participants
@ludmilmm

ludmilmm commented Apr 28, 2016

When you use NSCA with NSClient++ only the AES-128 works properly. See the example below:

In the nsclient.ini on the Windows server:

`; ENCRYPTION - Name of encryption algorithm to use. Has to be the same as your server i using or it wont work at all.This is also independent of SSL and generally used instead of SSL. Available encryption algorithms are: none = No Encryption (not safe) xor = XOR des = DES 3des = DES-EDE3 cast128 = CAST-128 xtea = XTEA blowfish = Blowfish twofish = Twofish rc2 = RC2 aes128 = AES aes192 = AES aes = AES serpent = Serpent gost = GOST

encryption = AES`

In the nsca.cfg on the Nagios XI box:

#0 = None (Do NOT use this option)
#1 = Simple XOR (No security, just obfuscation, but very fast)
#
#2 = DES
#3 = 3DES (Triple DES)
#4 = CAST-128
#5 = CAST-256
#6 = xTEA
#7 = 3WAY
#8 = BLOWFISH
#9 = TWOFISH
#10 = LOKI97
#11 = RC2
#12 = ARCFOUR
#
#14 = RIJNDAEL-128
#15 = RIJNDAEL-192
#16 = RIJNDAEL-256
#
#19 = WAKE
#20 = SERPENT
#
#22 = ENIGMA (Unix crypt)
#23 = GOST
#24 = SAFER64
#25 = SAFER128
#26 = SAFER+
#

decryption_method=14

The above scenario works. If however, you use option 15 or 16 (RIJNDAEL-192 or RIJNDAEL-256), the passive check results are not being received, and you can see errors in the "/var/log/messages" similar to this one:
Apr 28 10:10:09 localhost nsca[10945]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?

According to a Nagios XI user on the Nagios Support forum, the issue is in fact this:

AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

AES-192 and AES-256 support needs to be added to NSCA so that it can be used with NSClient++.

@jfrickson jfrickson self-assigned this Oct 31, 2016

@jfrickson

This comment has been minimized.

Show comment
Hide comment
@jfrickson

jfrickson Mar 14, 2017

Contributor

Shouldn't be difficult. Will be getting to this soon.

Contributor

jfrickson commented Mar 14, 2017

Shouldn't be difficult. Will be getting to this soon.

@willemdh

This comment has been minimized.

Show comment
Hide comment
@willemdh

willemdh May 31, 2017

Looking forward to seeing this fixed. :+1

Stronger encryption like aes is really a minimal required encryption these days. It's also confusing, as the NSClient++ 's documentation suggest using aes, while this in fact doesn't work with Nagios's current NSCA implementation.

https://docs.nsclient.org/reference/client/NSCAClient/

image

Looking forward to seeing this fixed. :+1

Stronger encryption like aes is really a minimal required encryption these days. It's also confusing, as the NSClient++ 's documentation suggest using aes, while this in fact doesn't work with Nagios's current NSCA implementation.

https://docs.nsclient.org/reference/client/NSCAClient/

image

@hedenface hedenface assigned hedenface and unassigned jfrickson Jun 17, 2017

@hedenface

This comment has been minimized.

Show comment
Hide comment
@hedenface

hedenface Jun 17, 2017

Member

It shouldn't be difficult, but needs to be discussed in our internal open source dev meeting regardless. We'll bring it up at the next one!

Member

hedenface commented Jun 17, 2017

It shouldn't be difficult, but needs to be discussed in our internal open source dev meeting regardless. We'll bring it up at the next one!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment