Enabling SSL


#1

I had NRPE working without SSL; now I’m trying to configure SSL so that traffic between NSClient++ and my Nagios server is encrypted. I created a self-signed certificate and private key and put them in NSClient++\security and added the following to nsclient.ini:

{{{
[/settings/default]
use ssl = 1
certificate key = ${certificate-path}/privkey.pem
certificate = ${certificate-path}/cacert.pem
}}}

However, when I run check_nrpe from my Nagios host and view the traffic with Wireshark, it is unencrypted. Also, when I run NSClient++ in test mode, there is no output related to SSL, so it seems like it’s not even enabled. What am I doing wrong?


#2

You also need allowed ciphers:
{{{
[/settings/default]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
}}}

Or it will fall back to ADH (which is technically SSL but not certificate based).

You also want to set verify mode depending on how you want the certificates to be verified.

Check this out for details: http://blog.medin.name/blog/2012/12/02/securing-nrpe-with-certificate-based-authentication/
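The point of this reply is that leaving `allowed ciphers` out lets the listener fall back to anonymous DH, which encrypts but does not authenticate. The following is an added configuration audit, not code from NSClient++ or from anyone in this thread; it assumes the `[/settings/default]` layout and the key names `use ssl`, `allowed ciphers`, `certificate`, `certificate key` and `verify mode` used in the posts, and the `verify mode` value in the hardened sample is an assumption for illustration only.

```python
import configparser
from typing import List

# Constructed sample: the ini from the opening post (no allowed ciphers, no verify mode).
SAMPLE_INI = """
[/settings/default]
use ssl = 1
certificate key = ${certificate-path}/privkey.pem
certificate = ${certificate-path}/cacert.pem
"""

# Constructed sample with the cipher string from the reply above added.
HARDENED_INI = """
[/settings/default]
use ssl = 1
certificate key = ${certificate-path}/privkey.pem
certificate = ${certificate-path}/cacert.pem
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
; value below is an assumption for this example
verify mode = peer-cert
"""

def cipher_string_excludes_anonymous(ciphers: str) -> bool:
    """True if the OpenSSL cipher string permanently removes anonymous suites
    (!ADH or !aNULL). A '-ADH' entry is not accepted: it can be re-added later
    in the string, so only the '!' form is treated as a real exclusion."""
    parts = [p.strip() for p in ciphers.split(":") if p.strip()]
    return any(p in ("!ADH", "!aNULL") for p in parts)

def audit_ssl_settings(ini_text: str) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ${...} literal
    cp.read_string(ini_text)
    section = "/settings/default"
    if not cp.has_section(section):
        return [f"missing [{section}] section"]
    s = cp[section]
    findings = []
    if s.get("use ssl", "0").strip().lower() not in ("1", "true"):
        findings.append("use ssl is not enabled; NRPE traffic stays in plaintext")
    ciphers = s.get("allowed ciphers")
    if ciphers is None:
        findings.append("allowed ciphers not set; listener can fall back to ADH (encrypted, unauthenticated)")
    elif not cipher_string_excludes_anonymous(ciphers):
        findings.append("allowed ciphers does not exclude ADH/aNULL suites")
    if not s.get("certificate") or not s.get("certificate key"):
        findings.append("certificate or certificate key not set")
    if "verify mode" not in s:
        findings.append("verify mode not set; peer certificate checking is left at the default")
    return findings
```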


#3

Since the [http://nsclient.org/nscp/wiki/doc/configuration/0.4.x#ALLOWEDCIPHERS documentation] lists that as the default value for allowed ciphers I assumed I could leave it out. I guess the documentation needs updating.

When I add allowed ciphers I finally get some evidence that NSClient++ is using SSL:

{{{
$ check_nrpe -H
CHECK_NRPE: Error - Could not complete SSL handshake.
}}}

And NSClient++ outputs

{{{
Failed to establish secure connection: no shared cipher
}}}

Okay, that makes sense…I never told NRPE what ciphers it could use. I can’t find anything about it in the NRPE documentation, but based on [http://sourceforge.net/mailarchive/message.php?msg_id=21916402 this thread] from the nagios-users mailing list, it seems like NRPE doesn’t use certificates.
I can’t tell if NRPE uses ADH or if it’s possible to change the cipher. And since I’m not using NSClient++ on my Nagios server, I can’t figure out how to apply that blog post to my particular setup. Perhaps I’m asking in the wrong place.


#4

After additional research, I found that NRPE does indeed use ADH. There is a [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547092 lengthy discussion] about it on the Debian Nagios maintainers group.

Somebody submitted a [http://tracker.nagios.org/view.php?id=125 patch] that adds full SSL certificate authentication to NRPE, but it has yet to be incorporated into the official release. I will either apply that patch or use something like [https://www.stunnel.org/index.html stunnel]. Thanks for your help.


#5

NSClient++ supports full proper SSL support, but that requires you to have NSClient++ on both ends or it won't work.

The default is due to compatibility with check_nrpe; it is possible this will change in a future version once we have proper packages for Linux for NSClient++.

// Michael Medin


#6

So it is not possible to run check_nrpe plugin with ssl support on the nagios server and nsclient++ with “use ssl = 1” and “insecure = false” on the windows machine?