
replace security/nrpe_dh_512.pem with 2048 bit

Status: Open. Schroeffu opened this issue 6 years ago • 17 comments

Issue and Steps to Reproduce

The NSClient++ Diffie-Hellman key is only 512 bit, please replace it with 2048 bit. ./check_nrpe is not working from the newest Nagios 4.4.3 with NRPE 3.2.1 towards NSClient++ version 0.5.2.39:

./check_nrpe -H MYHOST
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with MYHOST: 1

Expected Behavior

./check_nrpe -H MYHOST
I (0.5.2.39 2018-02-04) seem to be doing fine...

Actual Behavior

./check_nrpe -H MYHOST
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with MYHOST

Details

  • NSClient++ version: 0.5.2.39
  • OS and Version: Windows Server 2012
  • Checking from: Nagios
  • Checking with: check_nrpe 3.2.1 on Ubuntu 18.04 with Nagios 4.4.3

Additional Details

NSClient++ log:

2019-01-22 15:18:47: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: sslv3 alert handshake failure: 1040

Nagios Syslog:

Jan 22 15:18:48 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with MYHOST: dh key too small

Schroeffu, Jan 22 '19 14:01

I agree it should be replaced. I replaced the DH key manually and it solved the error but it took a lot of my time to figure it out.

Petr

petrolej, Jan 31 '19 08:01

I'm also in favor of this! I also just manually replaced the 512-bit key with a 2048-bit key. Found it here: https://github.com/NagiosEnterprises/nrpe/issues/173#issuecomment-347477857

log1-c, Feb 14 '19 15:02

I hit this problem, too.

The DH parameters can be generated with

openssl dhparam -C 2048


In the config it needs to be set, too:

[/settings/NRPE/server]
dh = ${certificate-path}/nrpe_dh_2048.pem

abma, Mar 21 '19 15:03

Same here! I tried the procedure provided by @abma and it worked quite well.

A good solution would be either to generate 2048-bit DH keys during installation/upgrade or to make it configurable (e.g. a check box) during the setup process.

stephanhendl, Mar 25 '19 11:03

Sounds like a good option to use a generated key... I already generate some certs for https, so doing the same for the key sounds good...

mickem, Nov 06 '19 10:11

I have NSCP 0.5.2.39 (NSclient) installed on Windows 10, and on Ubuntu 18 Nagios 4.4.2 with NRPE 3.2.1. Running ./check_nrpe -h client ip gave this result from the server: **"CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with "** and on the client: "error:c:\source\0.5.1\include\socket/connection.hpp:276: Failed to establish secure connection: sslv3 alert handshake failure: 1040". I corrected that error by generating a 2048 DH key on the client side with the following command:

openssl dhparam -C 2048

and adding the following line to the configuration file NSclient.ini, which refers to the key generated with the above command:

; DH KEY
dh = ${certificate-path}/nrpe_dh_2048.pem

But now I have a new error from the server side: CHECK_NRPE: Error - Could not connect to 192.168.0.25. Check system logs on 192.168.0.25

And if we look at the log on the client, the following line appears for each attempt:

2020-03-26 07:37:49: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: peer did not return a certificate: 199

Any suggestion?

Pablo1816, Mar 26 '20 11:03

I followed the same procedure from abma to replace the dh_512 with dh_2048, and made progress, but got the same error as Pablo1816.

2020-10-28 09:11:34: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: peer did not return a certificate: 199

Has anyone made progress on this? Using NRPE Plugin for Nagios (check_nrpe) version 4.0.0 on Ubuntu 20.04.

n0dyjeff, Oct 28 '20 16:10

Do you have a valid certificate / private key in ${certificate-path}?

Maybe http://blog.medin.name/blog/2012/12/02/securing-nrpe-with-certificate-based-authentication/ helps; the ciphers used are very likely outdated.

abma, Oct 28 '20 16:10

@abma Thanks for the quick response. It gave me the clue I needed to make some progress. The issue was that NSClient++ was asking for a certificate from the NRPE client, even though when installing NSClient++ I specified no certificate verification. Changed the following in nsclient.ini to stop asking for a cert:

;verify mode = peer-cert
verify mode = none

Now I'm able to communicate, but have a new issue that I'm trying to figure out.

./check_nrpe -H 192.168.1.161
CHECK_NRPE: Invalid packet version received from server.
I (0.5.2.35 2018-01-28) seem to be doing fine...

UPDATE: I was able to fix the invalid packet version by changing to version 2 packets:

jeff@neptune:/usr/lib/nagios/plugins$ ./check_nrpe -H 192.168.1.161 -2
I (0.5.2.35 2018-01-28) seem to be doing fine...

Question: Should I be using 0.5.2.35? I see that there's a stable build 0.5.2.39 and some later nightly builds, but nothing very recent. Do I need to build from github sources to get support for later version packets?

n0dyjeff, Oct 28 '20 17:10

Hello 👋

I'm getting the same error: Error: (!log_opts) Could not complete SSL handshake with Ip. : DH key too small

Server was Nagios Core 4.1.0 installed on Oracle Linux, trying to connect to a Solaris 11.4 machine, and the NRPE agent was v2.15.

Need your help to resolve this.

Thank you

sswaroop84, Oct 17 '22 10:10

@sswaroop84: look at #606, you have to replace security/nrpe_dh_512.pem with a 2048-bit one.

abma, Oct 17 '22 11:10

Hi Abma,

Is it at the client server?

If you have a moment, could you please guide me where to place the file and how to generate it?

Below is the link I followed to install the agent in Solaris

https://nagios.force.com/support/s/article/Installing-the-Solaris-Agent-d64cdee5

sswaroop84, Oct 17 '22 11:10

@sswaroop84 you can use https://www.claudiokuenzler.com/blog/1115/check_nrpe-4.x-nsclient-5.x-ssl-error-could-not-complete-ssl-handshake as a guide

Napsty, Oct 17 '22 12:10

Thanks Napsty.

It shows the command to generate 2048-bit keys, but the remaining steps were all Windows 😐. But my clients are Solaris 11.4.

sswaroop84, Oct 17 '22 12:10

@sswaroop84 https://nagios.force.com/support/s/article/Monitoring-Solaris-e9292259 "NRPE on Solaris is deprecated. You should use the NCPA agent unless you are using a legacy NRPE install." -> https://www.nagios.org/ncpa/#downloads

abma, Oct 17 '22 13:10

Noted, Abma. I will try and update you 👍

sswaroop84, Oct 17 '22 14:10

@abma's solution worked fine for us. Thank you.

Carlos-Byte-Sys, May 05 '23 10:05