NagiosEnterprises / nrpe

NRPE Agent
GNU General Public License v2.0

NRPE does not support ECDHE when using openssl 1.0.1e #179

Open teridon opened 6 years ago

teridon commented 6 years ago

When the system library is openssl-1.0.1e, NRPE does not support ECDHE key exchange, even though openssl 1.0.1e is capable of it.

With this config (nrpe 3.2.1):

# grep ^ssl /etc/nagios/nrpe.cfg
ssl_version=TLSv1.2+
ssl_cipher_list=EECDH+AESGCM
ssl_cacert_file=/etc/nagios/ssl/ca-chain.cert.pem
ssl_cert_file=/etc/nagios/ssl/nrpe.crt
ssl_privatekey_file=/etc/nagios/ssl/nrpe.key
ssl_logging=0x01

The supported cipher list should be:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

However, in actuality NO ciphers are supported with this configuration.

If one installs openssl 1.1+, NRPE offers ciphers with ECDHE.

See also this forum topic.
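A diagnostic for the symptom above, added here as an example and not NRPE's own code: it parses the ssl_* lines of nrpe.cfg, applies the same cipher string and protocol floor to a TLS server context, and lists the suites the local OpenSSL actually enables, so an empty list reproduces the "NO ciphers" case. Assumptions: Python 3.7+, the OpenSSL Python links against is the one NRPE is built against, and the function names and sample config are constructed for illustration.

```python
"""Show which cipher suites an nrpe.cfg ssl_* configuration yields on the
local OpenSSL. Added example, not NRPE's own code; names are constructed."""
import ssl

# Constructed sample: the ssl_* lines quoted in the issue.
SAMPLE_NRPE_CFG = """\
ssl_version=TLSv1.2+
ssl_cipher_list=EECDH+AESGCM
ssl_logging=0x01
"""
# NRPE ssl_version values handled here (assumption: only the TLS ones).
_MIN_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def parse_ssl_settings(cfg_text):
    """Return the ssl_* key=value pairs from nrpe.cfg text."""
    settings = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("ssl_") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def negotiable_ciphers(ssl_cipher_list, ssl_version="TLSv1.2+"):
    """Apply the cipher string and protocol floor to a server context and
    return the OpenSSL names of the enabled suites; [] is the issue's
    'NO ciphers are supported' case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _MIN_VERSION[ssl_version.rstrip("+")]
    try:
        ctx.set_ciphers(ssl_cipher_list)
    except ssl.SSLError:
        return []  # OpenSSL rejected the string: nothing matched
    # TLS 1.3 suites are listed as well; the cipher string does not
    # select them and they always use (EC)DHE.
    return [c["name"] for c in ctx.get_ciphers()]

def offers_ecdhe(names):
    """True if at least one TLS 1.2 suite uses ECDHE key exchange."""
    return any(n.startswith("ECDHE-") for n in names)

if __name__ == "__main__":
    cfg = parse_ssl_settings(SAMPLE_NRPE_CFG)
    names = negotiable_ciphers(cfg["ssl_cipher_list"], cfg["ssl_version"])
    print(ssl.OPENSSL_VERSION, names, "ECDHE offered:", offers_ecdhe(names))
```

On an OpenSSL 1.1+ build the ECDHE-RSA/ECDSA AES-GCM suites appear; a build that cannot serve ECDHE yields no ECDHE- names, which is the behaviour the report describes.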

hedenface commented 6 years ago

The check for SSL versions was a quick fix when all the seclevel stuff was happening to a wide range of people, just to get a fix out. The intention is to go back and actually check for the existence of certain capabilities and adjust from there.

teridon commented 6 years ago

Thanks for the background info. I'd like to add that upcoming changes to NIST 800-52r2 (still in DRAFT) will effectively make ECDHE/EECDH a requirement for TLS services on U.S. Federal systems.