Closed alexgit2k closed 7 months ago
Hi, I have the same question and I opened a discussion today https://github.com/mickem/nscp/discussions/815
Is there a switch to disable also TLSv1,1 and keep/use just TLSv1.2 ?
Thanks
I searched the whole code, but NSClient++ can only disable SSL 2, 3 and TLS 1.0.
However, I discovered SNClient+ which is a drop-in-replacement and is able to set the minimal-version of TLS up to TLS 1.3 (https://omd.consol.de/docs/snclient/security/#tls-13).
This will be in the next nightly build (out in later today or tomorrow)
Hi there, any news about this topic? Our customers are pressing us, regarding that "security issue" as they see the problem. And they're asking us to change client, but I said them to wait....
Let me know please. Thanks
@louwar I created a rule in the windows-firewall which blocks incoming requests:
Local connections on the machine are still possible.
Another way would be to set "allowed hosts" to 127.0.0.1, but this requires NSClient++ 0.5.3 and we are using an older version.
You can find latest build here: https://github.com/mickem/nscp/actions/runs/6797913278 I still have some issues with the NRPE test before I can merge this...
Please test above and let me know if it resolves the ieeus. In essence the https://nsclient.org/docs/reference/client/NRPEServer/#verify-mode option now has new keys no-tlsv1_2
and no-tlsv1_3
So setting (should disable all older tls modes):
[/settings/NRPE/server]
ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_2,no-tlsv1_3
Hello.It's not that easy.The problem is not on the TCP port 8443.The problem is on TCP port 5666 which responds with SSL/TLS.It may not be a problem for us, but it is for our customers when they run their vulnerability tests and notice that their servers (Windows and Linux) respond on TCP port 5666 with SSLv2 SSLv3 TLS1 and TLS1.1 On Linux, where NRPE runs, we solved it by setting the ssl_version=TLSv1.2+ option which prevents the use of old protocols and responds only to TLS1.2 and above.With NSClient++ we can disable up to TLS1 but not TLS1.1.And it is not acceptable from our customer.We have lots of server to manage, from different customers, it is not simple to change globally firewall rules, etc. Thanks & Regards
Il Mar, 7 Nov, 2023 alle 19:58, @.***> ha scritto:
@louwar I created a rule in the windows-firewall which blocks incoming requests:
Local connections on the machine are still possible.
Another way would be to set "allowed hosts" to 127.0.0.1, but this requires NSClient++ 0.5.3 and we are using an older version.
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>
These options are for the NRPE port and will allow you to disable TLS version above 1.0. But reading it again I realized I had missed disabling 1.1 so only added options for 1.2 and 1.3 I will add 1.1. now and thus the next build will have support for that as well.
I will post an update with a link when that is built...
@mickem would like to ask when is the new bulid will be publish
Unless something happens later today we will have new builds... They lack Lua and dot net as well as we ui bu apart from that everything should be working....
You can find the release here: https://github.com/mickem/nscp/releases/tag/0.6.0.0 It is marked as pre release due to missing features mentioned, and please do let me know any issue you experience... There is a lot of changes in thies version so some bugs are expected.
You can find the release here: https://github.com/mickem/nscp/releases/tag/0.6.0.0 It is marked as pre release due to mising features mentions
Hi @mickem after install the above release 0.6.0.0 we encounter error as below
2023-11-22 19:52:15: error:D:\a\nscp\nscp\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher (SSL routines, tls_post_process_client_hello)
2023-11-22 19:52:15: error:D:\a\nscp\nscp\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.
below are current nsclient config
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
port = 5666
payload length = 1024
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:!3DES:!IDEA:@STRENGTH
ssl = true
ssl options = no-sslv3,no-sslv2,no-tlsv1,no-tlsv1_1
dh = ${certificate-path}/nrpe_dh_2048.pem
[/settings/external scripts]
allow arguments = true
allow nasty characters = true
script path =
timeout = 50
[/settings/default]
; ALLOWED CIPHERS - A better value is: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:!3DES:!IDEA:@STRENGTH
allowed hosts = 127.0.0.1
cache allowed hosts = true
certificate =
timeout = 50
use ssl = true
ssl options = no-sslv3,no-sslv2,no-tlsv1,no-tlsv1_1
verify mode = none
debug = false
insecure = false
What are you useing on the remote end to check this? I.e. whats the command/config of the NRPE setup on the "other side"?
HI @mickem we are using RHEL 8.7 as remote monitoring server Nagios XI version 5.11.2
when i execute command check nrpe, below are the output
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with xx.xx.xx.xx: 1
Try setting
[/settings/NRPE/server]
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0
@mickem able to server the issue thank you for your assistance
Hi @mickem with this option
ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1
we blocked also TLS1.2 and TLS1.3 (still not implemented but....) and it should not be.
Why? The goal is the ability to specify which protocol we want to use and in this moment, we should still use TLS1.2
Thanks
Not really sure what -S does, my check_nrpe has no such option.
When I run testssl.sh with the following config:
[/modules]
NRPEServer = enabled
[/settings/NRPE/server]
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0
insecure = true
ssl = true
ssl options = no-sslv3,no-sslv2,no-tlsv1,no-tlsv1_1
I get:
There was issue with connection, now is good, but still I have similar output with "check_nrpe" from a collector server on Linux machine
check_nrpe -h (the -S flag)
I just have these options
[/settings/NRPE/server] allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0 ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1
Sorry, I also had -S (just had a typo), and for me this also works...
Using:
[/modules]
NRPEServer = enabled
[/settings/NRPE/server]
allowed ciphers = ALL:!MD5:@strength:@SECLEVEL=0
ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1
[/settings/default]
allowed hosts = 172.17.251.17/20
Which version of NSClient++ do you have?
Also make sure there are no firewalls or other security tools preventing the call.
// Michael Medin
Now it works fine
Thank you very much for the support
Great
Issue and Steps to Reproduce
It is possible to disable SSL 2, 3, TLS 1.0 via
ssl options
: https://github.com/mickem/nscp/blob/a0bf0985471d8956409079515c5199a0b0b84fa4/docs/docs/reference/windows/NSClientServer.md?plain=1#L704-L712As TLS 1.1 has been deprecated since 2021 (see https://datatracker.ietf.org/doc/html/rfc8996) there should be also a switch to disable TLS 1.1.
Expected Behavior
Tell us what you think should happen.
Actual Behavior
Tell us what happens instead.
Details
Additional Details
NSClient++ log: