Option for disabling deprecated TLS 1.1

[alexgit2k]

Issue and Steps to Reproduce

It is possible to disable SSL 2, 3, TLS 1.0 via ssl options: https://github.com/mickem/nscp/blob/a0bf0985471d8956409079515c5199a0b0b84fa4/docs/docs/reference/windows/NSClientServer.md?plain=1#L704-L712

As TLS 1.1 has been deprecated since 2021 (see https://datatracker.ietf.org/doc/html/rfc8996) there should be also a switch to disable TLS 1.1.

PLEASE PROVIDE COMMAND HERE

Expected Behavior

Tell us what you think should happen.

Actual Behavior

Tell us what happens instead.

Details

• NSClient++ version: 0.5.2
• OS and Version: Windows Server 2012
• Checking from: Centreon, Icinga, OP5, ...
• Checking with: check_nrpe, check_nt, ...

Additional Details

NSClient++ log:

PLEASE PASTE LOG HERE

[louwar]

Hi, I have the same question and I opened a discussion today https://github.com/mickem/nscp/discussions/815

Is there a switch to disable also TLSv1,1 and keep/use just TLSv1.2 ?

Thanks

[alexgit2k]

I searched the whole code, but NSClient++ can only disable SSL 2, 3 and TLS 1.0.

However, I discovered SNClient+ which is a drop-in-replacement and is able to set the minimal-version of TLS up to TLS 1.3 (https://omd.consol.de/docs/snclient/security/#tls-13).

[mickem]

This will be in the next nightly build (out in later today or tomorrow)

[louwar]

Hi there, any news about this topic? Our customers are pressing us, regarding that "security issue" as they see the problem. And they're asking us to change client, but I said them to wait....

Let me know please. Thanks

[alexgit2k]

@louwar I created a rule in the windows-firewall which blocks incoming requests:

• Rule type: Port
• Protocols and ports: TCP, 8443
• Action: Block connection
• Profile: All
• Name: NSClient++ web interface

Local connections on the machine are still possible.

Another way would be to set "allowed hosts" to 127.0.0.1, but this requires NSClient++ 0.5.3 and we are using an older version.

[mickem]

You can find latest build here: https://github.com/mickem/nscp/actions/runs/6797913278 I still have some issues with the NRPE test before I can merge this...

Please test above and let me know if it resolves the ieeus. In essence the https://nsclient.org/docs/reference/client/NRPEServer/#verify-mode option now has new keys no-tlsv1_2 and no-tlsv1_3

So setting (should disable all older tls modes):

[/settings/NRPE/server]
ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_2,no-tlsv1_3

[louwar]

Hello.It's not that easy.The problem is not on the TCP port 8443.The problem is on TCP port 5666 which responds with SSL/TLS.It may not be a problem for us, but it is for our customers when they run their vulnerability tests and notice that their servers (Windows and Linux) respond on TCP port 5666 with SSLv2 SSLv3 TLS1 and TLS1.1 On Linux, where NRPE runs, we solved it by setting the ssl_version=TLSv1.2+ option which prevents the use of old protocols and responds only to TLS1.2 and above.With NSClient++ we can disable up to TLS1 but not TLS1.1.And it is not acceptable from our customer.We have lots of server to manage, from different customers, it is not simple to change globally firewall rules, etc. Thanks & Regards

Il Mar, 7 Nov, 2023 alle 19:58, @.***> ha scritto:

@louwar I created a rule in the windows-firewall which blocks incoming requests:

• Rule type: Port
• Protocols and ports: TCP, 8443
• Action: Block connection
• Profile: All
• Name: NSClient++ web interface

Local connections on the machine are still possible.

Another way would be to set "allowed hosts" to 127.0.0.1, but this requires NSClient++ 0.5.3 and we are using an older version.

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>

[mickem]

These options are for the NRPE port and will allow you to disable TLS version above 1.0. But reading it again I realized I had missed disabling 1.1 so only added options for 1.2 and 1.3 I will add 1.1. now and thus the next build will have support for that as well.

I will post an update with a link when that is built...

[mrunknownpbu]

@mickem would like to ask when is the new bulid will be publish

[mickem]

Unless something happens later today we will have new builds... They lack Lua and dot net as well as we ui bu apart from that everything should be working....

[mickem]

You can find the release here: https://github.com/mickem/nscp/releases/tag/0.6.0.0 It is marked as pre release due to missing features mentioned, and please do let me know any issue you experience... There is a lot of changes in thies version so some bugs are expected.

[mickem]

You can find the release here: https://github.com/mickem/nscp/releases/tag/0.6.0.0 It is marked as pre release due to mising features mentions

[mrunknownpbu]

Hi @mickem after install the above release 0.6.0.0 we encounter error as below

2023-11-22 19:52:15: error:D:\a\nscp\nscp\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher (SSL routines, tls_post_process_client_hello)
2023-11-22 19:52:15: error:D:\a\nscp\nscp\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

below are current nsclient config

[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
port = 5666
payload length = 1024
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:!3DES:!IDEA:@STRENGTH
ssl = true
ssl options = no-sslv3,no-sslv2,no-tlsv1,no-tlsv1_1
dh = ${certificate-path}/nrpe_dh_2048.pem

[/settings/external scripts]
allow arguments = true
allow nasty characters = true
script path = 
timeout = 50

[/settings/default]
; ALLOWED CIPHERS - A better value is: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:!3DES:!IDEA:@STRENGTH
allowed hosts = 127.0.0.1

cache allowed hosts = true
certificate = 
timeout = 50
use ssl = true
ssl options = no-sslv3,no-sslv2,no-tlsv1,no-tlsv1_1
verify mode = none
debug = false
insecure = false

[mickem]

What are you useing on the remote end to check this? I.e. whats the command/config of the NRPE setup on the "other side"?

[mrunknownpbu]

HI @mickem we are using RHEL 8.7 as remote monitoring server Nagios XI version 5.11.2

when i execute command check nrpe, below are the output CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with xx.xx.xx.xx: 1

[mickem]

Try setting

[/settings/NRPE/server]

allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0

[mrunknownpbu]

@mickem able to server the issue thank you for your assistance

[louwar]

Hi @mickem with this option

ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1

we blocked also TLS1.2 and TLS1.3 (still not implemented but....) and it should not be.

Why? The goal is the ability to specify which protocol we want to use and in this moment, we should still use TLS1.2

Thanks

[mickem]

Not really sure what -S does, my check_nrpe has no such option.

When I run testssl.sh with the following config:

[/modules]
NRPEServer = enabled
[/settings/NRPE/server]
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0
insecure = true
ssl = true
ssl options = no-sslv3,no-sslv2,no-tlsv1,no-tlsv1_1

I get:

[louwar]

There was issue with connection, now is good, but still I have similar output with "check_nrpe" from a collector server on Linux machine

check_nrpe -h (the -S flag)

I just have these options

[/settings/NRPE/server] allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0 ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1

[louwar]

[mickem]

Sorry, I also had -S (just had a typo), and for me this also works...

Using:

[/modules]
NRPEServer = enabled

[/settings/NRPE/server]
allowed ciphers = ALL:!MD5:@strength:@SECLEVEL=0
ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1

[/settings/default]
allowed hosts = 172.17.251.17/20

Which version of NSClient++ do you have?

Also make sure there are no firewalls or other security tools preventing the call.

// Michael Medin

[louwar]

Now it works fine

Thank you very much for the support

[mickem]

Great