Bug 27358

Summary: nrpe connection from nagios doesnt work after last updates with crypto-policies
Product: Mageia Reporter: Dieter Schütze <dieter>
Component: RPM PackagesAssignee: Daniel Lucio <luis.daniel.lucio>
Status: RESOLVED OLD QA Contact:
Severity: normal    
Priority: Normal CC: jani.valimaa, ouaurelien, thierry.vignaud
Version: 7Keywords: Triaged
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: nrpe-3.2.1-3.2.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 27359    
Bug Blocks:    

Description Dieter Schütze 2020-10-04 16:54:36 CEST 
Description of problem:
after update to the new crypto-policies nagios couldn't connect to the nrpe client.Error - Could not complete SSL handshake wich result in massive alerts from nagios.

Version-Release number of selected component (if applicable):
nrpe-3.2.1-3.2.mga7
nagios-check_nrpe-3.2.1-3.2.mga7

How reproducible:
after install crypto-policies

Steps to Reproduce:
1. install crypto-policies
2. restart
3. and see the errors on nagios frontend or with journalctl -af

the only chance to get the old nrpe running is to make the crypto-policies unsecure. I described that here: 
https://bugs.mageia.org/show_bug.cgi?id=27343#c11

and of course it is clesr why this doesnt work anymore. NRPE v3.2.1 is to old (from 2017) and can't work with @SECLEVEL=1 wich is the default on the new crypto-policies. You have to set the @SECLEVEL=0 You can read this in /etc/nagios/nrpe.cfg
---------------------------------------------------------------
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
# greater. 

#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
--------------------------------------------------------------------
to test this make crypto-policies more unsecure described above
install nrpe and check_nrpe with 
urpmi nrpe nagios-check_nrpe
start nrpe daemon with systemctl start nrpe

ask the Version of nrpe with check_nrpe and the SECLEVEL=1
/usr/lib64/nagios/plugins/check_nrpe -S TLSv1.2 -L "ALL:@STRENGTH:@SECLEVEL=1" -H 127.0.0.1
you got
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1

ask the Version of nrpe with check_nrpe and the SECLEVEL=0
/usr/lib64/nagios/plugins/check_nrpe -S TLSv1.2 -L "ALL:@STRENGTH:@SECLEVEL=0" -H 127.0.0.1
you got
NRPE v3.2.1
Dieter Schütze 2020-10-04 17:04:51 CEST

Version: Cauldron => 7

Comment 1 Jani Välimaa 2020-10-04 20:48:24 CEST 
Try this:

1. Install rpm-helper and change KEY_LENGTH to 4096 in /etc/sysconfig/ssl.

2. Run '/usr/share/rpm-helper/create-ssl-certificate nrpe 1 nagios -g nagios' as root.

3. Change nrpe to use created certs in /etc/nagios/nrpe.cfg:
ssl_cert_file=/etc/pki/tls/certs/nagios.pem
ssl_privatekey_file=/etc/pki/tls/private/nagios.pem

4. Restart nrpe
Comment 2 Dieter Schütze 2020-10-04 23:56:04 CEST 
(In reply to Jani Välimaa from comment #1)
> Try this:
> 
> 1. Install rpm-helper and change KEY_LENGTH to 4096 in /etc/sysconfig/ssl.
> 
> 2. Run '/usr/share/rpm-helper/create-ssl-certificate nrpe 1 nagios -g
> nagios' as root.
> 
> 3. Change nrpe to use created certs in /etc/nagios/nrpe.cfg:
> ssl_cert_file=/etc/pki/tls/certs/nagios.pem
> ssl_privatekey_file=/etc/pki/tls/private/nagios.pem
> 
> 4. Restart nrpe

Thank you, this works on my test environment.
But a question for my understanding, why i have to expand the key lenght ?
if you look at /etc/crypto-policies/state/CURRENT.po the lenght of 2048 is enough.
Comment 3 Thierry Vignaud 2020-10-05 09:52:52 CEST 
See Bug #27359

CC: (none) => thierry.vignaud

Aurelien Oudelet 2020-10-05 15:57:51 CEST

Depends on: (none) => 27359
CC: (none) => ouaurelien

Comment 4 Aurelien Oudelet 2020-10-05 16:02:00 CEST 
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

No update required. 27259 blocks this.

Will close this after 27259 will be fixed.

Keywords: (none) => Triaged
Status comment: (none) => No update required. 27259 blocks this.
Assignee: bugsquad => luis.daniel.lucio
Severity: major => normal

Comment 5 Jani Välimaa 2020-10-05 17:33:48 CEST 
(In reply to Dieter Schütze from comment #2)
> (In reply to Jani Välimaa from comment #1)
> > Try this:
> > 
> > 1. Install rpm-helper and change KEY_LENGTH to 4096 in /etc/sysconfig/ssl.
> > 
> > 2. Run '/usr/share/rpm-helper/create-ssl-certificate nrpe 1 nagios -g
> > nagios' as root.
> > 
> > 3. Change nrpe to use created certs in /etc/nagios/nrpe.cfg:
> > ssl_cert_file=/etc/pki/tls/certs/nagios.pem
> > ssl_privatekey_file=/etc/pki/tls/private/nagios.pem
> > 
> > 4. Restart nrpe
> 
> Thank you, this works on my test environment.
> But a question for my understanding, why i have to expand the key lenght ?
> if you look at /etc/crypto-policies/state/CURRENT.po the lenght of 2048 is
> enough.

Can you also try the same with KEY_LENGTH=2048?

It might be that there is something else happening with nrpe and how it is working if certs are not used/configured.

CC: (none) => jani.valimaa

Comment 6 Dieter Schütze 2020-10-05 20:16:34 CEST 
(In reply to Jani Välimaa from comment #5)
> (In reply to Dieter Schütze from comment #2)
> 
> Can you also try the same with KEY_LENGTH=2048?
> 
> It might be that there is something else happening with nrpe and how it is
> working if certs are not used/configured.

With the given certificate, nrpe is forced to use an ssl connection with a given key length.
this gives you the opportunity to adapt it to the crypto policies.

Thank you
Also works in the production environment, tested today.
Comment 7 Dieter Schütze 2020-10-05 20:18:53 CEST 
I also used the 4096 long key. That makes sense for stricter regulations in the future.
Comment 8 Jani Välimaa 2020-10-06 06:37:45 CEST 
(In reply to Aurelien Oudelet from comment #4)
> Hi, thanks for reporting this bug.
> Assigned to the package maintainer.
> 
> No update required. 27259 blocks this.
> 
> Will close this after 27259 will be fixed.

Fixing bug 27259 doesn't fix the issue automatic.

nrpe needs to be also configured/patched to use SSL cert and private key as it doesn't do it by default.

Status comment: No update required. 27259 blocks this. => (none)

Comment 9 Jani Välimaa 2020-10-06 06:39:32 CEST 
(In reply to Jani Välimaa from comment #8)
> (In reply to Aurelien Oudelet from comment #4)
> > Hi, thanks for reporting this bug.
> > Assigned to the package maintainer.
> > 
> > No update required. 27259 blocks this.
> > 
> > Will close this after 27259 will be fixed.
> 
> Fixing bug 27359 doesn't fix the issue automatic.
> 
> nrpe needs to be also configured/patched to use SSL cert and private key as
> it doesn't do it by default.

It's bug 27359 and not 27259.
Comment 10 Aurelien Oudelet 2021-07-06 13:15:06 CEST 
Mageia 7 is EOL since July 1st 2021.
There will not have any further bugfix for this release.

You are encouraged to upgrade to Mageia 8 as soon as possible.

@reporter, if this bug still apply with Mageia 8, please let us know it.

@packager, if you work on the Mageia 7 version of your package, please check the Mageia 8 package if issue is also present. In this case, please fix the Mageia 8 version instead.

This bug report will be closed OLD if there is no further notice within 1st September 2021.
Comment 11 Marja Van Waes 2021-09-07 14:11:15 CEST 
Hi bug reporter and hi assignee and others involved,

Please reopen this bug report if it is still valid for Mageia 8 or 9(cauldron), and change "Version:" in the upper left of this report accordingly.

This report is being closed as OLD because it was filed against Mageia 7, for which  support ended on June 30th 2021.

Thanks,
Marja

Resolution: (none) => OLD
Status: NEW => RESOLVED