By using NSClient++ with signed SSL certificates and strong encryption, you can guard your monitoring traffic against eavesdroppers. If you are using NSClient++ to send data to your monitoring system and you care about the security of your network, by all means make sure you use strong encryption such as TLS 1.2 (not Anonymous Diffie-Hellman!) and signed SSL certificates. With Anonymous Diffie-Hellman, the keys used in the exchange are not authenticated, so the protocol is susceptible to Man-in-the-Middle attacks.(1)

Tip: Be sure to remove the “security\nrpe_dh_512.pem” file if it exists. If you don’t, you will experience some strange problems: the NRPEServer module will fail to load, and you will not be able to connect to it using SSL. Once the “nrpe_dh_512.pem” file is removed, NSClient++ works with a signed certificate.

Assuming NSClient++ is listening on port 5555, you can test that your agent is serving a signed certificate with the “openssl s_client” command, something like this:

openssl s_client -connect nsclient.lab.rexconsulting.net:5555

If you see anything other than “Verify return code: 0 (ok)”, something in your configuration is broken.
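The following script is an added example, not part of the original post or of NSClient++ itself. It wraps the “openssl s_client” check above in a few shell functions that read the s_client output and decide whether the listener is actually authenticated. Looking at “Verify return code” alone is not enough: when an anonymous (ADH/AECDH) suite is negotiated the server presents no certificate at all, and OpenSSL reports 0 (ok) because there was nothing to verify, so the script also inspects the negotiated cipher and protocol. The host name and port are the ones from the post; the three sample outputs are constructed in the shape s_client prints and are not captures from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): assess "openssl s_client" output
# for an NSClient++ listener. Functions return 0 (pass) or 1 (fail) so they
# can be used in if-statements and scripts.

# Pass only if OpenSSL reported a clean certificate verification.
verify_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Pass if the negotiated suite is anonymous (ADH or AECDH). Such suites send
# no certificate, so verify_ok would still pass; this is the trap the post warns about.
cipher_is_anonymous() {
    printf '%s\n' "$1" | grep -Eq '^New, .*Cipher is (ADH|AECDH)-'
}

# Pass if the session protocol is TLS 1.2 or TLS 1.3 (the "New, TLSv1.x, Cipher is" line).
protocol_modern() {
    printf '%s\n' "$1" | grep -Eq '^New, TLSv1\.[23], '
}

# Overall verdict: verified certificate, modern protocol, and not an anonymous suite.
assess() {
    verify_ok "$1" && protocol_modern "$1" && ! cipher_is_anonymous "$1"
}

# Live probe (not run by default). Host and port default to the post's values.
# Pass a CA bundle as the third argument when the signing CA is not in the
# system trust store; otherwise the verify return code will not be 0 (ok).
probe() {
    host=${1:-nsclient.lab.rexconsulting.net}
    port=${2:-5555}
    cafile=${3:-}
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
    fi
    assess "$out"
}

# Constructed sample: signed certificate, ECDHE-RSA suite, verified by the client.
SAMPLE_SIGNED='CONNECTED(00000003)
depth=1 CN = Lab Root CA
verify return:1
depth=0 CN = nsclient.lab.rexconsulting.net
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
    Verify return code: 0 (ok)
---'

# Constructed sample: anonymous DH suite. Note the "0 (ok)" despite no certificate.
SAMPLE_ANON='CONNECTED(00000003)
---
no peer certificate available
---
New, TLSv1.2, Cipher is ADH-AES256-GCM-SHA384
---
    Verify return code: 0 (ok)
---'

# Constructed sample: certificate presented but its issuer is not trusted.
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = nsclient.lab.rexconsulting.net
verify error:num=21:unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# Offline demonstration over the constructed samples.
for name in SAMPLE_SIGNED SAMPLE_ANON SAMPLE_UNTRUSTED; do
    eval "sample=\$$name"
    if assess "$sample"; then
        echo "$name: PASS (authenticated, modern TLS)"
    else
        echo "$name: FAIL (check certificate trust and cipher configuration)"
    fi
done
```

To check a real listener, call “probe” with the host, port and, if needed, the CA file, e.g. “probe nsclient.lab.rexconsulting.net 5555 /path/to/lab-ca.pem”; the path is a placeholder. Only the signed sample passes: the anonymous sample fails on the cipher check even though OpenSSL printed “0 (ok)”, and the untrusted sample fails on the verify code.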

Don’t be lazy and accept the Anonymous Diffie-Hellman protocol on your network, since it is a very weak form of encryption. Fortify your network by adding strong encryption with signed SSL certificates today!

1. https://wiki.openssl.org/index.php/Diffie_Hellman

© Copyright 2020 Rex Consulting, Inc. – All rights reserved