I'm trying to connect Nagstamon 3.8 to an old Nagios server 3.2.2.
When I try to connect I get the error:

'[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:997)'

Two years ago I had the same problem, but then I found a solution: Ubuntu 20.04 - how to set lower SSL security level?

The official release notes say "SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0, except when RSA key exchange without SHA1 is used".

Now editing /etc/ssl/openssl.cnf has no effect. My openssl.cnf looks like this:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = ALL:@SECLEVEL=0

The output from openssl ciphers -s -v -tls1 looks the same on my Ubuntu 20.04 and 22.04, but on 20.04 everything works fine, unlike 22.04.

How can I enable TLSv1 support for Nagstamon or any other application in Ubuntu 22.04?

  • Lowering the security settings on your client is never the way to go. Nagstamon connects to Nagios over HTTP, and since Nagios does not have its own webserver, most likely this means Apache or something else is serving HTTPS. You should re-configure Apache on the Nagios system to support a more secure configuration. – pzkpfw Nov 20 '22 at 19:17

1 Answer

Same issue here. The thing is, the TLSv1 standard for encryption was found insecure, so OpenSSL had to eliminate it from the software. I'm afraid TLSv1 is gone for good.

So after three hours of trying to reconfigure OpenSSL 3.0.2 on Ubuntu 22.04, I took a deep breath and thought "you must think outside the box", so I came up with an alternative solution.

MySoftware in TLSWhatEverVersion > HTTPSApache2Proxy > WebservicesServerInTLSv1

So the idea is to use Apache2 to translate from TLSv1 to whatever you need and backwards.

The solution is to use "Apache2" as a reverse proxy to translate from TLSv1 to whatever I ask of it through https, and it works great. It took me about 1 hour to configure "Apache2", trying different configurations and activating the different modules needed to do the task.

First you have to install "Apache2":

  • sudo apt install apache2

Second you have to test it:

  • http://<WhatEverIp> in your web browser.

Third, enable SSL module in "Apache2":

  • a2enmod ssl

Fourth, enable Proxy module on "Apache2":

  • a2enmod proxy

And at last you have to add the virtual host to your sites-enabled config file (/etc/apache2/sites-enabled/000-default.conf):

  • Add at the end of the file:

<VirtualHost *:port>

    # Proxying to an https:// backend also needs mod_proxy_http (a2enmod proxy_http)
    ProxyPass / https://<TLSv1 IP of origin>:<port>/
    ProxyPassReverse / https://<TLSv1 IP of origin>:<port>/

    SSLEngine on
    SSLProxyEngine on

    # The certificate of the TLSv1 backend is not verified at all
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # Client-facing side: only TLSv1.2 and newer
    SSLCipherSuite AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    SSLCertificateFile /etc/apache2/certs/<selfSignedCertName>.crt
    SSLCertificateKeyFile /etc/apache2/certs/<selfSignedCertName>.key

</VirtualHost>

Additional: to generate self signed certificates:

mkdir /etc/apache2/certs
cd /etc/apache2/certs
# 2048-bit key: 1024-bit RSA is below what OpenSSL security level 2 accepts
openssl genrsa -out mysite.com.key 2048
openssl req -new -key mysite.com.key -out mysite.com.csr
openssl x509 -req -days 100000 -in mysite.com.csr -signkey mysite.com.key -out mysite.com.crt

If you have any questions, please ask them, because my distorted brain sometimes works in mysterious ways.

Kind regards from Chile.

Links for recreating the solution:

Blastter
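A way to check what the proxy vhost in the answer above actually exposes, as an added example that is not part of the original answer: a small Python audit that evaluates the SSLProtocol list for the client-facing side and reports which backend verification switches are turned off. The sample values (port 8443, documentation address 192.0.2.10), the function names, and the simplified reading of "All" are assumptions.

```python
# Constructed sample: the answer's vhost with made-up placeholder values.
SAMPLE_VHOST = """\
<VirtualHost *:8443>
    ProxyPass / https://192.0.2.10:443/
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

# Assumption: "all" is modelled as every protocol below (the widest reading).
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
PEER_CHECKS = ("SSLProxyCheckPeerCN", "SSLProxyCheckPeerName", "SSLProxyCheckPeerExpire")

def directives(conf):
    """Return {lower-cased directive: arguments}; the last occurrence wins."""
    found = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def enabled_protocols(spec):
    """Evaluate an SSLProtocol list: +x adds, -x removes, a bare name replaces."""
    enabled = set()
    for token in spec.lower().split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = ALL if name == "all" else {name} & ALL  # unknown names (SSLv2) drop out
        enabled = enabled - group if sign == "-" else (enabled | group if sign else set(group))
    return enabled

def audit(conf):
    """Return (client-facing protocols, findings) for one vhost's directives."""
    d = directives(conf)
    front = enabled_protocols(d.get("sslprotocol", "all -sslv3"))
    findings = [f"client side still offers {p}" for p in sorted(front & LEGACY)]
    if d.get("sslproxyengine", "off").lower() == "on":
        if d.get("sslproxyverify", "none").lower() == "none":
            findings.append("backend certificate is not verified")
        findings += [f"{n} is off" for n in PEER_CHECKS if d.get(n.lower(), "on").lower() == "off"]
    return sorted(front), findings

if __name__ == "__main__":
    print(audit(SAMPLE_VHOST))
```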