Feature Request - Add AES Support in NSCA

[ludmilmm]

When you use NSCA with NSClient++ only the AES-128 works properly. See the example below:

In the nsclient.ini on the Windows server:

`; ENCRYPTION - Name of encryption algorithm to use. Has to be the same as your server i using or it wont work at all.This is also independent of SSL and generally used instead of SSL. Available encryption algorithms are: none = No Encryption (not safe) xor = XOR des = DES 3des = DES-EDE3 cast128 = CAST-128 xtea = XTEA blowfish = Blowfish twofish = Twofish rc2 = RC2 aes128 = AES aes192 = AES aes = AES serpent = Serpent gost = GOST

encryption = AES`

In the nsca.cfg on the Nagios XI box:

#0 = None (Do NOT use this option)
#1 = Simple XOR (No security, just obfuscation, but very fast)
#
#2 = DES
#3 = 3DES (Triple DES)
#4 = CAST-128
#5 = CAST-256
#6 = xTEA
#7 = 3WAY
#8 = BLOWFISH
#9 = TWOFISH
#10 = LOKI97
#11 = RC2
#12 = ARCFOUR
#
#14 = RIJNDAEL-128
#15 = RIJNDAEL-192
#16 = RIJNDAEL-256
#
#19 = WAKE
#20 = SERPENT
#
#22 = ENIGMA (Unix crypt)
#23 = GOST
#24 = SAFER64
#25 = SAFER128
#26 = SAFER+
#

decryption_method=14

The above scenario works. If however, you use option 15 or 16 (RIJNDAEL-192 or RIJNDAEL-256), the passive check results are not being received, and you can see errors in the "/var/log/messages" similar to this one:
Apr 28 10:10:09 localhost nsca[10945]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?

According to a Nagios XI user on the Nagios Support forum, the issue is in fact this:

AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

AES-192 and AES-256 support needs to be added to NSCA so that it can be used with NSClient++.

[jfrickson]

Shouldn't be difficult. Will be getting to this soon.

[willemdh]

Looking forward to seeing this fixed. :+1

Stronger encryption like aes is really a minimal required encryption these days. It's also confusing, as the NSClient++ 's documentation suggest using aes, while this in fact doesn't work with Nagios's current NSCA implementation.

https://docs.nsclient.org/reference/client/NSCAClient/

[hedenface]

It shouldn't be difficult, but needs to be discussed in our internal open source dev meeting regardless. We'll bring it up at the next one!

[rwmacleod]

Would this work get rid of the mcrypt dependency? mcrypt seems to be dead and getting it to even build with autoconf-2.71 for Yocto (1,2) seems like a waste of time since mcrypt hasn't been updated in more than a decade (3).

1. http://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/tree/recipes-extended/nagios/nagios-nsca_2.9.2.bb?h=master#n25
2. http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-crypto/libmcrypt/libmcrypt_2.5.8.bb?h=master
3. https://en.wikipedia.org/wiki/Mcrypt