Finally NRPE is adding True SSL security connection

After so many years of people pointing out that the so called security of the NRPE agent is not really a valid security, it seem that the developers working on the NRPE project have finally taken those concerns to heart and incorporated  a proper SSL security configuration method to the agent :

# These directives allow you to specify how to use SSL/TLS.

# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
# TLSv1.2+ (use TLSv1.2 or above)
# If an “or above” version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.


# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.


# This lists which ciphers can be used. For backward compatibility, this
# defaults to ‘ssl_cipher_list=ALL:!MD5:@STRENGTH’ in this version but
# will be changed to something like the example below in a later version of NRPE.


# SSL Certificate and Private Key Files


# This options determines client certificate usage.
# Values: 0 = Don’t ask for or require client certificates (default)
# 1 = Ask for client certificates
# 2 = Require client certificates


# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.

# Values: 0x00 (0) = No additional logging (default)
# 0x01 (1) = Log startup SSL/TLS parameters
# 0x02 (2) = Log remote IP address
# 0x04 (4) = Log SSL/TLS version of connections
# 0x08 (8) = Log which cipher is being used for the connection
# 0x10 (16) = Log if client has a certificate
# 0x20 (32) = Log details of client’s certificate if it has one
# -1 or 0xff or 0x2f = All of the above



This is a massive step up from the way it was before, now we need to see if the nrpe plugin (a.k.a check_nrpe ) or the Nagios Core has also been updated to include the directives for the communication to the improved NRPE.