Disable specific weak cipher for port 5665

Hey, everyone. Recent Nessus scans against our Icinga2 host are showing a weak cipher on 5665. Thus far, we have been unable to get the system to disable this cipher. Was hoping the hive mind could help out here.

OS: RHEL 8.8
Icinga ver. 2.9.5
PHP ver. 7.2.24
Weak cipher: ECDHE-RSA-AES128-SHA256

We currently have /etc/icinga2/features-enabled/api.conf configured with the following:

cipher_list = "TLS13_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384"

Any help with disabling the weak cipher listed above would be greatly appreciated. TIA

  1. The result of the Nessus scan would be helpful.
  2. You need to add this to the agents as well.
  3. Don’t forget to restart icinga2.
  4. Your Icinga version is super old.

Hello @xion824!

At best upgrade straight to 2.14, we’ve hardened the defaults recently.

Best,
A/K

I was able to disable the cipher by adding it to the cipher_list line with “-” in front of it. For some reason this didn’t register previously, but this time it did.

Unable to do so due to developer specific requirements.
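
For anyone verifying a change like the one in this thread: the following is an added example, not code from any poster or from the Icinga project. It expands an OpenSSL cipher string locally to show how the "-" and "!" prefixes treat the flagged suite, and can probe a listener on 5665 for that one suite. It assumes Icinga 2 hands cipher_list to OpenSSL unchanged; the hostname in the last comment is a placeholder.

```python
import socket
import ssl

WEAK = "ECDHE-RSA-AES128-SHA256"   # suite flagged by the scan in this thread
# cipher_list as posted in the thread (entries OpenSSL does not know are skipped)
PAGE_LIST = ("TLS13_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
             "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
             "DHE-RSA-AES256-GCM-SHA384")

def expand(cipher_list):
    """TLS 1.2-and-below suites that OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)        # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (TLS_*) are configured separately, so leave them out.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]

def server_accepts(host, suite, port=5665, timeout=5.0):
    """True if the listener completes a TLS 1.2 handshake offering only `suite`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only the negotiation is tested here,
    ctx.verify_mode = ssl.CERT_NONE     # not the certificate chain
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(suite)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.cipher()[0] == suite
    except (ssl.SSLError, ConnectionResetError):
        return False                    # handshake refused: suite not accepted

if __name__ == "__main__":
    base = "ECDHE+AES"                  # constructed list that includes WEAK
    rules = [
        PAGE_LIST,
        base,
        base + ":-" + WEAK,             # removed from the list
        base + ":-" + WEAK + ":AES128", # "-" can be undone by a later entry
        base + ":!" + WEAK + ":AES128", # "!" cannot
    ]
    for rule in rules:
        print(f"weak enabled={WEAK in expand(rule)!s:5}  {rule[:70]}")
    # After restarting icinga2, against a real listener (placeholder host):
    # print(server_accepts("icinga.example.org", WEAK))
```

A "-" entry only holds if nothing later in the string re-adds the suite; "!" removes it for the rest of the string.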