In Opsview version 6.6.6 and above, you can enable TLS 1.2 and disable older TLS versions by editing the agent configuration file on the host running the agent.
Prerequisites
- None
Process
- Log in to the host running the agent.
- Open the
/opt/opsview/agent/etc/nrpe.cfgfile in your preferred text editor. - Change the
protocols=...line to:
protocols=TLSv1_2:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1This enables TLS 1.2 and disables SSL 2, SSL 3, TLS 1 and TLS 1.1. 4. Restart the opsview-agent service:
systemctl restart opsview-agentWindows agent
Only TLS 1.2 is enabled by default in the latest versions of the Windows agent.
---
Infrastructure agent
You can do the same on the infrastructure-agent by adding the argument NO_TLSv1_2 line in agent.yml this will currently block TLS 1.2 and leaving TLS 1.3 only, therefore only allowing TLS 1.3, the same can be done with older protocols.
vim /opt/itrs/infrastructure-agent/cfg/custom/agent.yml
nmap --script ssl-enum-ciphers -p 5666 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2025-10-20 12:52 UTC
Nmap scan report for ops.opsview (127.0.0.1)
Host is up (0.000079s latency).
PORT STATE SERVICE
5666/tcp open nrpe
| ssl-enum-ciphers:
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Make sure you restart the infrastructure agent service after you make changed to it config yaml file
Comments
0 comments
Please sign in to leave a comment.