Windows agent 2.10.4 -> 2.11.0 RC1 master: no shared cipher #7386

Closed
dnsmichi opened this issue Aug 1, 2019 · 2 comments

dnsmichi commented Aug 1, 2019

Describe the bug

Windows 2.10.4 Agent connects against 2.11.0 RC1 master resulting in no shared cipher error messages.

Mitigation

  • openssl s_client -connect :5665 from the master (if reachable)
  • sslscan on Linux or as exe on Windows to analyse the preferred cipher suite

[Image: windows_icinga_2 10 4_ciphers_sslscan]

Workaround

The master prefers the cipher suite and needs to offer AES256-GCM-SHA384.

Edit features-enabled/api.conf and add the cipher_list attribute with the following content from #7368.

object ApiListener "api" {

  cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384"

  ticket_salt = TicketSalt
}

Fixes

Already fixed with #7369 - this adds to the list for patching 2.10.6 as well (and blocks the ECC draft in #7323). @lippserd @bobapple

References

ref/NC/627739

@dnsmichi dnsmichi added bug Something isn't working area/distributed Distributed monitoring (master, satellites, clients) ref/NC labels Aug 1, 2019
@dnsmichi dnsmichi added this to the 2.11.0 milestone Aug 1, 2019
@dnsmichi dnsmichi self-assigned this Aug 1, 2019

dnsmichi commented Aug 1, 2019

This is for tracking only, workarounds and fixes already exist.

@dnsmichi dnsmichi closed this as completed Aug 1, 2019

dnsmichi commented Aug 1, 2019

Versions until 2.10.5 use OpenSSL 1.0.2n, which explains the missing ECDH cipher suites.
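The mismatch and the workaround from this issue, modelled as an added example (not Icinga code and not part of the original comments): it parses `cipher_list` from an `ApiListener` block and applies server-preference selection against an agent's offered suites. The agent offer and the "without workaround" list are constructed assumptions, since the sslscan output and the RC1 default list are not reproduced on this page.

```python
import re

# cipher_list from the workaround in this issue (features-enabled/api.conf).
WORKAROUND = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384"
)
# Constructed stand-in for a master without the workaround: the same list
# minus its last entry. The real 2.11.0 RC1 default is not shown on the page.
WITHOUT = WORKAROUND.rsplit(":", 1)[0]
# Constructed agent offer (assumption): suites without ECDHE/DHE key exchange.
AGENT_OFFER = ["AES256-GCM-SHA384", "AES256-SHA256", "AES128-GCM-SHA256"]
CONF = 'object ApiListener "api" {\n  cipher_list = "%s"\n  ticket_salt = TicketSalt\n}\n'

FS_PREFIXES = ("ECDHE-", "DHE-")  # OpenSSL names with ephemeral key exchange


def parse_cipher_list(conf_text):
    """Ordered suites from an uncommented cipher_list attribute, or [] if unset."""
    m = re.search(r'^\s*cipher_list\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    return [c for c in m.group(1).split(":") if c] if m else []


def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((c for c in server_pref if c in offered), None)


def audit(conf_text, client_offer):
    """Report the negotiated suite and which enabled suites lack forward secrecy."""
    server = parse_cipher_list(conf_text)
    chosen = negotiate(server, client_offer)
    return {
        "chosen": chosen,  # None corresponds to "no shared cipher"
        "forward_secret": chosen is not None and chosen.startswith(FS_PREFIXES),
        "no_fs_enabled": [c for c in server if not c.startswith(FS_PREFIXES)],
    }


if __name__ == "__main__":
    print("without workaround:", audit(CONF % WITHOUT, AGENT_OFFER))
    print("with workaround:   ", audit(CONF % WORKAROUND, AGENT_OFFER))
```

The `no_fs_enabled` entry shows that the one suite the workaround adds, AES256-GCM-SHA384, uses static RSA key exchange without forward secrecy, so it is worth revisiting the list once all agents run a build that offers ECDHE suites.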
