
Windows agent 2.10.4 -> 2.11.0 RC1 master: no shared cipher #7386

Closed
dnsmichi opened this issue Aug 1, 2019 · 2 comments

Comments

@dnsmichi (Member) commented Aug 1, 2019

Describe the bug

A Windows 2.10.4 agent connecting to a 2.11.0 RC1 master results in "no shared cipher" error messages.

Mitigation

  • openssl s_client -connect :5665 from the master (if reachable)
  • sslscan (on Linux, or as an .exe on Windows) to analyse the preferred cipher suites

[Screenshot: windows_icinga_2_10_4_ciphers_sslscan]

Workaround

The master's cipher preference wins, so it needs to offer AES256-GCM-SHA384.

Edit features-enabled/api.conf and add the cipher_list attribute with the following content from #7368.

object ApiListener "api" {
  cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384"
  ticket_salt = TicketSalt
}

Fixes

Already fixed with #7369 - this adds to the list for patching 2.10.6 as well (and blocks the ECC draft in #7323). @lippserd @bobapple

References

ref/NC/627739
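The negotiation failure described above, as an added example that is not part of the issue or of Icinga 2's own code. It expands the workaround cipher_list through the local OpenSSL (via Python's ssl module, offline, no listener needed), then replays server-preference selection against a constructed model of the 2.10.4 agent's offer. Assumptions, not taken from the page: the list that failed is the same list without the trailing AES256-GCM-SHA384 entry (forward-secrecy suites only), and the agent's ClientHello is modelled as AES256-GCM-SHA384 first with no ECDH or DHE suites at all; the function names expand, negotiate and legacy_agent_compatible are mine.

```python
import ssl

# cipher_list from this issue's workaround (features-enabled/api.conf, from #7368).
WORKAROUND_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "AES256-GCM-SHA384"
)

# Assumption (the page does not show the RC1 default list): the list that
# produced "no shared cipher" is the same one without the trailing
# RSA-key-exchange suite, i.e. forward-secrecy suites only.
PFS_ONLY_CIPHER_LIST = WORKAROUND_CIPHER_LIST.rsplit(":", 1)[0]

# Constructed model of the Windows 2.10.4 agent's ClientHello, not captured
# from a real agent: it prefers AES256-GCM-SHA384 and, as the issue says,
# offers no ECDH suites (and, in this model, no DHE either).
AGENT_OFFER = [
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-SHA256",
    "AES128-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]


def expand(cipher_list):
    """Expand an OpenSSL cipher-list string into ordered suite names.

    Goes through the local OpenSSL, so names it does not know or has disabled
    are dropped the same way the master's OpenSSL would drop them. TLS 1.3
    suites (TLS_*) are always reported by get_ciphers() and are not governed
    by cipher_list, so they are filtered out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing is usable
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def negotiate(server_cipher_list, client_offer):
    """Server-preference selection (the master decides, as the issue says;
    OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE behaviour): walk the server's
    list in order and return the first suite the client also offered.
    None is the "no shared cipher" outcome.
    """
    offered = set(client_offer)
    for name in expand(server_cipher_list):
        if name in offered:
            return name
    return None


def legacy_agent_compatible(server_cipher_list):
    """Does this cipher_list still carry the suite the old agent needs?"""
    return "AES256-GCM-SHA384" in expand(server_cipher_list)


if __name__ == "__main__":
    for label, cl in (("PFS-only", PFS_ONLY_CIPHER_LIST),
                      ("workaround", WORKAROUND_CIPHER_LIST)):
        chosen = negotiate(cl, AGENT_OFFER)
        print(f"{label:10s} -> {chosen or 'no shared cipher'}")
```

To confirm the same thing against a live master instead of a model, restrict the client to the suite the old agent depends on: openssl s_client -connect <master>:5665 -tls1_2 -cipher AES256-GCM-SHA384. A master with the PFS-only list aborts the handshake (the client sees a handshake_failure alert, the master logs "no shared cipher"); with the workaround list the handshake completes and s_client reports that suite. Keep in mind the trade-off the workaround makes: AES256-GCM-SHA384 uses RSA key exchange with no forward secrecy, so it belongs at the end of the list and should go away again once the 2.10 agents are upgraded.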

@dnsmichi dnsmichi added this to the 2.11.0 milestone Aug 1, 2019

@dnsmichi dnsmichi self-assigned this Aug 1, 2019

@dnsmichi (Member Author) commented Aug 1, 2019

This is for tracking only, workarounds and fixes already exist.

@dnsmichi dnsmichi closed this Aug 1, 2019

@dnsmichi dnsmichi referenced this issue Aug 1, 2019
@dnsmichi (Member Author) commented Aug 1, 2019

Versions up to 2.10.5 use OpenSSL 1.0.2n; that explains the missing ECDH cipher suites.
