Hello,
I recently upgraded my master node to Debian 10, and now I have a
system-wide config setting the minimum TLS version to 1.2
$ tail -3 /etc/ssl/openssl.cnf
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
$
It is enforced in icinga, and with this setting my (very) old nodes
cannot connect, as they only have openssl 0.9.8, which cannot handle
TLS 1.2.
Setting MinProtocol = TLSv1 in /etc/ssl/openssl.cnf allows them to
connect, but it affects the whole system.
In the Object 'api' of type 'ApiListener', there is a value called
tls_protocolmin:
* tls_protocolmin = "TLSv1"
But it seems it's only enforced if it's more restrictive than the
system setting:
- if I set system to TLSv1 and tls_protocolmin to TLSv1.2, I
cannot connect
- if I set system to TLSv1.2 and tls_protocolmin to TLSv1, I
cannot connect either
- if both are set to TLSv1, I can connect
Is there a way to make it override the system setting? Or any other
configuration option to force icinga to allow more protocols than
system_default_sect defines?
I'm using icinga 2.10.5-1.buster
Thanks,
--
Bastien Durel
DATA
Enterprise data integration,
Decision-support information systems.
[email protected]
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
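
Added example, not part of the original post and not Icinga or OpenSSL code: a small Python check that reads MinProtocol from the system_default_sect section quoted in the post and combines it with tls_protocolmin under the rule the three observations suggest (the stricter floor wins). The function names and that rule are assumptions, and the old nodes are modelled as clients whose newest protocol is TLSv1.

```python
import re

# Protocol names ordered oldest to newest.
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]

def system_min_protocol(cnf_text, section="system_default_sect"):
    """Return MinProtocol from the given openssl.cnf section, or None if unset."""
    current, found = None, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            continue
        if current == section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "MinProtocol":
                found = value  # last assignment in the section wins
    return found

def effective_min(system_min, tls_protocolmin):
    """Assumed rule (from the observations in the post): the stricter floor applies."""
    floors = [v for v in (system_min, tls_protocolmin) if v is not None]
    return max(floors, key=ORDER.index) if floors else ORDER[0]

def can_connect(client_max, system_min, tls_protocolmin):
    """True if a client whose newest protocol is client_max clears the floor."""
    floor = effective_min(system_min, tls_protocolmin)
    return ORDER.index(client_max) >= ORDER.index(floor)

# Constructed sample: the tail of /etc/ssl/openssl.cnf quoted in the post.
SAMPLE_CNF = """\
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

if __name__ == "__main__":
    print("system MinProtocol:", system_min_protocol(SAMPLE_CNF))
    # The three combinations reported in the post, for a TLSv1-only client.
    for sysv, icinga in [("TLSv1", "TLSv1.2"), ("TLSv1.2", "TLSv1"), ("TLSv1", "TLSv1")]:
        print(f"system={sysv} tls_protocolmin={icinga} "
              f"floor={effective_min(sysv, icinga)} "
              f"connects={can_connect('TLSv1', sysv, icinga)}")
```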