RHEL6: IcingaWeb2 (v2.7.1) via API to Icinga2 (v2.11) => SSL Error / no shared cipher #7501
Comments
Hi, can you run sslscan against the API and extract which cipher suite is required to properly connect on el6? For el7 clients, Cheers,
Hi, This is the result of the scan:
Hmm, so if I get this right, sslscan is telling me we have a working cipher (AES256-GCM-SHA384), but still, it isn't working.
phpinfo() tells me the following for the curl module:
So I guess we are searching the wrong library. Looks like curl is using NSS and not OpenSSL.
In terms of support, the master server components should be running on the latest el7 distribution, to avoid possible shortcomings with years old software like this problem. https://icinga.com/subscription/support-details/ In terms of the problem itself - the API itself works fine, and we're back with curl/NSS bugs. Tests in Docker
sslscan
openssl
curl
https://stackoverflow.com/questions/21887315/curl-ssl-connect-error-35-with-nss-error-5961/22135607
https://bugzilla.redhat.com/show_bug.cgi?id=1185708
PHP and cURL on RHEL 6
https://bugzilla.redhat.com/show_bug.cgi?id=1289205
Conclusion
To me, it seems that curl, NSS and PHP on RHEL6 don't support TLSv1.2 natively. This brings me back to an old thread I've found while raising the TLS limits. https://bugzilla.redhat.com/show_bug.cgi?id=1153814
=> https://bugzilla.redhat.com/show_bug.cgi?id=994599 and this lovely thing. https://serverfault.com/questions/703436/ssl-handshake-with-centos-curl-and-ecdhe I have tried some other cipher suites, but none of them worked.
Oh! Thanks for this Support-Matrix. Didn't know that :-)
Don't think it's a TLSv1.2 issue. I tried with "AES256-SHA256" (just a lucky shot) and it was working. Best would be to find a way making a sslscan with NSS. I have to search around a bit.
So those are the ones I was able to identify working with curl and TLSv1.2.
Icinga2=EL6 & Curl=EL6
Icinga2=EL7 & Curl=EL6
What happens if you configure the api.conf file to use
?
https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
works for me. Question is if that also solves the problem with PHP curl and your web interface.
Both ways are working just fine as long as
Okidoki, that's what I've thought. Thanks for keeping up here, I'll modify this for 2.11 once more.
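The thread above comes down to an api.conf cipher_list that no longer overlaps with what the RHEL6 curl/NSS client offers. The following is an added example, not code from this issue or from the Icinga project: it feeds a candidate cipher_list through the local OpenSSL cipher-string parser (via Python's ssl module) and checks whether a legacy TLS 1.2 client still has a shared suite. The legacy client list and the two policy strings are constructed for illustration; AES256-SHA256 is the suite the thread reports as working for RHEL6 curl, the rest is not the real NSS list, and neither string is Icinga's actual default. The expansion reflects the OpenSSL build Python is linked against, so run it on a host with the same OpenSSL as the Icinga2 master for an exact answer.

```python
"""
Check whether a server-side OpenSSL cipher_list still leaves a legacy
client something to negotiate, before rolling it out.  Added example; not
code from the Icinga project.  The expansion uses the OpenSSL build that
Python is linked against.
"""
import ssl


def expand_cipher_list(spec, protocol="TLSv1.2"):
    """Expand an OpenSSL cipher string (e.g. an api.conf cipher_list) into
    the ordered list of suite names it selects for the given protocol.
    Returns [] when the string selects nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL rejects a cipher string that matches no suite.
        return []
    # get_ciphers() also reports TLS 1.3 suites, which set_ciphers() does not
    # control; keep only the protocol a TLS 1.2-only client can speak.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == protocol]


def negotiate(server_spec, client_suites):
    """Simulate the handshake outcome with server-preference ordering: the
    first suite in the server's expanded list that the client also offers
    wins.  None corresponds to the 'no shared cipher' alert in icinga2.log."""
    offered = set(client_suites)
    for name in expand_cipher_list(server_spec):
        if name in offered:
            return name
    return None


# Constructed approximation of what an old TLS 1.2-only client offers.  In the
# thread, AES256-SHA256 is the suite that worked for RHEL6 curl/NSS; the other
# entries are illustrative, not the real NSS default list.
LEGACY_CLIENT = ["AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA"]

# Constructed server-side policies for comparison (not Icinga defaults): a
# forward-secrecy-only list that drops RSA key exchange (kRSA), and a
# backward-compatible one that keeps it.
STRICT_SPEC = "HIGH:!aNULL:!kRSA"
COMPAT_SPEC = "HIGH:!aNULL"


def check_policy(server_spec, client_suites=LEGACY_CLIENT):
    """Return (negotiated suite or None, number of TLS 1.2 suites the spec offers)."""
    return negotiate(server_spec, client_suites), len(expand_cipher_list(server_spec))


if __name__ == "__main__":
    for label, spec in (("strict", STRICT_SPEC), ("compat", COMPAT_SPEC)):
        chosen, count = check_policy(spec)
        outcome = chosen or "no shared cipher"
        print(f"{label:6} cipher_list={spec!r}: {count} TLS1.2 suites, legacy client -> {outcome}")
```

The point of the comparison is that a cipher_list can look generous (dozens of suites) and still exclude every suite a client without ECDHE/DHE support can offer; with `!kRSA` in place the simulated legacy client gets exactly the "no shared cipher" result seen in the log, while the compatible list negotiates AES256-SHA256, matching what the thread found with curl.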
Describe the bug
Since updating Icinga2 to v2.11.0.rc1.143.g358d951-0.20190913.1724, IcingaWeb2 isn't able to connect to it using the API.
-- icinga2.log --
[2019-09-16 08:19:29 +0200] critical/ApiListener: Client TLS handshake failed (from [1.2.3.4]:50470): no shared cipher
-- curl --
To Reproduce
Just configure Monitoring Module to use API or use curl, e.g. like this:
curl -v -k -u user:pass 'https://1.2.3.4:5665/v1/status/IcingaApplication?pretty=1'
Expected behavior
Connect to API without issues
Your Environment
Additional context
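To see how often the handshake failure quoted in the log excerpt occurs and from which peers, here is an added example that is not part of the issue: it parses icinga2.log lines of the shape shown above and summarises failures per client address and reason, so a client whose TLS stack cannot match the cipher_list stands out. The first sample line is the one from the report; the other sample lines are constructed to exercise the filter.

```python
"""
Summarise TLS handshake failures from icinga2.log by peer and reason.
Added example; the line format follows the excerpt in this issue, and the
sample lines other than the quoted one are constructed.
"""
import re
from collections import Counter, defaultdict

# Shape of the line from the report:
# [2019-09-16 08:19:29 +0200] critical/ApiListener: Client TLS handshake failed (from [1.2.3.4]:50470): no shared cipher
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] critical/ApiListener: Client TLS handshake failed "
    r"\(from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)\): (?P<reason>.+)$"
)

# Constructed sample log: two failures from the legacy client, one unrelated
# line, and one failure with a different reason from another peer.
SAMPLE_LOG = """\
[2019-09-16 08:19:29 +0200] critical/ApiListener: Client TLS handshake failed (from [1.2.3.4]:50470): no shared cipher
[2019-09-16 08:19:31 +0200] information/ApiListener: constructed unrelated line from [10.0.0.9]:41012
[2019-09-16 08:19:35 +0200] critical/ApiListener: Client TLS handshake failed (from [1.2.3.4]:50472): no shared cipher
[2019-09-16 08:20:02 +0200] critical/ApiListener: Client TLS handshake failed (from [10.0.0.7]:60001): wrong version number
"""


def parse_handshake_failures(lines):
    """Yield (timestamp, ip, port, reason) for every handshake-failure line;
    lines that do not match the pattern are ignored."""
    for line in lines:
        m = HANDSHAKE_RE.match(line.rstrip("\n"))
        if m:
            yield m["ts"], m["ip"], int(m["port"]), m["reason"]


def summarize(lines):
    """Return {ip: {reason: count}}.  A run of 'no shared cipher' from one
    address points at a client whose TLS stack cannot match the server's
    cipher_list, as with RHEL6 curl/NSS in this issue."""
    summary = defaultdict(Counter)
    for _ts, ip, _port, reason in parse_handshake_failures(lines):
        summary[ip][reason] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    for ip, reasons in summarize(SAMPLE_LOG.splitlines()).items():
        for reason, count in reasons.items():
            print(f"{ip:15} {count:3}  {reason}")
```

Point the functions at a real file with `summarize(open("/var/log/icinga2/icinga2.log"))` (path is the distribution default, adjust as needed); the regex is anchored to the exact message text, so a change in Icinga's log wording would require updating it.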