Disable TLS 1.0/1.0 for Port 8000 Agent Receiver

Hi

I also got a scan report flagging outdated TLS versions on port 8000. However, I then researched a little bit and found out that this port is used by the gunicorn daemon:

[root@localhost ~]# lsof -i:8000
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
python3 3588937 mon    7u  IPv4 12530911      0t0  TCP *:irdmi (LISTEN)
python3 3588941 mon    7u  IPv4 12530911      0t0  TCP *:irdmi (LISTEN)
[root@localhost ~]# ps -ef |grep 3588937
mon   3588937       1  0 11:10 ?        00:00:00 python3 /omd/sites/mon/bin/gunicorn -D -p /omd/sites/mon/tmp/run/agent-receiver.pid --error-logfile /omd/sites/mon/var/log/agent-receiver/error.log --access-logfile /omd/sites/mon/var/log/agent-receiver/access.log --keyfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --certfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --ssl-version TLSv1_2 --ca-certs /omd/sites/mon/etc/ssl/ca.pem --cert-reqs 1 -b 0.0.0.0:8000 -k agent_receiver.worker.ClientCertWorker agent_receiver.apps:main_app()
mon   3588941 3588937  0 11:10 ?        00:00:12 python3 /omd/sites/mon/bin/gunicorn -D -p /omd/sites/mon/tmp/run/agent-receiver.pid --error-logfile /omd/sites/mon/var/log/agent-receiver/error.log --access-logfile /omd/sites/mon/var/log/agent-receiver/access.log --keyfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --certfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --ssl-version TLSv1_2 --ca-certs /omd/sites/mon/etc/ssl/ca.pem --cert-reqs 1 -b 0.0.0.0:8000 -k agent_receiver.worker.ClientCertWorker agent_receiver.apps:main_app()
root     3610425 3571345  0 12:26 pts/0    00:00:00 grep --color=auto 3588937

Then I found the init process of the agent-receiver:
/opt/omd/sites/mon/etc/init.d/agent-receiver

I added the option "--ssl-version TLSv1_2":

case "$1" in

    start)
        echo -en "Starting agent-receiver..."
        if kill -0 $PID >/dev/null 2>&1; then
            echo 'Already running.'
            exit 0
        fi

        gunicorn -D -p $PIDFILE  \
                --error-logfile $OMD_ROOT/var/log/agent-receiver/error.log \
                --access-logfile $OMD_ROOT/var/log/agent-receiver/access.log \
                --keyfile "$KEY_AND_CERT_FILE" \
                --certfile "$KEY_AND_CERT_FILE" \
                --ssl-version TLSv1_2 \
                --ca-certs "${OMD_ROOT}/etc/ssl/ca.pem" \
                --cert-reqs 1 \
                -b 0.0.0.0:$CONFIG_AGENT_RECEIVER_PORT \
                -k agent_receiver.worker.ClientCertWorker 'agent_receiver.apps:main_app()'

After that I restarted omd, and the older TLS versions are no longer available on port 8000.

However, this solution is not OK, since I have changed the checkmk source code. Does anybody know a better solution?

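To check the result from the outside the way the scanner did, here is an added example (not from the post or from Checkmk) that pins one handshake per TLS version against a host and port given on the command line and reports which versions the listener accepts. It assumes the receiver still runs with --cert-reqs 1 (CERT_OPTIONAL), so the handshake completes without a client certificate; the `@SECLEVEL=0` cipher string only lets a modern OpenSSL client offer TLS 1.0/1.1 at all.

```python
import socket
import ssl
import sys

# One handshake per version; with gunicorn --ssl-version TLSv1_2 only TLS 1.2 should succeed.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLS 1.0", "TLS 1.1"}

def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the local OpenSSL will not offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the site CA is irrelevant here; only the protocol matters
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let a modern OpenSSL client offer TLS 1.0/1.1 at all
    except ssl.SSLError:
        pass  # cipher string not understood (e.g. LibreSSL); keep the defaults
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:
        return None  # this OpenSSL build refuses to speak that version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # handshake done on connect; no client cert needed with CERT_OPTIONAL
    except OSError:  # ssl.SSLError (protocol alert), refused connection, timeout
        return False

def summarize(results):
    """Turn {version name: probe result} into the one-line verdict a scan report would give."""
    accepted = sorted(name for name, ok in results.items() if ok)
    legacy = [name for name in accepted if name in LEGACY]
    if legacy:
        return "FAIL: legacy protocol(s) still offered: " + ", ".join(legacy)
    if not accepted:
        return "ERROR: no handshake succeeded; check host/port or whether a client cert is required"
    return "OK: only " + ", ".join(accepted) + " accepted"

if __name__ == "__main__":  # usage: python3 tls_probe.py localhost 8000
    host, port = sys.argv[1], int(sys.argv[2])
    outcome = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
    for name, ok in outcome.items():
        print(f"{name}: {'accepted' if ok else 'rejected' if ok is False else 'not offered by client'}")
    print(summarize(outcome))
```

Run it against the site host before and after the init script change; the agent receiver's own access log will not show refused handshakes, so this is the quickest confirmation that TLS 1.0/1.1 are gone.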