Hi
I have also got a scan report flagging outdated TLS versions on port 8000. However, I then researched a little and found out that this port is used by the gunicorn daemon:
```text
[root@localhost ~]# lsof -i:8000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python3 3588937 mon 7u IPv4 12530911 0t0 TCP *:irdmi (LISTEN)
python3 3588941 mon 7u IPv4 12530911 0t0 TCP *:irdmi (LISTEN)
[root@localhost ~]# ps -ef |grep 3588937
mon 3588937 1 0 11:10 ? 00:00:00 python3 /omd/sites/mon/bin/gunicorn -D -p /omd/sites/mon/tmp/run/agent-receiver.pid --error-logfile /omd/sites/mon/var/log/agent-receiver/error.log --access-logfile /omd/sites/mon/var/log/agent-receiver/access.log --keyfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --certfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --ssl-version TLSv1_2 --ca-certs /omd/sites/mon/etc/ssl/ca.pem --cert-reqs 1 -b 0.0.0.0:8000 -k agent_receiver.worker.ClientCertWorker agent_receiver.apps:main_app()
mon 3588941 3588937 0 11:10 ? 00:00:12 python3 /omd/sites/mon/bin/gunicorn -D -p /omd/sites/mon/tmp/run/agent-receiver.pid --error-logfile /omd/sites/mon/var/log/agent-receiver/error.log --access-logfile /omd/sites/mon/var/log/agent-receiver/access.log --keyfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --certfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --ssl-version TLSv1_2 --ca-certs /omd/sites/mon/etc/ssl/ca.pem --cert-reqs 1 -b 0.0.0.0:8000 -k agent_receiver.worker.ClientCertWorker agent_receiver.apps:main_app()
root 3610425 3571345 0 12:26 pts/0 00:00:00 grep --color=auto 3588937
```
Then I found the init process of the agent-receiver:
`/opt/omd/sites/mon/etc/init.d/agent-receiver`
I added the option `--ssl-version TLSv1_2`:
```bash
case "$1" in
    start)
        echo -en "Starting agent-receiver..."
        if kill -0 $PID >/dev/null 2>&1; then
            echo 'Already running.'
            exit 0
        fi
        gunicorn -D -p $PIDFILE \
            --error-logfile $OMD_ROOT/var/log/agent-receiver/error.log \
            --access-logfile $OMD_ROOT/var/log/agent-receiver/access.log \
            --keyfile "$KEY_AND_CERT_FILE" \
            --certfile "$KEY_AND_CERT_FILE" \
            --ssl-version TLSv1_2 \
            --ca-certs "${OMD_ROOT}/etc/ssl/ca.pem" \
            --cert-reqs 1 \
            -b 0.0.0.0:$CONFIG_AGENT_RECEIVER_PORT \
            -k agent_receiver.worker.ClientCertWorker 'agent_receiver.apps:main_app()'
        ;;
esac
```
After that I restarted omd, and the older TLS versions are not available anymore on port 8000.
However, this solution is not OK, since I have changed the Checkmk source code. Does anybody know a better solution?
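As an added example (not part of the post above, nor Checkmk's or gunicorn's own code), a Python check that reads the TLS options off a gunicorn command line like the one in the ps output, and a probe that asks a listener which TLS versions still complete a handshake, so a change like the one described can be verified from outside. The sample command line is constructed from the ps output; `probe_tls_version` makes a live network connection and is only illustrated against a closed port here.

```python
import shlex
import socket
import ssl

# Constructed sample: the agent-receiver command line as it appears in the ps output above.
SAMPLE_CMDLINE = (
    "python3 /omd/sites/mon/bin/gunicorn -D -p /omd/sites/mon/tmp/run/agent-receiver.pid "
    "--keyfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem "
    "--certfile /omd/sites/mon/etc/ssl/agent_receiver_cert.pem --ssl-version TLSv1_2 "
    "--ca-certs /omd/sites/mon/etc/ssl/ca.pem --cert-reqs 1 -b 0.0.0.0:8000 "
    "-k agent_receiver.worker.ClientCertWorker agent_receiver.apps:main_app()"
)


def gunicorn_tls_settings(cmdline: str) -> dict:
    """Pull the TLS-relevant gunicorn options out of a ps-style command line."""
    argv = shlex.split(cmdline)
    opts = {"ssl_version": None, "cert_reqs": None, "ca_certs": None}
    for flag, key in (("--ssl-version", "ssl_version"), ("--cert-reqs", "cert_reqs"),
                      ("--ca-certs", "ca_certs")):
        if flag in argv[:-1]:          # flag present and followed by a value
            opts[key] = argv[argv.index(flag) + 1]
    if opts["cert_reqs"] is not None:  # ssl.CERT_* numbers: 0 none, 1 optional, 2 required
        opts["cert_reqs"] = int(opts["cert_reqs"])
    return opts


def pinned_to_tls12(cmdline: str) -> bool:
    """True when --ssl-version TLSv1_2 is set: gunicorn then builds the listener from
    ssl.PROTOCOL_TLSv1_2, which speaks TLS 1.2 only, so TLS 1.0/1.1 handshakes are refused."""
    return gunicorn_tls_settings(cmdline)["ssl_version"] == "TLSv1_2"


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if host:port completes a handshake at exactly `version`. The server certificate is
    not verified (only protocol acceptance matters). False can also mean the local OpenSSL refuses
    the old version itself; cross-check with `openssl s_client -tls1_1` if in doubt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock) as tls:
            return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False
```

Run `probe_tls_version(host, 8000, v)` for each `v` in `ssl.TLSVersion.TLSv1`, `TLSv1_1`, `TLSv1_2` against the monitoring server after a restart; with the pin in place only the TLS 1.2 probe should return True.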