Nagvis livestatus backend TLS version mismatch

Hi,
If I select a remote backend_id in the create object menu, I get the following error message:
Failed to get objects: Unable to connect to the in backend : stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version stream_socket_client(): Failed to enable crypto stream_socket_client(): unable to connect to tls://slavehost:6559 (Unknown error)

I made a Wireshark trace and found out that NagVis tries a connection with TLS1 instead of TLS1.2, which is configured as default in checkmk livestatus.

Installed versions:
check_mk raw 1.6.0p19
Red Hat Enterprise Linux Server 7.8 (Maipo)
php.x86_64 5.4.16-48.el7 (standard on RHEL7)

Any help is appreciated

Kind regards,
Norbert

Hi,

We have also experienced this issue when we recently deployed some Nagvis Maps on our CMK servers.
After searching for a solution on the Web for some time, the work-around was for us to re-enable
TLS 1 support in the CheckMK stunnel server.conf on the slave nodes.

eg: vim $OMD_ROOT/etc/stunnel/server.conf

We commented out the original sslVersion line
#sslVersion = TLSv1.2

And added the following to permit only TLS v1 and TLS v1.2 (or later).

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1.1
sslVersion = all

Then we ran ‘omd restart’ on the slave instances to restart stunnel with the new settings.

Admittedly, this is not ideal, but until a fix is provided we seem to have no other choice.

For the record, we have seen this behaviour regarding Nagvis on separate Distributed CMK environments, running the following releases.

Checkmk-raw 2.0.0b4 (testing) and Checkmk-raw 1.6.0p19
OS: CentOS 7
PHP Ver: 5.4.16
OpenSSL Ver: OpenSSL 1.0.2k-fips
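
The effect of the workaround above on the accepted protocol versions, as an added example that is not part of the original post and is not Checkmk or stunnel code: a simplified Python model of how `sslVersion` and `options = NO_*` combine, usable to flag a server.conf that still accepts TLS 1.0. Assumptions: the file is read flat (section headers ignored), the last `sslVersion` wins, an unset `sslVersion` behaves like `all`, and TLS 1.3 is absent (OpenSSL 1.0.2k, as listed above); the function names and sample strings are constructed for illustration.

```python
# Added example: simplified model of how stunnel's sslVersion and
# "options = NO_*" lines combine (pre-OpenSSL-1.1.0 behaviour assumed).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed samples mirroring the two config states described in the thread.
ORIGINAL_CONF = """\
sslVersion = TLSv1.2
"""
WORKAROUND_CONF = """\
#sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1.1
sslVersion = all
"""


def enabled_protocols(conf_text, default_version="all"):
    """Return the protocol versions the config leaves enabled, oldest first."""
    version = default_version  # assumption: unset sslVersion behaves like "all"
    disabled = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments, section headers and non key=value lines.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "sslversion":
            version = value  # assumption: the last assignment wins
        elif key == "options" and value.upper().startswith("NO_"):
            disabled.add(value[3:].lower())
    if version.lower() == "all":
        candidates = PROTOCOLS
    else:
        candidates = [p for p in PROTOCOLS if p.lower() == version.lower()]
    return [p for p in candidates if p.lower() not in disabled]


def audit(conf_text):
    """Return the enabled protocols that are deprecated (empty list = OK)."""
    return [p for p in enabled_protocols(conf_text) if p in DEPRECATED]


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("workaround", WORKAROUND_CONF)):
        print(name, "enabled:", enabled_protocols(conf), "deprecated:", audit(conf))
```

Run against `$OMD_ROOT/etc/stunnel/server.conf` on each slave site, a non-empty `audit()` result marks the sites where the TLS 1.0 workaround is still in place.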

The problem is solved. Many thanks for the workaround!
