[Pkg-nagios-devel] Bug#950167: Bug#950167: icinga2-bin - Racy timeout in API: No data received on new API connection
Jerome Charaoui
jerome at riseup.net
Sat Mar 27 19:50:34 GMT 2021
On 2021-03-27 at 15:34, Sebastiaan Couwenberg wrote:
>> Would it be possible to publish a backport to buster to fix this?
>
> With the release of bullseye on the horizon, that's probably not worth
> the effort.
Yeah, I understand. At the same time this problem arises in the default
configuration since buster defaults to TLSv1.3, and probably affects
several users of the package.
But if it's a lot of work to push a backport then yeah I guess it might
not be worth it.
In any case, I think I found an improvement to the workaround suggested
earlier.
1) Copy /etc/ssl/openssl.cnf to /etc/icinga2/openssl.cnf
2) Add "MaxProtocol = TLSv1.2" under "[system_default_sect]"
3) Add "OPENSSL_CONF=/etc/icinga2/openssl.cnf" to /etc/defaults/icinga2
4) Restart the Icinga2 service
What this does is configure the OpenSSL library to use only TLSv1.2, but
only for Icinga2 and not all system services.
As soon as I implemented this on the master, all problematic clients
reconnected immediately.
If this holds up then I'm satisfied to wait for the release of bullseye
to upgrade to 2.12, otherwise I'll report back here.
Thanks for your work on this package, much appreciated!
-- Jerome
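
Steps 1 and 2 of the workaround above as a repeatable shell function, added here as an illustration and not part of the original message. The names pin_max_protocol and sample_cnf are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Constructed sample resembling the relevant part of an openssl.cnf.
sample_cnf() {
cat <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# pin_max_protocol SRC DST [PROTO]
# Write DST as a copy of SRC with "MaxProtocol = PROTO" in [system_default_sect].
# Returns 2 on I/O problems, 3 if the section is missing (DST is then untouched).
pin_max_protocol() {
    src=$1 dst=$2 proto=${3:-TLSv1.2}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    tmp=$(mktemp "${dst}.XXXXXX") || return 2
    if ! awk -v proto="$proto" '
        # Section header: track whether we are entering [system_default_sect].
        /^[ \t]*\[/ {
            insect = ($0 ~ /^[ \t]*\[[ \t]*system_default_sect[ \t]*\]/)
            print
            if (insect) { print "MaxProtocol = " proto; found = 1 }
            next
        }
        # Drop an existing MaxProtocol in that section so only the new value remains.
        insect && /^[ \t]*MaxProtocol[ \t]*=/ { next }
        { print }
        END { exit (found ? 0 : 3) }
    ' "$src" > "$tmp"; then
        rm -f "$tmp"
        echo "no [system_default_sect] in $src; nothing written" >&2
        return 3
    fi
    chmod 644 "$tmp" && mv "$tmp" "$dst"
}
```

Called as pin_max_protocol /etc/ssl/openssl.cnf /etc/icinga2/openssl.cnf, it produces the file that OPENSSL_CONF points to in step 3. Re-running it after a system openssl.cnf update keeps the private copy in sync without duplicating the MaxProtocol line.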