[Pkg-nagios-devel] Bug#950167: Bug#950167: icinga2-bin - Racy timeout in API: No data received on new API connection

Jerome Charaoui jerome at riseup.net
Sat Mar 27 19:50:34 GMT 2021

Le 2021-03-27 à 15 h 34, Sebastiaan Couwenberg a écrit :
>> Would it be possible to publish a backport to buster to fix this?
> With the release of bullseye on the horizon, that's probably not worth
> the effort.

Yeah, I understand. At the same time this problem arises in the default 
configuration since buster defaults to TLSv1.3, and probably affects 
several users of the package.

But if it's a lot of work to push a backport then yeah I guess it might 
not be worth it.

In any case, I think I found an improvement to the workaround suggested 

1) Copy /etc/ssl/openssl.cnf to /etc/icinga2/openssl.cnf
2) Add "MaxProtocol = TLSv1.2" under "[system_default_sect]"
3) Add "OPENSSL_CONF=/etc/icinga2/openssl.cnf" to /etc/defaults/icinga2
4) Restart the Icinga2 service

What this does is configure the OpenSSL library use only TLSv1.2, but 
only for Icinga2 and not all system services.

As soon as I implemented this on the master, all problematic clients 
reconnected immediately.

If this holds up then I'm satisfied to wait for the release of bullseye 
to upgrade to 2.12, otherwise I'll report back here.

Thanks for your work on this package, much appreciated!

-- Jerome

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-nagios-devel/attachments/20210327/62710a7a/attachment.sig>

More information about the Pkg-nagios-devel mailing list