Windows agents no longer communicate with server

Question

In order to address vulnerabilities found by Nessus, I had to update the /etc/httpd/conf.d/ssl.conf file.  The changes I made are as follows

From : SSLProtocol all -SSLv2

To : SSLProtocol all -SSLv2 -SSLv3 -TLSv1 +TLSv1.2

From: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

To: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4

Now none of my Windows agents are able to communicate with the server.

The log on the agent indicates the following:

ERROR *** AGENT => Failed to send Prolog <SSL connect error>

Is there something in the ocsinventory configuration that I have to change in order to correct this, or do I have to revert the ssl.conf changes and accept the vulnerability risk?

Answer 1

Hi,

Agents communicate with the server on https. Which kind of certificates have you build? Self-signed or certified? I may suggest you to regenerate a certificate.

Regards

Answer 2

That it an interesting thought, but certificates are not dependent on protocols.  Not to mention that the self-signed certificates are present on both Linux and Windows devices.  The Linux machines do not have a problem communicating with OCS only the Windows machines do, so we can probably eliminate that.

Further testing has narrowed down the issue a little.  When I edit the SSLProtocol line on the server and make it SSLProtocol all -SSLv2 -SSLv3, the windows device communicate again.  That leads me to believe that the windows agents are using TLSv1 to communicate with the server.  Is there a setting that can be updated to make it use TLSv1.2?  Really don't want to keep TLSv1 active considering the vulnerabilities associated with doing so.

Also before anyone mentions this thread https://github.com/OCSInventory-NG/OCSInventory-Server/issues/30 I would like to accomplish this without updating the agents if possible.