Windows agents no longer communicate with server

In order to address vulnerabilities found by Nessus, I had to update the /etc/httpd/conf.d/ssl.conf file. The changes I made are as follows:

From : SSLProtocol all -SSLv2

To : SSLProtocol all -SSLv2 -SSLv3 -TLSv1 +TLSv1.2

From: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

To: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4

Now none of my Windows agents are able to communicate with the server.

The log on the agent indicates the following:

ERROR *** AGENT => Failed to send Prolog <SSL connect error>

Is there something in the ocsinventory configuration that I have to change in order to correct this, or do I have to revert the ssl.conf changes and accept the vulnerability risk?
in OCS Inventory NG server for Unix by (180 points)

2 Answers

0 votes
Hi,

Agents communicate with the server over HTTPS. Which kind of certificates have you built? Self-signed or certified? I would suggest you regenerate a certificate.

Regards
by (90.2k points)
0 votes

That is an interesting thought, but certificates are not dependent on protocols. Not to mention that the self-signed certificates are present on both Linux and Windows devices. The Linux machines do not have a problem communicating with OCS, only the Windows machines do, so we can probably eliminate that.

Further testing has narrowed down the issue a little. When I edit the SSLProtocol line on the server and make it SSLProtocol all -SSLv2 -SSLv3, the Windows devices communicate again. That leads me to believe that the Windows agents are using TLSv1 to communicate with the server. Is there a setting that can be updated to make it use TLSv1.2? Really don't want to keep TLSv1 active considering the vulnerabilities associated with doing so.

Also, before anyone mentions this thread, https://github.com/OCSInventory-NG/OCSInventory-Server/issues/30, I would like to accomplish this without updating the agents if possible.

by (180 points)
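
Added example, not part of the original thread and not OCS Inventory or Apache code: a simplified model of how mod_ssl evaluates the SSLProtocol tokens quoted in the question, showing which protocols each variant leaves enabled and why a client capped at TLSv1 has nothing in common with the new setting. The expansion of `all`, the two client version sets and all function names are assumptions made for illustration.

```python
# Simplified model of mod_ssl's SSLProtocol token handling (added example).
# ASSUMPTION: "all" expands to SSLv3..TLSv1.2 here; the real set depends on the
# Apache/OpenSSL build. The client version sets below are constructed.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def effective_protocols(directive_args):
    """Return the set of protocols left enabled by an SSLProtocol argument string."""
    enabled = set()
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[1:] if action else token
        if name.lower() == "all":
            selected = set(ALL)
        else:
            match = [p for p in ORDER if p.lower() == name.lower()]
            if not match:
                raise ValueError(f"unknown protocol token: {token!r}")
            selected = set(match)
        if action == "-":
            enabled -= selected      # "-X" removes X from the running set
        elif action == "+":
            enabled |= selected      # "+X" adds X to the running set
        else:
            enabled = selected       # a bare token replaces what came before
    return enabled


def negotiate(server_enabled, client_supported):
    """Highest version both sides support, or None (the handshake fails)."""
    common = [p for p in ORDER if p in server_enabled and p in client_supported]
    return common[-1] if common else None


# Directive arguments quoted in the thread.
BEFORE = "all -SSLv2"
AFTER = "all -SSLv2 -SSLv3 -TLSv1 +TLSv1.2"
WORKAROUND = "all -SSLv2 -SSLv3"

# Constructed clients: one capped at TLSv1 (the poster's hypothesis for the
# Windows agent) and one that can negotiate TLSv1.2.
LEGACY_CLIENT = {"SSLv3", "TLSv1"}
MODERN_CLIENT = {"TLSv1", "TLSv1.1", "TLSv1.2"}

if __name__ == "__main__":
    for label, args in (("before", BEFORE), ("after", AFTER), ("workaround", WORKAROUND)):
        enabled = effective_protocols(args)
        print(label, sorted(enabled, key=ORDER.index),
              negotiate(enabled, LEGACY_CLIENT), negotiate(enabled, MODERN_CLIENT))
```

Under this model the hardened line still leaves TLSv1.1 enabled alongside TLSv1.2, and the trailing `+TLSv1.2` adds nothing that `all` had not already enabled.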