OCSReports 2.9.2 and XP Agent 2.1.1.1 - SSL Error

Question

Hello, 

TLDR;

OCS Reports version = latest (2.9.2)
Windows Agent for XP version = (2.1.1.1) gives error when SSL and cacert.pem enabled, but working without https/ssl
Latest Windows Agent with newer S.O = (2.9.1.0) working!



More details:

im trying to connect SSL with some XP clients, using Windows agent version 2.1.1.1, since its the last with XP support but having error:

COM SERVER => Sending HTTP Post request to URL <https://my_server_address_that_i_have_edited_for_privacy_reasons/ocsinventory>
WARNING *** COM SERVER => Failed to send HTTP Post request <SSL connect error>
COM SERVER => Cleaning cURL library
ERROR *** AGENT => Failed to send Prolog <SSL connect error>

• Auto generated and signed certificates with cacert.pem inside right folder
• Other operational systems using latest windows agent (2.9.1.0) are working normal with ssl enabled

Here is a full log from agent 2.1.1.1 running with error on a windows xp fresh VM: https://logpaste.com/UX40b9Vl

and here a full log from agent (2.9.1.0) working on a win7x32 fresh VM:
https://logpaste.com/HUtMLtVM
 

any help?

Answer 1

When server and agent use https, they need to use the same level of TLS.

Recent Linux distributions disable TLS 1(.0) and 1.1 for Apache, but what for agent ?

Answer 2

ok

so, for now i mannualy enabled SSLv1 at apache v2.4.41 and Windows Xp agents (v2.1.1.1) are back to work with SSL enabled

add this line to /etc/apache2/sites-avaiable/default-ssl.conf

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          CDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=1

reffer: https://serverfault.com/questions/824821/how-to-enable-tls-1-1-and-tls-1-0-on-apache

Answer 3

Is it safe to have such option?

if i will have SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3 as recommended by security reason, it can work somehow? or i need to have security hole to be able to connect Windows 2003?

Answer 4

For security reasons, you want only TLS 1.2. Ok

Why you want continue to use, at the same time, some hosts with Windows 2003 ?

The problem is very simple : old systems use old agents which use old TLS levels. (And newest agents don't run on old OS.)

(I don't know which version of agents start to use TLS 1.2, but it's upper than 2.1.1.1, the last version for XP and maybe 2003. Easily you cant find the link https://github.com/OCSInventory-NG/OCSInventory-Server/issues/30, so agents after A=2016-M=09-D=05 use TLS 1.2 ...)

Answer 5

@jacquesh Sometimes you cant get rid of win2003 for any reasons, but you accept the risk only for some systems. If you enable lower TLS then 1.2 in OCS can affect all your environment. I would like to know if there is any possibility to avoid it. One of it is also enabling HTTP beside HTTPS, but maybe somebody also tried SNMP? or other solution?

Answer 6

Due your need (keep W2003 hosts), you need to keep agents with old levels of TLS.

But you can configure Apache with more than one url using 'VirtualHost', and if Apache is 2.4.42 or upper with SSLProtocols differents = different level of TLS.

So you can have an url for old agents with TLS1, and another url for new agents with TLS 1.2. (Agent settings means differents 'Server' settings !)

For downloading OCS packages, agents will use https for 'info' file and http for 'fragments' files. (Also when you create a package, you have only the choice of HTTP !). So I'm not sure, it's possible to have only HTTPS.

Therefore when you use https, you need certificate, and you have to consider how renew the certificate and also deploy new certificate : IMHO I prefer SSL=0 ...

Answer 7

Thanks for those information. Will check that option