On 2021-03-27 at 15:34, Sebastiaan Couwenberg wrote:
>> Would it be possible to publish a backport to buster to fix this?
> With the release of bullseye on the horizon, that's probably not worth the effort.
Yeah, I understand. At the same time this problem arises in the default configuration since buster defaults to TLSv1.3, and probably affects several users of the package.
But if it's a lot of work to push a backport then yeah I guess it might not be worth it.
In any case, I think I found an improvement to the workaround suggested earlier.
1) Copy /etc/ssl/openssl.cnf to /etc/icinga2/openssl.cnf
2) Add "MaxProtocol = TLSv1.2" under "[system_default_sect]"
3) Add "OPENSSL_CONF=/etc/icinga2/openssl.cnf" to /etc/defaults/icinga2
4) Restart the Icinga2 service

What this does is configure the OpenSSL library to use only TLSv1.2, but only for Icinga2 and not all system services.
As soon as I implemented this on the master, all problematic clients reconnected immediately.
If this holds up then I'm satisfied to wait for the release of bullseye to upgrade to 2.12, otherwise I'll report back here.
Thanks for your work on this package, much appreciated!

-- Jerome
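Steps 1 and 2 of the workaround above, as an added shell example that is not part of the original mail: it emits a service-private copy of an openssl.cnf with MaxProtocol set under [system_default_sect], and fails if that section is missing, because the cap would then never be read. The function names and the sample config are constructed for illustration, and the demo writes only to a temporary directory.

```shell
# Helper names are illustrative (added example, not from the original mail).
# Print $1 with "MaxProtocol = $2" set under [system_default_sect].
# Exits non-zero if the section is absent, since the cap would then be ignored.
restrict_max_protocol() {
    awk -v proto="${2:-TLSv1.2}" '
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            in_sect = (name == "system_default_sect")
            print
            if (in_sect) { print "MaxProtocol = " proto; found = 1 }
            next
        }
        # Drop any older MaxProtocol in the section so exactly one remains.
        in_sect && /^[ \t]*MaxProtocol[ \t]*=/ { next }
        { print }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print every MaxProtocol value that appears in [system_default_sect] of $1.
effective_max_protocol() {
    awk '
        /^[ \t]*\[/ { in_sect = ($0 ~ /^[ \t]*\[[ \t]*system_default_sect[ \t]*\]/); next }
        in_sect && /^[ \t]*MaxProtocol[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }
    ' "$1"
}

# Constructed sample modelled on a Debian-style openssl.cnf tail.
make_sample() {
    cat <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
CipherString = DEFAULT@SECLEVEL=2
EOF
}

tmp=$(mktemp -d)
make_sample > "$tmp/openssl.cnf"
restrict_max_protocol "$tmp/openssl.cnf" > "$tmp/icinga2-openssl.cnf"
effective_max_protocol "$tmp/icinga2-openssl.cnf"
rm -rf "$tmp"
```

Running `effective_max_protocol` against the generated file before restarting the service confirms that exactly one cap is present in the section OpenSSL reads.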