Project

General

Profile

Actions

Bug #16716

closed

5.0.15 and lower agents can not update when managed by a 6.0+ server or relay

Added by Félix DALLIDET almost 5 years ago. Updated over 4 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Reviewed
Fix check:
To do
Regression:

Description

When trying to update a node I got the following error:

root@bob:~# rudder agent update
   error: Failed to establish TLS connection: (-1 SSL_ERROR_SSL) tlsv1 alert protocol version 
   error: No suitable server found
R: *********************************************************************************
* rudder-agent could not get an updated configuration from the policy server.   *
* This can be caused by:                                                        *
*   * an agent key that has been changed                                        *
*   * if this node is not accepted or deleted node on the Rudder root server    *
*   * if this node has changed policy server without sending a new inventory    *
* Any existing configuration policy will continue to be applied without change. *
*********************************************************************************
error: Rudder agent promises could not be updated.

This comes from a bad TLS version settings in the cf-agent. It seems to be well configured on the agent but when
capturing a TLS handshake there is a mismatch between the TLS version used.
For some reasons the TLS version is set to 1.0 when the config force 1.2.

It may be related to https://github.com/cfengine/core/pull/3684/files.
Upgrading to 5.0.16+ which brings a more recent version of cfengine fix the problem and force correctly the TLS version to 1.2+.

Actions #1

Updated by Alexis Mousset almost 5 years ago

  • Target version changed from 5.0.16 to 5.0.17
Actions #2

Updated by Alexis Mousset almost 5 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #3

Updated by Alexis Mousset almost 5 years ago

  • Status changed from In progress to New
  • Assignee deleted (Alexis Mousset)
  • Target version changed from 5.0.17 to 6.0.4
Actions #4

Updated by Alexis Mousset almost 5 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #5

Updated by Alexis Mousset almost 5 years ago

  • Assignee changed from Alexis Mousset to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1584
Actions #6

Updated by Alexis Mousset almost 5 years ago

  • Status changed from In progress to Pending release
Actions #7

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.4 to 6.0.3
Actions #8

Updated by Alexis Mousset over 4 years ago

  • Name check changed from To do to Reviewed
Actions #9

Updated by Vincent MEMBRÉ over 4 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.0.3 which was released today.

Actions

Also available in: Atom PDF