Project

General

Profile

Actions

Bug #16716

closed

5.0.15 and lower agents can not update when managed by a 6.0+ server or relay

Added by Félix DALLIDET almost 5 years ago. Updated over 4 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Reviewed
Fix check:
To do
Regression:

Description

When trying to update a node I got the following error:

root@bob:~# rudder agent update
   error: Failed to establish TLS connection: (-1 SSL_ERROR_SSL) tlsv1 alert protocol version 
   error: No suitable server found
R: *********************************************************************************
* rudder-agent could not get an updated configuration from the policy server.   *
* This can be caused by:                                                        *
*   * an agent key that has been changed                                        *
*   * if this node is not accepted or deleted node on the Rudder root server    *
*   * if this node has changed policy server without sending a new inventory    *
* Any existing configuration policy will continue to be applied without change. *
*********************************************************************************
error: Rudder agent promises could not be updated.

This comes from a bad TLS version settings in the cf-agent. It seems to be well configured on the agent but when
capturing a TLS handshake there is a mismatch between the TLS version used.
For some reasons the TLS version is set to 1.0 when the config force 1.2.

It may be related to https://github.com/cfengine/core/pull/3684/files.
Upgrading to 5.0.16+ which brings a more recent version of cfengine fix the problem and force correctly the TLS version to 1.2+.

Actions

Also available in: Atom PDF