Bug#950167: [Pkg-nagios-devel] Bug#950167: icinga2-bin - Racy timeout in API: No data received on new API connection

2021-03-27 Thread Jerome Charaoui

On 2021-03-27 at 15:34, Sebastiaan Couwenberg wrote:

>> Would it be possible to publish a backport to buster to fix this?
>
> With the release of bullseye on the horizon, that's probably not worth
> the effort.


Yeah, I understand. At the same time this problem arises in the default 
configuration since buster defaults to TLSv1.3, and probably affects 
several users of the package.


But if it's a lot of work to push a backport then yeah I guess it might 
not be worth it.


In any case, I think I found an improvement to the workaround suggested 
earlier.


1) Copy /etc/ssl/openssl.cnf to /etc/icinga2/openssl.cnf
2) Add "MaxProtocol = TLSv1.2" under "[system_default_sect]"
3) Add "OPENSSL_CONF=/etc/icinga2/openssl.cnf" to /etc/defaults/icinga2
4) Restart the Icinga2 service

What this does is configure the OpenSSL library to use only TLSv1.2, but 
only for Icinga2 and not all system services.


As soon as I implemented this on the master, all problematic clients 
reconnected immediately.


If this holds up then I'm satisfied to wait for the release of bullseye 
to upgrade to 2.12, otherwise I'll report back here.


Thanks for your work on this package, much appreciated!

-- Jerome
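
Steps 1 and 2 of the workaround above, as an added shell example that is not part of the original message: it writes the per-service copy with exactly one `MaxProtocol` line inside `[system_default_sect]`, and fails instead of producing a file where the setting would have no effect. The function names and the sample configuration are constructed for illustration.

```shell
# Added example (not from the thread); function names are hypothetical.
# Constructed sample resembling an openssl.cnf with a [system_default_sect].
sample_conf() {
cat <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
[other_sect]
MaxProtocol = unrelated
EOF
}

# Print the MaxProtocol value set inside [system_default_sect] of FILE, if any.
effective_max_protocol() {
    awk '
        /^[ \t]*\[/ { in_sect = ($0 ~ /^[ \t]*\[[ \t]*system_default_sect[ \t]*\]/); next }
        in_sect && /^[ \t]*MaxProtocol[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print }
    ' "$1"
}

# pin_max_protocol SRC DST [PROTO]: copy SRC to DST with exactly one
# "MaxProtocol = PROTO" line in [system_default_sect]; other sections untouched.
pin_max_protocol() {
    src=$1; dst=$2; proto=${3:-TLSv1.2}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    awk -v proto="$proto" '
        /^[ \t]*\[/ {
            in_sect = ($0 ~ /^[ \t]*\[[ \t]*system_default_sect[ \t]*\]/)
            print
            if (in_sect) print "MaxProtocol = " proto
            next
        }
        in_sect && /^[ \t]*MaxProtocol[ \t]*=/ { next }  # drop a stale value
        { print }
    ' "$src" > "$dst.tmp" || return 1
    # If the section is absent the setting would silently do nothing: fail.
    if [ "$(effective_max_protocol "$dst.tmp")" != "$proto" ]; then
        rm -f "$dst.tmp"; echo "no [system_default_sect] in $src" >&2; return 2
    fi
    mv "$dst.tmp" "$dst"
}

# Stand-alone use: sh <this file> SRC DST [PROTO]
if [ "$#" -ge 2 ]; then pin_max_protocol "$@"; fi
```

The copy only takes effect once the service environment points `OPENSSL_CONF` at it and the service is restarted, as in steps 3 and 4.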






2021-03-27 Thread Sebastiaan Couwenberg
On 3/27/21 8:22 PM, Jerome Charaoui wrote:
> I also have this problem on a medium icinga2 installation, about 50
> hosts and 1 master. Every day almost, clients are intermittently losing
> the connection to the master, it's very annoying and seriously affecting
> the usability of this package on buster.
> 
> Disabling TLS 1.3 system-wide is not a workaround that we can deploy. I
> don't think anyone should be doing that, either...
> 
> Would it be possible to publish a backport to buster to fix this?

With the release of bullseye on the horizon, that's probably not worth
the effort.

Why not rebuild the 2.12.3 package for buster yourself?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1




2020-01-29 Thread Sebastiaan Couwenberg
Control: tags -1 moreinfo

On 1/29/20 7:34 PM, Bastian Blank wrote:
> I haven't tested anything newer yet.

The network stack was rewritten in 2.11, it may fix your issue.

You could try rebuilding 2.11.2 for buster.

Can you provide the steps to reproduce the issue?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1