mickem / nscp

NSClient++
http://nsclient.org
GNU General Public License v2.0

Deployment of configuration files over TLSv1.2-only webserver not working #737

Open daooze opened 3 years ago

daooze commented 3 years ago

Issue and Steps to Reproduce

We are running a simple webserver to have a central repository for different configuration files, scripts and tools used by nscp. Distribution over http works like a charm but we are now required to secure the connections. This involves switching from http to https and also the hardening of the TLS protocol. nscp seems to only support TLSv1.0 (maybe SSL2/3, not checked) and a bunch of deprecated ciphers. Our webservers are only allowed to support TLSv1.2 and above with ECDH-based ciphers.

Please update NSCP to use this modern protocol and ciphers for downloading its configuration files from a webserver.

Expected Behavior

NSCP should be able to download configuration files and attachments from a webserver that supports TLSv1.2 and above.

Actual Behavior

SSL handshake fails.

Details

Additional Details

none

Edit: Typo

mickem commented 3 years ago

Sounds reasonable.

daooze commented 8 months ago

Just saw today in your latest nightly build that you have switched to OpenSSL 1.1.1q. Will you fix this current issue in the near future? Maybe make the whole "config-files-from-webserver" configurable with the ciphers and protocol versions one needs?

mickem commented 8 months ago

I have currently upgraded all raw libs and there are a lot of new features in this area so I would expect updates here as well. But there are a lot of other things as well so I would not expect anything in the next few weeks, but hopefully before the end of the year...