[CROWDSTRIKE] TLS Negotiation issues on Alpine 3.17 (OpenSSL 3.0) UNSAFE_LEGACY_RENEGOTIATION_DISABLED #1118

Closed
MaxwellDPS opened this issue Apr 28, 2023 · 1 comment
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)

@MaxwellDPS

Description

Alpine 3.17 causes an intermittent UNSAFE_LEGACY_RENEGOTIATION_DISABLED

See dotnet/dotnet-docker#4332 (comment)

Environment

  1. OS (where OpenCTI server runs): CentOS Stream 9
  2. OpenCTI version: 5.7.2
  3. OpenCTI client: Python (Connector SCOPE)
  4. Other environment details: Kubernetes deployment

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Run the CS connector on CentOS Stream 9 w/ containerd and Alpine 3.17
  2. Sadness

Expected Output

Correct TLS negotiation

Actual Output

```
{"timestamp": "2023-04-28T19:48:26.834518Z", "level": "ERROR", "name": "pycti.connector", "message": "CrowdStrike connector internal error: HTTPSConnectionPool(host='api.crowdstrike.com', port=443): Max retries exceeded with url: /intel/combined/reports/v1(Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)')))"}
```

Additional information

This should fix it

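```dockerfile
# Add an ssl_conf section to /etc/ssl/openssl.cnf whose system default
# sets Options = UnsafeLegacyRenegotiation.
RUN sed -i 's/providers = provider_sect/providers = provider_sect\n\
ssl_conf = ssl_sect\n\
\n\
[ssl_sect]\n\
system_default = system_default_sect\n\
\n\
[system_default_sect]\n\
Options = UnsafeLegacyRenegotiation/' /etc/ssl/openssl.cnf
```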

Screenshots (optional)

@MaxwellDPS

May also be worth the lift to migrate to the official client -> https://github.com/CrowdStrike/falconpy

@SamuelHassine SamuelHassine added this to the Release 5.11.0 milestone Aug 26, 2023
@SamuelHassine SamuelHassine added the feature use for describing a new feature to develop label Aug 26, 2023
@Jipegien Jipegien modified the milestones: Release 5.13.0, Short-term candidates Nov 7, 2023
@Jipegien Jipegien removed this from the Short-term candidates milestone Apr 23, 2024
@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Jul 31, 2024
@SamuelHassine SamuelHassine added this to the Release 6.2.9 milestone Jul 31, 2024
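
The `sed` change proposed in the issue sets `Options = UnsafeLegacyRenegotiation` in the `system_default` section, so it applies to every program in the image that loads that `openssl.cnf`, not only the connector. The following check is an added example (not code from the issue or from the OpenCTI project) that reports whether a given `openssl.cnf` enables the option system-wide; the function names and sample text are constructed here, and it assumes a simple file without `.include` directives, variable expansion, or `#` inside values.

```python
import re

# Constructed sample: an openssl.cnf after the sed command from the issue.
SAMPLE_PATCHED = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
"""

def parse_cnf(text):
    """Parse config text into {section: {key: value}}; '' is the default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_options(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return the Options set."""
    cfg = parse_cnf(text)
    section = cfg[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        section = cfg.get(section, {}).get(key)
    options = cfg.get(section, {}).get("Options", "")
    return {opt.strip() for opt in options.split(",") if opt.strip()}

def allows_unsafe_legacy_renegotiation(text):
    """True if the system-wide default turns UnsafeLegacyRenegotiation on."""
    # A leading '-' disables an option, so only bare or '+' entries count.
    enabled = {o.lstrip("+").lower() for o in system_default_options(text)}
    return "unsafelegacyrenegotiation" in enabled
```

Run against `/etc/ssl/openssl.cnf` in a built image, this can be used in CI to flag images that carry the workaround.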