I am attempting to monitor a Windows 10 host with CMA. The packet capture shows that the agent attempts to establish an encrypted connection using TLS 1.0 but is rejected during the handshake by the poller.

How can I change the protocol used by the CMA to TLS 1.2?

My config is as follows:

Host to be monitored :

  • OS: Windows 10
  • Agent version : 24.10.0
  • Configuration :
    • Poller endpoint : 192.168.122.64
    • Poller-initiated connection : NO
    • Encryption : YES
    • Trusted CA’s certificate file : ADDED
  • IP : 192.168.122.124
  • Enabled SSL protocols : TLSv1.2

Poller (Central used as poller) :

  • OS: Almalinux 9
  • Centreon version : 24.10.3
  • IP : 192.168.122.64
  • Enabled SSL protocols : TLSv1.1, TLSv1.2, TLSv1.3

Extract from CMA log file :

[2025-03-18 16:30:06.847] [centreon-monitoring-agent] [info] [main_win.cc:169] centreon-monitoring-agent start

[2025-03-18 16:30:06.848] [centreon-monitoring-agent] [debug] [grpc_client.cc:51] client this=0x829eea7080 activate compression deflate

[2025-03-18 16:30:06.848] [centreon-monitoring-agent] [info] [grpc_client.cc:67] encrypted connection to 192.168.122.64:4317 cert: ..., key: ..., ca: -----BEGIN...

[2025-03-18 16:30:06.877] [centreon-monitoring-agent] [info] [scheduler.cc:160] schedule 0 checks to execute in 1s

[2025-03-18 16:30:06.877] [centreon-monitoring-agent] [debug] [bireactor.cc:51] create client this=0x829ef37610 peer:192.168.122.64:4317

[2025-03-18 16:30:06.981] [centreon-monitoring-agent] [error] [bireactor.cc:99] 0x829ef37610 client peer:192.168.122.64:4317 fail read from stream

[2025-03-18 16:30:06.981] [centreon-monitoring-agent] [error] [bireactor.cc:146] 0x829ef37610 client peer 192.168.122.64:4317 fail write to stream

[2025-03-18 16:30:06.981] [centreon-monitoring-agent] [debug] [bireactor.cc:196] 0x829ef37610 client::shutdown

 

Failed handshake

 

TLS 1.2 configured on Windows 10 VM

 

Observation :

I understand it may be possible to install the necessary openssl stack on the Poller so TLSv1.0 is supported; however for the use-case at hand, TLSv1.0 is not a viable option. Thus the need to make TLSv1.2 work.

Additional info; I omitted one important bit of the CMA logs :

[2025-03-19 17:52:48.424] [centreon-monitoring-agent] [error] [bireactor.cc:187] 0x71e3b63a0 peer:192.168.122.64:4317 client::OnDone(failed to connect to all addresses; last error: UNKNOWN: ipv4:192.168.122.64:4317: Ssl handshake failed: SSL_ERROR_SSL: error:0A00010B:SSL routines::wrong version number) 
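An added example, not part of the original post and not Centreon code: a ClientHello carries a record-layer version that is separate from the versions the client actually offers, and RFC 8446 permits 0x0301 in the record layer of an initial ClientHello, so the captured handshake can be checked field by field. The sample bytes are constructed and the function names are hypothetical.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Constructed sample (not taken from the capture in the post): one ClientHello record.
SAMPLE = bytes.fromhex(
    "16 03 01 00 36"          # record header: handshake, version 0x0301, length 54
    "01 00 00 32"             # handshake header: ClientHello, length 50
    "03 03" + "00" * 32 +     # client_version 0x0303, 32-byte random (zeroed)
    "00"                      # empty session_id
    "00 02 c0 2f"             # one cipher suite
    "01 00"                   # null compression
    "00 07 00 2b 00 03 02 03 03"  # extensions: supported_versions = [0x0303]
)

def client_hello_versions(data: bytes) -> dict:
    """Return the three version fields carried by one ClientHello record."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", data, 0)
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    end = 5 + rec_len
    if len(data) < end:
        raise ValueError("truncated record")
    pos = 9                                            # record (5) + handshake header (4)
    hello_ver = struct.unpack_from("!H", data, pos)[0]
    pos += 2 + 32                                      # client_version + random
    pos += 1 + data[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
    pos += 1 + data[pos]                               # compression_methods
    offered = []
    if pos < end:                                      # extensions block is optional
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            body = data[pos + 4 : pos + 4 + elen]
            if etype == 0x002B:                        # supported_versions
                offered = [struct.unpack_from("!H", body, i)[0]
                           for i in range(1, 1 + body[0], 2)]
            pos += 4 + elen
    return {"record": rec_ver, "client_hello": hello_ver, "supported_versions": offered}

def highest_offered(fields: dict) -> str:
    """Name the highest version offered, preferring supported_versions when present."""
    candidates = fields["supported_versions"] or [fields["client_hello"]]
    return NAMES.get(max(candidates), "unknown")

if __name__ == "__main__":
    f = client_hello_versions(SAMPLE)
    print("record layer:", NAMES[f["record"]], "| highest offered:", highest_offered(f))
```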