Disable weak SSL about oms-agent-for-linux HOT 11 CLOSED

Hello. Thanks for reporting this issue. I'm happy to help out here, but can you clarify what target (and port) you are scanning? Is this the Linux agent?

from oms-agent-for-linux.

Hi,

this is popping up on port 1270, which I believe is this agent.

[centos@hfd-cr-pweb1 ~]$ sudo netstat -tlupn|grep 1270
tcp 0 0 0.0.0.0:1270 0.0.0.0:* LISTEN 1204/omiserver

Thanks,
Eric

from oms-agent-for-linux.

@rubeon That's very strange. I would not expect port 1270 to be exposed unless the Operations Manager client was previously installed on this machine.

If you edit file /etc/opt/omi/conf/omiserver.conf and change HTTPSPORT to 0, then the OMS agent will no longer listen on port 1270. You don't need OMS to be listening for external connections to collect data on the local system (unless you're using the Operations Manager client on the same system).

from oms-agent-for-linux.

Also, if you are using Operations Manager and require TCP port 1270, you can control ciphers and SSLv3 behavior in the omiserver.conf file. NoSSLV3 is a Boolean property to toggle SSLv3 support and sslciphersuite= allows you to specify a standard OpenSSL cipher suite list (like you would for Apache's mod_ssl).

from oms-agent-for-linux.

Looks like this gets installed by the diagnostics extension in Azure. If Azure doesn't need this to be listening on port 1270, it should probably be disabled by default.

Thanks

from oms-agent-for-linux.

The intent, when Azure installs the diagnostic extension, is that it is NOT listening on port 1270.

Thanks for raising this issue, I'll bring it up with the Azure folks.

from oms-agent-for-linux.

I have committed the above fix, although the Azure team has opted to edit omiserver.conf themselves to not expose the port.

This problem should be fixed in an upcoming Azure agent release.

from oms-agent-for-linux.

I want to disable DES and 3DES sslCipherSuite in omiserver for port 1270 but it is not happening. I think, I didn't get proper syntax that used in omiserver.conf. Can anyone help me.
thanks.

from oms-agent-for-linux.

The syntax for sslCipherSuite is identical to what the Apache HTTPD Server uses.

from oms-agent-for-linux.

from oms-agent-for-linux.

Your message isn't clear to me at all, sorry:

1. What is the EXACT line that you've added to omiserver.conf? The format of the line above is not correct.
2. You say that you're trying to disable DES/3DES, and then when you try to test, OMI rejects. Isn't this correct?
3. You say the same issue has been solved for port 443 by changing ssl.conf file. I'm not sure exactly what file you mean, but SSL doesn't drive port 443. Port 443 is an HTTPS port.

Finally, this repository isn't really the proper repository for OMI issues. Please open a new issue (with all questions above clearly addressed) to the OMI repository. That way, all of the OMI developers can chip in. I just happen to monitor the OMS issues, but OMS isn't the project I work on. Thanks for your understanding.

from oms-agent-for-linux.