Quote from: Staj on November 26, 2020, 12:55:42 PM
Can you explain how https://github.com/openssl/openssl/issues/12859 affects nxagentd and the downgrade to TLS 1.1?
If certificate has exportable private key then agent will get the private key and use standard OpenSSL mechanisms instead of CNG engine for session authentication. In that case TLS 1.3 will be used if server supports it. If private key cannot be exported then agent will switch to TLS 1.1 and use CNG engine for authentication.
Quote from: Staj on November 26, 2020, 12:55:42 PM
Looking at the code, it will find a Certificate in the SYSTEM Personal Certificate based on matching Friendly Name, Email, Subject, Template, Common Name, Org or Device Serial (in that order)? How does one specify what the agent should consider a match?
EDIT:
Tunnel::createFromConfig and ParseTunnelList seems to have the answer:QuoteRecord format is address[:port][,certificate[,password]]Records meaning the configured MasterServers, ControlServers and Servers. So I guess an example would be:Code SelectMasterServers = 10.0.0.1,ADCSTemplNetXMS
Assuming ADCSTemplNetXMS was the name of a Certificate Template (Eg: Certificate issued by ADCS)?
Not exactly. Tunnel connections configured using ServerConnection parameters, so it will be
Code Select
ServerConnection = 10.0.0.1, certificate_matching_string
Certificate matching string consists of selector and value separated by :. Possible selectors are:
name - certificate's friendly name (display name) in store
email - EMail portion of certificate DN
subject - certificate's subject
template - template OID (not template name!)
cn - CN part of certificate's DN
org - ORG part of certificate's DN
deviceSerial - device serial number
so for example for certificate with friendly name "NetXMS Server" it will be
Code Select
ServerConnection = 10.0.0.1, name:NetXMS Server
If you are interested, relevant code is in file src/agent/core/cng_engine.cpp, function MatchWindowsStoreCertificate.
Best regards,
Victor