Werk #17101: Use OpenSSL's default cipher suites for TLS
| Component | Checks & agents | ||||
| Title | Use OpenSSL's default cipher suites for TLS | ||||
| Date | Jun 12, 2025 | ||||
| Level | Trivial Change | ||||
| Class | Bug Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
In Checkmk 2.4.0, Python and urllib3 were upgraded, which made TLS connections more restrictive. In some configurations, special agents could no longer connect to older hosts with legacy TLS configurations.
We now configure Python to use OpenSSL’s default cipher suites, which is less restrictive.
If you still encounter TLS connection failures, the problem might be that OpenSSL refuses to connect to very old configurations. We published a blog post with the release of Checkmk 2.3.0 that can still provide valuable insight here: https://checkmk.com/blog/how-monitor-servers-broken-tls-checkmk.
In addition to that, the following commands may help you debug the issue:
- use nmap to see what cipher suites and TLS versions your monitored host accepts:
nmap --script +ssl-enum-ciphers -p PORT HOST - try to connect directly to the host with the site's OpenSSL:
./version/bin/openssl s_client -connect HOST:PORT - if this fails, allow OpenSSL to use insecure configurations:
./version/bin/openssl s_client -connect HOST:PORT -cipher 'ALL:@SECLEVEL=0'(if that succeeds, refer to the blog post linked above) - finally, you can check what configurations Checkmk / Python will accept when connecting to a host with:
python -c 'import pprint, ssl; pprint.pprint(["{}: {}".format(c["protocol"], c["name"]) for c in ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).get_ciphers()])'