Werk #19431: Windows agent controller: Fix registration against TLS 1.3-only servers
| Component | Checks & agents | ||||||
| Title | Windows agent controller: Fix registration against TLS 1.3-only servers | ||||||
| Date | Apr 22, 2026 | ||||||
| Level | Trivial Change | ||||||
| Class | Bug Fix | ||||||
| Compatibility | Compatible - no manual interaction needed | ||||||
| Checkmk versions & editions |
|
Previously, the Windows Checkmk agent controller (cmk-agent-ctl.exe) failed to
register against Checkmk servers that only accept TLS 1.3. The initial call to
the server's REST API — used to discover the agent receiver port — aborted with
an error like:
error trying to connect: ... (os error -2146893054)
(SEC_E_UNSUPPORTED_FUNCTION, returned by Windows SChannel.)
This has been fixed. The agent controller can now register against TLS 1.3-only servers on Windows.
Workaround for older versions
If you cannot update the agent controller, you can bypass the failing port
discovery step by specifying the agent receiver port directly in the --server
argument of register, e.g.:
cmk-agent-ctl.exe register --server <server>:8000 --site <site> ...
The subsequent calls to the agent receiver use a different TLS backend and are not affected by the issue.
Technical background
The port discovery call and the subsequent communication with the agent receiver use different TLS backends. On Windows, the backend used for port discovery did not enable TLS 1.3 in its SChannel configuration, so the handshake with a TLS 1.3-only server failed before any cipher could be negotiated.
The issue has been fixed by updating the responsible Rust dependency to its latest version. Linux builds of the agent controller are unaffected.