Modify ciphers for icinga2 api

We have come across a vulnerability where our servers do not offer SSL/TLS cipher suites that support forward secrecy (FS). We need to configure a cipher suite that is ECDHE-based for the API connections which endpoints make with the master server on port 5665.

Please let me know if any more details are required.

  • Version used (r2.10.4-1)
  • Operating System and version: CentOS Linux release 7.8.2003 (Core)
  • Enabled features (api checker command compatlog debuglog ido-mysql livestatus mainlog notification statusdata)
  • Icinga Web 2 Version: 2.8.3
  • Icinga Web 2 Modules: doc, monitoring
  • Config validation:
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 972 Services.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 LivestatusListener.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 IcingaApplication.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 55 Hosts.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 EventCommand.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 2 FileLoggers.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 785 Dependencies.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 4 NotificationCommands.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1027 Notifications.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 NotificationComponent.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 233 HostGroups.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 ApiListener.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 3 Comments.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 CheckerComponent.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 9 Zones.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 StatusDataWriter.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 ExternalCommandListener.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 12 Endpoints.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 ApiUser.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 CompatLogger.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 3 Users.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 277 CheckCommands.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 1 UserGroup.
    [2022-09-14 15:52:50 +0000] information/ConfigItem: Instantiated 2 TimePeriods.
    [2022-09-14 15:52:50 +0000] information/ScriptGlobal: Dumping variables to file ‘/var/cache/icinga2/icinga2.vars’
    [2022-09-14 15:52:50 +0000] information/cli: Finished validating the configuration file(s).

The ApiListener has a cipher_list attribute.

You can use this to limit ciphers on each Icinga agent / master node.
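One way to check a `cipher_list` value before deploying it, as an added example that is not part of the original posts or of Icinga's own code: the script reads the attribute from an ApiListener object and lists any suites it enables that lack forward secrecy. The sample config, the suite selection and the function names are assumptions made for illustration, and Python's bundled OpenSSL stands in for the OpenSSL build that Icinga 2 links against.

```python
import re
import ssl

# Constructed sample of an api.conf feature file (not taken from the thread).
SAMPLE_API_CONF = '''
object ApiListener "api" {
  accept_config = true
  accept_commands = true
  cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
}
'''

# Key-exchange labels OpenSSL reports for ephemeral exchanges. "kx-any" is how
# TLS 1.3 suites appear; TLS 1.3 always uses an ephemeral (EC)DHE exchange.
# Any other label is reported, which errs on the side of flagging.
FS_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def extract_cipher_list(conf_text):
    """Return the cipher_list string from an ApiListener object, or None."""
    m = re.search(r'^\s*cipher_list\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    return m.group(1) if m else None


def expand(cipher_string):
    """Expand an OpenSSL cipher string into concrete suites (local OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def non_fs_suites(cipher_string):
    """Names of enabled suites whose key exchange is not forward secret."""
    return [c["name"] for c in expand(cipher_string)
            if c.get("kea") not in FS_KEA]


def audit(conf_text):
    """Return (cipher_list, offending suite names) for a config text."""
    ciphers = extract_cipher_list(conf_text)
    if ciphers is None:
        return None, []  # attribute not set: the built-in default applies
    return ciphers, non_fs_suites(ciphers)


if __name__ == "__main__":
    ciphers, bad = audit(SAMPLE_API_CONF)
    print("cipher_list:", ciphers)
    print("suites without forward secrecy:", bad or "none")
```

The attribute has to be set on every node, and the master and its endpoints must still share at least one suite after the change, otherwise connections on port 5665 will fail to negotiate.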