9.99 and older OS (10.8)

seann
Contributor

Hello

We upgraded our JSS from 9.96 to 9.99 the other day. Now our Mountain Lion machines stopped checking in. The error we receive is "An SSL error has occurred and a secure connection to the server cannot be made." syslog confirms this same error. However the cert looks OK when using a browser, and SSL Certificate Validation is not turned on in Settings.

We suspect the problem may be with tomcat and the ciphers used (judging from server.xml and its backup)

Attempting to re-enroll with an updated quickadd fails but this may be expected due to deprecations.

I tried searching but found zip. Anyone seen this before?

14 REPLIES 14

ImAMacGuy
Valued Contributor II

it appears mine are not either.

cbrewer
Valued Contributor II

Don't have many left, but the few 10.8's we have appear to be checking in fine. I can see that they upgraded their binary to 9.99.0-t1494340586+LEG.

dgreening
Valued Contributor II

We don't have many left either, but they are checking in just fine.

ImAMacGuy
Valued Contributor II

I think mine broke from a different jamf upgrade, my jamf binary file was 0 bytes.

removed /usr/local/jamf and then reloaded the 9.99 quick add and it started working again.

seann
Contributor

Our binaries never upgraded at all. It seems like all the 10.8 machines lost communication due to the SSL error after upgrading to 9.99.

FWIW we're running RHEL 6.8.

Sandy
Valued Contributor II

Might want to take a peek at this article:
https://www.jamf.com/jamf-nation/articles/222/preventing-the-jamf-binary-from-updating
Which now has this info at the top of the window:
Important: This process is only applicable to the JSS v9.73 or earlier. As of the JSS v9.8, policies will no longer run on a computer that has an older version of the jamf binary installed. The JSS will only run policies on a computer if the version of the jamf binary is the same version as the JSS. If you followed the workflow highlighted in this article to prevent the jamf binary from updating on a computer and you plan to upgrade the JSS to v9.8 or later, you will need to manually remove the do_not_upgrade_jamf preference to re-enable policies on that computer.

duncan_wright
New Contributor II

I have, but you know that already. The issue lies with TLS 1.0 and 10.8 and earlier clients.

With TLS 1 disabled in /usr/local/jss/tomcat/conf/server.xml, the 10.8 and older systems cannot establish a secure ssl connection. With TLS 1.0 enabled, they can.

What's really odd about this is that I'm 99.9% certain we had disabled TLS 1.0 a year ago, and we disabled all the remaining 64-bit ciphers in April, in response to the SWEET32 birthday attack vulnerabilities. Through all of that, the pre-10.9 systems were still able to connect. After the 9.99.0 upgrade that seems to have changed. Tomcat was upgraded to 8.0.43 as part of the 9.99.0 upgrade.

It's very possible I'm crazy, and I hadn't disabled TLS 1.0 previously, or that I changed the configuration but never restarted tomcat. That seems super unlikely, since I'm sure we've restarted tomcat on the JSS a dozen times in the last year.

This puts us in a the position of either needing a solution to allow 10.8 and earlier systems to communicate with the JSS over TLS 1.1 or 1.2 or a very short timeline for EOLing all the older systems.

duncan_wright
New Contributor II

NB: the issue we are experiencing is not a binary-specific issue. The binary is unable to establish a secure SSL connection to the JSS without TLS 1.0 enabled. Attempting to enroll one of these systems with a 9.99.0 QuickAdd results in a failure as well, and the log indicates the same issue: SSL connection cannot be established.

seann
Contributor

@Sandy Thanks but that isn't the root cause. We get the message "An SSL error has occurred and a secure connection to the server cannot be made." (The do_not_upgrade flag was a cause of some problems about a year ago with a prior upgrade, despite us not setting it.)

rcorbin
Contributor II

Just looked through a few of our 10.8 machines and many seem to be checking in and have upgraded to 9.99.0-t1494340586+LEG.
I do have a number that are not checking in but I think those were lost during a different upgrade.

bentoms
Release Candidate Programs Tester

It's possible that the TLS1 ciphers were in use before due to JDS & that is why 10.8 works for some & not others (see this)

seann
Contributor

@bentoms Thanks. FWIW, we disabled TLS1 a while back but everything was working, even older OSes. The 9.99 upgrade is when we had the problems, but re-enabling TLS1 yesterday allowed the 10.8 machines to communicate and upgrade the binary. So, work in progress, as I don't want to keep TLS1 enabled, and need to eliminate these 10.8 machines...

bentoms
Release Candidate Programs Tester

@seann ah cool.. just a thought :)

seann
Contributor

Support confirmed that TLS1 is needed for 10.8 machines. Not sure why they were working prior to the 9.99 update with TLS1.0 turned off, but that's the official word.