Support
Scan Agents

Troubleshooting agent issues

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Q: How can I fix the SSL issues in Linux agents?

A: Invicti improved its internal agents by incorporating the specific version of .NET framework they require to run. This development has been in place since the 7th of December 2022 release. After this date, any internal agents contain the necessary .NET framework. 

This means that you no longer need to update .NET on your environment to use Invicti’s internal agents. Nevertheless, it is important to note that you may need to keep track of any changes that Microsoft makes. 

For instance, in .NET 5, Linux now adheres to OpenSSL’s default cipher suite configuration when it is specified in openssl.cnf. (For further information, see Breaking change: Default TLS cipher suites for .NET on Linux – .NET | Microsoft Learn

So, this breaking change means that you need to change the OpenSSL configuration file on your environment. This change is required, as the default OpenSSL does not allow weak ciphers. That restriction prevents Invicti from scanning websites with the weak cipher. 

How to modify the OpenSSL configuration file
  1. Open a terminal.
  2. Enter the following command: sudo vi /etc/ssl/openssl.cnf
  3. Copy the following command and paste it at the beginning of the openssl.cnf file: openssl_conf = default_conf
  1. Scroll down to the end of the file.
  2. Copy and paste the following command:
    [default_conf]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    CipherString = DEFAULT:@SECLEVEL=0
  1. Save and close the file.