Merge pull request #732 from Icinga:feature/improve_api_performance_and_enable_tls13

LordHepipud · web-flow · commit 824b8a231a4c · 2024-05-15T13:47:45.000+02:00
Feature: Adds support to TLS1.3 and improves startup response

Adds support for both, TLS 1.2 and TLS 1.3 while also improving the response of the API for initial startup, by redirecting all calls to thread 0 if not all threads are loaded
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -11,6 +11,8 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 
 [Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/32)
 
+* [#732](https://github.com/Icinga/icinga-powershell-framework/pull/732) Adds support for TLS 1.3 and improves startup response
+
 ## 1.12.3 (2024-04-24)
 
 [Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/35)
diff --git a/lib/daemons/RestAPI/daemon/New-IcingaForWindowsRESTApi.psm1 b/lib/daemons/RestAPI/daemon/New-IcingaForWindowsRESTApi.psm1
@@ -121,9 +121,9 @@ function New-IcingaForWindowsRESTApi()
             Write-IcingaDebugMessage -Message 'Scheduling Icinga for Windows API request' -Objects 'REST-Thread Id', $NextRESTApiThreadId;
 
             if ($Global:Icinga.Public.Daemons.RESTApi.ApiRequests.ContainsKey($NextRESTApiThreadId) -eq $FALSE) {
-                Close-IcingaTCPConnection -Connection $Connection;
-                $Connection = $null;
-                continue;
+                # Ensure we allow API calls to be executed even in case not all threads are loaded
+                # This will increase responsiveness of the API
+                $NextRESTApiThreadId = 0;
             }
 
             $Global:Icinga.Public.Daemons.RESTApi.ApiRequests.$NextRESTApiThreadId.Add($Connection);
diff --git a/lib/webserver/New-IcingaSSLStream.psm1 b/lib/webserver/New-IcingaSSLStream.psm1
@@ -12,8 +12,9 @@ function New-IcingaSSLStream()
     [System.Net.Security.SslStream]$SSLStream = $null;
 
     try {
-        $SSLStream = New-Object System.Net.Security.SslStream($Client.GetStream(), $false);
-        $SSLStream.AuthenticateAsServer($Certificate, $false, [System.Security.Authentication.SslProtocols]::Tls12, $true) | Out-Null;
+        $SSLStream    = New-Object System.Net.Security.SslStream($Client.GetStream(), $false);
+        $TLSProtocols = [System.Security.Authentication.SslProtocols]::Tls12 -bor [System.Security.Authentication.SslProtocols]::Tls13;
+        $SSLStream.AuthenticateAsServer($Certificate, $false, $TLSProtocols, $true) | Out-Null;
     } catch {
         if ($null -ne $SSLStream) {
             $SSLStream.Close();
