  1. ZABBIX BUGS AND ISSUES
  2. ZBX-11101

CA certificate with empty Subject & Issuer makes Zabbix server fail

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.4
    • Fix Version/s: 3.0.8rc1, 3.2.4rc1, 3.4.0alpha1
    • Component/s: Proxy (P), Server (S)
    • Environment:
      Debian Jessie, zabbix-server-mysql with configure option --with-openssl

      Description

      While testing Zabbix Server TLS support, I noticed strange logs when connecting to it:

      zabbix_server [32180]: ERROR [file:proxy.c,line:2039] Something impossible has just happened.

      Items are well received, Zabbix server always answers success, but all items are trashed:

      {'info': 'processed: 0; failed: 1; total: 1; seconds spent: 0.000117', 'response': 'success'}

      With DebugLevel >=4 it's even worse. Connection is interrupted without any answer from Zabbix server. Here are the Zabbix Server logs:

      32438:20160816:134050.267 log level has been increased to 4 (debug)
      32438:20160816:134050.268 __zbx_zbx_setproctitle() title:'trapper #1 [processed data in 0.000000 sec, waiting for connection]'
      32438:20160816:134054.865 In zbx_tls_accept()
      32438:20160816:134054.886 End of zbx_tls_accept():FAIL error:''
      32438:20160816:134054.886 failed to accept an incoming connection: from 127.0.0.1: (null)
      32438:20160816:134054.886 __zbx_zbx_setproctitle() title:'trapper #1 [processed data in 0.000000 sec, waiting for connection]'

      I tried with another CA+certificate (homemade): everything worked well.

      The only difference is that my first set of certificates used a homemade CA which has an empty issuer & subject.
      That sounds weird, but can be easily reproduced with openssl.

      Zabbix Server doesn't complain about this strange CA certificate during startup (not sure it should though).
      Zabbix Server behaves differently between DebugLevel 3 & 4 (it clearly shouldn't).

      How to reproduce it

      openssl.cnf

      dir = ~/test_ca
      default_days = 3650
      
      [ req_distinguished_name ]
      countryName_default =
      stateOrProvinceName_default =
      localityName_default =
      0.organizationName_default =
      organizationalUnitName_default =
      commonName_default =
      emailAddress_default =
      
      [req]
      distinguished_name = req_distinguished_name
      x509_extensions = v3_ca
      
      [ v3_ca ]
      subjectKeyIdentifier=hash
      authorityKeyIdentifier=keyid:always,issuer
      basicConstraints = CA:true

      Create the CA certificate with:

      openssl req -new -x509 -days 3650 -extensions v3_ca -nodes -newkey rsa:4096 -subj '/' -keyout ~/test_ca/private/cakey.pem -out ~/test_ca/cacert.pem -config ~/test_ca/openssl.cnf

      Then create one certificate for Zabbix Server signed with this CA and another one for the client, configure both server and client, use them.
      You're done.
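
      Added example, not part of the original report and not Zabbix code: a standard-library Python check that flags a PEM or DER certificate whose issuer or subject DN is an empty SEQUENCE, the condition this report ties to the failure, so such a CA can be caught before it is configured. The function names and the unsigned sample certificates are constructed for illustration.

```python
import base64

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def empty_names(cert):
    """Return which of 'issuer'/'subject' are empty DNs in a PEM or DER certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    _, p, _ = read_tlv(cert, 0)            # Certificate SEQUENCE
    _, p, tbs_end = read_tlv(cert, p)      # TBSCertificate SEQUENCE
    fields = []
    while p < tbs_end:
        tag, start, p = read_tlv(cert, p)
        fields.append((tag, p - start))    # keep tag and value length only
    if fields and fields[0][0] == 0xA0:    # drop the optional [0] version field
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 TBSCertificate")
    # Remaining order (RFC 5280): serial, signature, issuer, validity, subject, ...
    named = {"issuer": fields[2], "subject": fields[4]}
    return sorted(k for k, (tag, size) in named.items() if tag == 0x30 and size == 0)

def der(tag, *parts):
    """DER-encode one TLV (used only to build the constructed samples below)."""
    body = b"".join(parts)
    n = len(body)
    nbytes = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + size + body

def sample_cert(name):
    """Constructed skeleton (unsigned, empty key) with `name` as issuer and subject."""
    alg = der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
    when = der(0x17, b"160816000000Z")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name,
              der(0x30, when, when), name, der(0x30))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))

EMPTY_DN = der(0x30)                       # an empty DN is an empty SEQUENCE (30 00)
TEST_CA_DN = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403"), der(0x0C, b"Test CA"))))
```

      Calling empty_names() on the bytes of a real cacert.pem returns a non-empty list when the issuer or subject DN is empty; it does not validate signatures or extensions.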

              People

              • Assignee:
                Unassigned
                Reporter:
                jbfavre Jean Baptiste Favre