-
Problem report
-
Resolution: Unresolved
-
Trivial
-
None
-
None
-
None
-
None
-
1
Steps to reproduce:
- Build Zabbix agents, one with OpenSSL, one with GnuTLS
- Use openssl command-line tool to generate set of certificates, fill emailAddress field
- Setup Zabbix encryption with generated certificates
- See if connection between Zabbix server/proxy/agent is successful
Result:
Documentation (https://www.zabbix.com/documentation/4.0/manual/encryption/using_certificates) mentions options for openssl tool that can be used to extract proper Issuer and Subject strings from the certificate for use in Zabbix. When using these options with certificate that contains emailAddress, it doesn't alway work when GnuTLS is involved.
When testing on macOS (ZBXNEXT-1348), Zabbix agent had to refer to e-mail address field to either as emailAddress or as EMAIL, depending on the library. Latest versions of libraries were used, they were built from sources and linked statically.
When using with OpenSSL, zabbix_agentd.conf had to include:
[email protected],CN=root,OU=ZabbixDev,O=Zabbix,L=LV,ST=LV,C=LV
When using with GnuTLS, zabbix_agentd.conf had to include:
[email protected],CN=root,OU=ZabbixDev,O=Zabbix,L=LV,ST=LV,C=LV
More testing is required to find out if it's macOS related or platform-independent.
More testing is required to find out which components (agent, proxy, server) are affected.
Either this difference between OpenSSL and GnuTLS should be mentioned in documentation, or code should be updated to handle this difference.