[ZBX-16750] Broken validation of peer certificate issuer/subject in TLS connect: check always succeeds - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Trivial
Resolution: Fixed
Affects Version/s: 3.0.27
Fix Version/s: 3.0.29rc1, 4.0.14rc1, 4.2.8rc1, 4.4.1rc1, 5.0.0alpha1, 5.0 (plan)
Component/s: Agent (G), Proxy (P), Server (S)
Labels:

Team:
Team A
Sprint:
Sprint 56 (Sep 2019), Sprint 55 (Aug 2019), Sprint 57 (Oct 2019)
Story Points:
1

Description

Steps to reproduce:

Configure zabbix_agentd.conf with TLS using certificate, for example:
- TLSConnect=cert
- TLSAccept=cert
- TLSCAFile=/path/zabbix_ca_file
- TLSServerCertIssuer=CN=Signing CA,OU=development,O=Zabbix,DC=zabbix,DC=com
- TLSServerCertSubject=CN=proxy,OU=development,O=Zabbix,DC=zabbix,DC=com
- TLSCertFile=/path/zabbix_agentd.crt
- TLSKeyFile=/path/zabbix_agentd.key
Configure host in frontend with TLS, Certificate.
Run server and agent.

Result:
Agent does not notice that server certificate has the issuer and subject other than required by agent configuration (validation is broken).

Expected:
Agent refuses to talk to server which has other certificate issuer/subject than configured in zabbix_agentd.conf.

Attachments

Activity

People

Assignee:: Andris Mednis

Reporter:: Andris Mednis

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019 Aug 20 18:08

Updated:: 2020 Jul 16 14:10

Resolved:: 2019 Oct 15 10:54