Details
- Type: Defect (Security)
- Status: Closed
- Priority: Trivial
- Resolution: Fixed
- Affects Version/s: 3.0.27
- Fix Version/s: 3.0.29rc1, 4.0.14rc1, 4.2.8rc1, 4.4.1rc1, 5.0.0alpha1, 5.0 (plan)
- Component/s: Agent (G), Proxy (P), Server (S)
- Labels:
- Team: Team A
- Sprint: Sprint 56 (Sep 2019), Sprint 55 (Aug 2019), Sprint 57 (Oct 2019)
- Story Points: 1
Description
Steps to reproduce:
- Configure zabbix_agentd.conf with TLS using certificate, for example:
    TLSConnect=cert
    TLSAccept=cert
    TLSCAFile=/path/zabbix_ca_file
    TLSServerCertIssuer=CN=Signing CA,OU=development,O=Zabbix,DC=zabbix,DC=com
    TLSServerCertSubject=CN=proxy,OU=development,O=Zabbix,DC=zabbix,DC=com
    TLSCertFile=/path/zabbix_agentd.crt
    TLSKeyFile=/path/zabbix_agentd.key
- Configure host in frontend with TLS, Certificate.
- Run server and agent.
Result:
The agent does not notice that the server certificate has an issuer and subject other than those required by the agent configuration (validation is broken).
Expected:
The agent refuses to talk to a server whose certificate issuer/subject differs from the one configured in zabbix_agentd.conf.
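
The expected behaviour can be modelled as a fail-closed comparison of the peer certificate's issuer and subject against the configured values. This is an added illustration, not Zabbix source code. It assumes the peer DNs are available as RFC 4514 strings and that an unset parameter imposes no restriction; the function names and the sample configuration are constructed for the example.

```python
import re

# Constructed sample config, mirroring the parameters in the report above.
SAMPLE_CONF = """\
TLSConnect=cert
TLSAccept=cert
TLSServerCertIssuer=CN=Signing CA,OU=development,O=Zabbix,DC=zabbix,DC=com
TLSServerCertSubject=CN=proxy,OU=development,O=Zabbix,DC=zabbix,DC=com
"""

def parse_conf(text):
    """Return Key=Value pairs; split on the first '=' only, since DNs contain '='."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_dn(dn):
    """Split an RFC 4514 DN string into (TYPE, value) pairs.

    Simplification: handles escaped commas, not multi-valued RDNs ('+').
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def peer_allowed(conf, peer_issuer, peer_subject):
    """Fail closed: every configured DN must match the peer certificate's DN."""
    checks = (("TLSServerCertIssuer", peer_issuer),
              ("TLSServerCertSubject", peer_subject))
    for key, peer_dn in checks:
        wanted = conf.get(key)
        if wanted is None:
            continue  # assumption: parameter not set means no restriction
        try:
            if parse_dn(wanted) != parse_dn(peer_dn or ""):
                return False
        except ValueError:
            return False  # unparsable or missing DN is a refusal, never a pass
    return True
```

A regression test for the fix would assert the refusal cases as well as the matching one, since the defect here was a check that silently passed.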