  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18159

TLS handshake fails with 5.-Server after cert was temporarily enabled - probably TLSv1.3 session reuse


Details

    • Problem report
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • None
    • None
    • Server (S)
    • None

    Description

      Steps to reproduce:

      1. add host in zabbix server 5.0.2 with only active checks and PSK authentication

       

      server.conf is

       

      AlertScriptsPath=/usr/lib/zabbix/alertscripts
      CacheSize= 512M 
      DBHost=localhost
      DBName=zabbix
      DBPassword=known
      DBUser=zabbix
      ExternalScripts=/storage/externalscripts
      Fping6Location=/usr/bin/fping6
      FpingLocation=/usr/bin/fping
      HistoryCacheSize=512M
      HistoryIndexCacheSize=128M
      LogFileSize=0
      LogFile=/var/log/zabbix/zabbix_server.log
      LogSlowQueries=3000
      PidFile=/var/run/zabbix/zabbix_server.pid
      SSHKeyLocation=/storage/.ssh
      StartIPMIPollers=20
      StartPingers=10
      StartPollers=700
      StartDiscoverers=20
      StartPollersUnreachable=70
      StartTrappers=100
      Timeout=10
      TrendCacheSize=128M
      ValueCacheSize=1G
      JavaGateway=127.0.0.1
      JavaGatewayPort=10052
      StartJavaPollers=5
      #TLSCAFile=/etc/zabbix/ca.pem
      #TLSCertFile=/etc/zabbix/cert.pem
      #TLSKeyFile=/etc/zabbix/key.pem
      
      2. set up client with

      TLSAccept=psk
      TLSPSKIdentity=Key1
      TLSPSKFile=/etc/zabbix/key.psk

       

      Monitor zabbix_server.log:

       

      8510:20200729:111900.275 failed to accept an incoming connection: from IPV6-ADDRESS: TLS handshake set result code to 1: file ../ssl/statem/extensions.c line 1604: error:141FA0FD:SSL routines:tls_psk_do_binder:binder does not verify: TLS write fatal alert "illegal parameter"

       

       

      Looks like it has to do with TLSv1.3 session reuse.

      Both Server and Client are Ubuntu 18.

      # zabbix_server -V
      zabbix_server (Zabbix) 5.0.2
      Revision 352ca05870 13 July 2020, compilation time: Jul 13 2020 07:00:00

      Copyright (C) 2020 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.

      This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).

      Compiled with OpenSSL 1.1.1  11 Sep 2018
      Running with OpenSSL 1.1.1  11 Sep 2018
       

       

      zabbix_agentd -V
      zabbix_agentd (daemon) (Zabbix) 4.0.23
      Revision 9f3d212e4a 27 July 2020, compilation time: Jul 27 2020 07:00:00

      Copyright (C) 2020 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.

      This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).

      Compiled with OpenSSL 1.1.1  11 Sep 2018
      Running with OpenSSL 1.1.1  11 Sep 2018
      

       

      It started at the time we accepted, for testing purposes and just for a few minutes, CERT-based authentication on the server side in addition to PSK. Before that, we had no log issues like the one above.

       

       

      Server still receives data from client. It currently "only" floods our log-files massively.
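
A triage helper for the log flood described above, as an added example that is not part of the original report or of Zabbix: it parses zabbix_server.log lines in the format quoted in the description and counts tls_psk_do_binder failures per source address and per minute, to show which agents produce them. The sample lines, the addresses (documentation range 2001:db8::/32) and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Zabbix log prefix is PID:YYYYMMDD:HHMMSS.mmm, followed by the message.
LINE_RE = re.compile(
    r'^\s*(?P<pid>\d+):(?P<date>\d{8}):(?P<time>\d{6}\.\d{3}) '
    r'failed to accept an incoming connection: from (?P<src>\S+): '
    r'TLS handshake set result code to \d+: (?P<detail>.*)$')
# OpenSSL 1.1.1 error string: error:<hex code>:<library>:<function>:<reason>
OSSL_RE = re.compile(
    r'error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)')

def parse_line(line):
    """Return a dict for a failed TLS accept line, or None for anything else."""
    m = LINE_RE.match(line)
    e = OSSL_RE.search(m.group('detail')) if m else None
    if not e:
        return None
    return {
        'minute': m.group('date') + ' ' + m.group('time')[:4],  # YYYYMMDD HHMM
        'src': m.group('src'),
        'code': e.group('code').upper(),
        'func': e.group('func'),
        'reason': e.group('reason'),
    }

def binder_failures(lines):
    """Count PSK binder verification failures per source and per minute."""
    by_src, by_minute = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['func'] == 'tls_psk_do_binder':
            by_src[rec['src']] += 1
            by_minute[rec['minute']] += 1
    return by_src, by_minute

# Constructed sample input: same message as in the report, made-up sources.
TAIL = ('TLS handshake set result code to 1: file ../ssl/statem/extensions.c '
        'line 1604: error:141FA0FD:SSL routines:tls_psk_do_binder:'
        'binder does not verify: TLS write fatal alert "illegal parameter"')
PREFIX = ' failed to accept an incoming connection: from '
SAMPLE = [
    '8510:20200729:111900.275' + PREFIX + '2001:db8::10: ' + TAIL,
    '8511:20200729:111900.912' + PREFIX + '2001:db8::10: ' + TAIL,
    '8510:20200729:112001.004' + PREFIX + '2001:db8::20: ' + TAIL,
    '8499:20200729:112002.100 server #12 started [poller #3]',
]

if __name__ == '__main__':
    for src, n in binder_failures(SAMPLE)[0].most_common():
        print(src, n)
```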

          People

            zabbix.support Zabbix Support Team
            siegmarb Stefan