Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18159

TLS handshake fails with 5.-Server after cert was temporary enabled - probably TLSv1.3 session reuse

XMLWordPrintable

    • Icon: Problem report Problem report
    • Resolution: Unresolved
    • Icon: Trivial Trivial
    • None
    • None
    • Server (S)
    • None

      Steps to reproduce:

      1. add host in zabbix server 5.0.2 with only active checks and PSK authentication

       

      server.conf is

       

      AlertScriptsPath=/usr/lib/zabbix/alertscripts
CacheSize= 512M 
DBHost=localhost
DBName=zabbix
DBPassword=known
DBUser=zabbix
ExternalScripts=/storage/externalscripts
Fping6Location=/usr/bin/fping6
FpingLocation=/usr/bin/fping
HistoryCacheSize=512M
HistoryIndexCacheSize=128M
LogFileSize=0
LogFile=/var/log/zabbix/zabbix_server.log
LogSlowQueries=3000
PidFile=/var/run/zabbix/zabbix_server.pid
SSHKeyLocation=/storage/.ssh
StartIPMIPollers=20
StartPingers=10
StartPollers=700
StartDiscoverers=20
StartPollersUnreachable=70
StartTrappers=100
Timeout=10
TrendCacheSize=128M
ValueCacheSize=1G
JavaGateway=127.0.0.1
JavaGatewayPort=10052
StartJavaPollers=5
#TLSCAFile=/etc/zabbix/ca.pem
#TLSCertFile=/etc/zabbix/cert.pem
#TLSKeyFile=/etc/zabbix/key.pem
      1. setup client with

      TLSAccept=psk
      TLSPSKIdentity=Key1
      TLSPSKFile=/etc/zabbix/key.psk

       

      Monitor zabbix_server.log:

       

      8510:20200729:111900.275 failed to accept an incoming connection: from IPV6-ADDRESS: TLS handshake set result code to 1: file ../ssl/statem/extensions.c line 1604: error:141FA0FD:SSL routines:tls_psk_do_binder:binder does not verify: TLS write fatal alert "illegal parameter"

       

       

      Looks like it has to do with TLSv1.3 session reusage.

      Both Server and Client is Ubuntu 18.

      # zabbix_server -V
zabbix_server (Zabbix) 5.0.2
Revision 352ca05870 13 July 2020, compilation time: Jul 13 2020 07:00:00Copyright (C) 2020 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).Compiled with OpenSSL 1.1.1  11 Sep 2018
Running with OpenSSL 1.1.1  11 Sep 2018

       

      zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 4.0.23
Revision 9f3d212e4a 27 July 2020, compilation time: Jul 27 2020 07:00:00Copyright (C) 2020 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).Compiled with OpenSSL 1.1.1  11 Sep 2018
Running with OpenSSL 1.1.1  11 Sep 2018

       

      It started at the time, we accepted for testing purpose and just for a few minutes,  on server side also CERT-based authentication in addition to PSK. Before that, we had no log issues like the one above.

       

       

      Server still receives data from client. It currently "only" floods our log-files massively.

            zabbix.support Zabbix Support Team
            siegmarb Stefan
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: