Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18910

Auto negotiation of TLS-ciphers fail - manually specified works

    XMLWordPrintable

Details

    • Incident report
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • 5.0.7
    • None
    • Agent (G)
    • None

    Description

      Sending a value to zabbix-server without specifying cipher fails.

      Looks like auto-negotiation is unreliable.

       

      Settings TLS-cipher works:

       

      $ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern-s "node1" -k ca.revoked_certs -o "test" -vv --tls-cipher ECDHE-PSK-AES128-CBC-SHA
      zabbix_sender [11122]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA
      zabbix_sender [11123]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_CHACHA20_POLY1305_SHA256)

       

      Settings tls-cipher13 works also:

      $ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern-s "node1" -k ca.revoked_certs -o "test" -vv --tls-cipher13 TLS_CHACHA20_POLY1305_SHA256
      zabbix_sender [12324]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
      zabbix_sender [12325]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_CHACHA20_POLY1305_SHA256) 

       

      Setting TLS and TLS13-ciphers works as well:

       

      $ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern-s "node1" -k ca.revoked_certs -o "test" -vv --tls-cipher13 TLS_CHACHA20_POLY1305_SHA256 --tls-cipher ECDHE-PSK-AES128-CBC-SHA
      zabbix_sender [13124]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 ECDHE-PSK-AES128-CBC-SHA
      zabbix_sender [13125]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_CHACHA20_POLY1305_SHA256)

       

      Not specify any, fails:

       

      $ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern-s "node1" -k ca.revoked_certs -o "test" -vv
      zabbix_sender [12870]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
      zabbix_sender [12871]: DEBUG: End of zbx_tls_connect():FAIL error:'SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/record/rec_layer_s3.c line 1543: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter: SSL alert number 47: TLS read fatal alert "illegal parameter"

       

      Attachments

        Activity

          People

            ArtursL Arturs Lontons
            siegmarb Stefan
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: