Incident report
Resolution: Unresolved
Trivial
5.0.7
Sending a value to zabbix-server without specifying cipher fails.
Looks like auto-negotiation is unreliable.
Setting TLS-cipher works:

$ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern -s "node1" -k ca.revoked_certs -o "test" -vv --tls-cipher ECDHE-PSK-AES128-CBC-SHA
zabbix_sender [11122]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA
zabbix_sender [11123]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_CHACHA20_POLY1305_SHA256)

Setting tls-cipher13 also works:

$ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern -s "node1" -k ca.revoked_certs -o "test" -vv --tls-cipher13 TLS_CHACHA20_POLY1305_SHA256
zabbix_sender [12324]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender [12325]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_CHACHA20_POLY1305_SHA256)

Setting both TLS and TLS13 ciphers works as well:

$ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern -s "node1" -k ca.revoked_certs -o "test" -vv --tls-cipher13 TLS_CHACHA20_POLY1305_SHA256 --tls-cipher ECDHE-PSK-AES128-CBC-SHA
zabbix_sender [13124]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 ECDHE-PSK-AES128-CBC-SHA
zabbix_sender [13125]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_CHACHA20_POLY1305_SHA256)

Not specifying any fails:

$ zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -z zabbix.intern -s "node1" -k ca.revoked_certs -o "test" -vv
zabbix_sender [12870]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender [12871]: DEBUG: End of zbx_tls_connect():FAIL error:'SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/record/rec_layer_s3.c line 1543: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter: SSL alert number 47: TLS read fatal alert "illegal parameter"
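A triage helper for the four runs above, added here as an example (it is not part of the original report or of Zabbix): it parses the `-vv` debug lines and checks whether any ciphersuite appears only in the failing offer. The function names, the `log()` helper and the placeholder PIDs are assumptions; the suite lists and results are transcribed from the report.

```python
import re

INIT = re.compile(r"zbx_tls_init_child\(\) PSK ciphersuites: (.+)$")
END = re.compile(r"End of zbx_tls_connect\(\):(SUCCEED|FAIL)")

def parse_run(text):
    """Return (offered PSK ciphersuites, True/False/None result) for one -vv run."""
    suites, ok = [], None
    for line in text.splitlines():
        if m := INIT.search(line):
            suites = m.group(1).split()
        elif m := END.search(line):
            ok = m.group(1) == "SUCCEED"
    return suites, ok

def suspects(runs):
    """Suites offered in a failing run that no successful run ever offered."""
    good, bad = set(), set()
    for text in runs.values():
        suites, ok = parse_run(text)
        if ok is not None:  # ignore runs with no handshake result line
            (good if ok else bad).update(suites)
    return bad - good

def log(suites, result):
    # Rebuilds the two relevant debug lines; the PIDs are placeholders.
    return (f"zabbix_sender [1]: DEBUG: zbx_tls_init_child() PSK ciphersuites: {suites}\n"
            f"zabbix_sender [2]: DEBUG: End of zbx_tls_connect():{result}")

# Suite lists and results transcribed from the four runs in the report.
CHACHA, GCM = "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"
FULL12 = ("ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 "
          "PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA")
OK = f"SUCCEED (established TLSv1.3 {CHACHA})"
RUNS = {
    "--tls-cipher": log(f"{CHACHA} {GCM} ECDHE-PSK-AES128-CBC-SHA", OK),
    "--tls-cipher13": log(f"{CHACHA} {FULL12}", OK),
    "both": log(f"{CHACHA} ECDHE-PSK-AES128-CBC-SHA", OK),
    # Error text abbreviated here; only the FAIL marker is parsed.
    "default": log(f"{CHACHA} {GCM} {FULL12}", "FAIL error:'SSL_connect() ... SSL alert number 47"),
}

if __name__ == "__main__":
    for name, text in RUNS.items():
        suites, ok = parse_run(text)
        print(f"{name:15} {len(suites)} suites  {'SUCCEED' if ok else 'FAIL'}")
    print("only in failing offers:", sorted(suspects(RUNS)) or "none")
```

On this data `suspects()` returns an empty set: every suite in the failing default offer also appears in at least one successful handshake, so the logs do not single out one suite. The failing run is the only one that offers both TLS 1.3 suites together with the full TLS 1.2 PSK list.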