Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-21714

Zabbix 6.0.x PSK - no suitable signature algorithm

    XMLWordPrintable

Details

    • Problem report
    • Status: Closed
    • Trivial
    • Resolution: Commercial support required
    • 6.0.8, 6.0.9
    • None
    • Agent (G), Server (S)
    • None
    • Ubuntu 22.04 (openssl 3.0.2), Ubuntu 20.04 (openssl 1.1.1f), Debian 10 (1.1.1n)

    Description

      Steps to reproduce:

      1. Fresh installation of zabbix-server-mysql 6.0.9 from zabbix repository via apt, also with fresh database from template. I tried them all with different combinations:

       

      [email protected]:/var/log/zabbix# zabbix_server -V
      zabbix_server (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).Compiled with OpenSSL 1.1.1d  10 Sep 2019
      Running with OpenSSL 1.1.1n  15 Mar 2022
       

       

      [email protected]:/usr/share/zabbix# zabbix_server -V
      zabbix_server (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).Compiled with OpenSSL 3.0.2 15 Mar 2022
      Running with OpenSSL 3.0.2 15 Mar 2022
       
      [email protected]:/var/log/zabbix# zabbix_agentd -V
      zabbix_agentd (daemon) (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).Compiled with OpenSSL 1.1.1f  31 Mar 2020
      Running with OpenSSL 1.1.1f  31 Mar 2020
       
      [email protected]:# zabbix_agentd -V zabbix_agentd (daemon) (Zabbix) 6.0.9 Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36Copyright (C) 2022 Zabbix SIA License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).Compiled with OpenSSL 3.0.2 15 Mar 2022 Running with OpenSSL 3.0.2 15 Mar 2022
      

       

       

      2. Add single host to server and setup PSK encryption on it

       

      TLSAccept=psk
      TLSPSKIdentity=zabbix
      TLSPSKFile=/etc/zabbix/psk 

      PSK generated via command: openssl rand -hex 32

       

       

      Result:
      Server:

      3234:20220930:121836.127 interfaceid:1 hostid:10084 ip:'127.0.0.1' dns:'' port:'10050' type:1 main:1 useip:1 available:1 errors_from:0 disable_until:0 error:'' availability_ts:1664533055 reset_availability:0 items_num 60interfaceid:12 hostid:10529 ip:'10.10.10.10' dns:'' port:'10050' type:1 main:1 useip:1 available:2 errors_from:1664529873 disable_until:1664533144 error:'Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success' availability_ts:1664533055 reset_availability:0 items_num 14
        3434:20220930:121904.106 In get_value_agent() host:'nexus.domain.com' addr:'10.10.10.10' key:'system.uptime' conn:'TLS with PSK'
        3434:20220930:121904.108 Item [nexus.domain.com:system.uptime] error: Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success
       

      Client:

      91290:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: TLS handshake set result code to 1: file ../ssl/t1_lib.c line 2750: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm: TLS write fatal alert "handshake failure"
       91292:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: unencrypted connections are not allowed
       

      Expected:
      TLS encryption working with current and previous 5.x+ agent versions.

       

      If you need any additional debuging data or something please let me know.

      Attachments

        Activity

          People

            igorbach Igor Gorbach
            Zaborowski Cezary
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: