  1. ZABBIX BUGS AND ISSUES
  2. ZBX-21714

Zabbix 6.0.x PSK - no suitable signature algorithm


    • Type: Problem report
    • Resolution: Commercial support required
    • Priority: Trivial
    • None
    • 6.0.8, 6.0.9
    • Agent (G), Server (S)
    • None
    • Ubuntu 22.04 (openssl 3.0.2), Ubuntu 20.04 (openssl 1.1.1f), Debian 10 (1.1.1n)

      Steps to reproduce:

      1. Fresh installation of zabbix-server-mysql 6.0.9 from zabbix repository via apt, also with fresh database from template. I tried them all with different combinations:

       

      root@Debian10:/var/log/zabbix# zabbix_server -V
      zabbix_server (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
      Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.
      This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).
      Compiled with OpenSSL 1.1.1d  10 Sep 2019
      Running with OpenSSL 1.1.1n  15 Mar 2022

      root@Ubuntu22:/usr/share/zabbix# zabbix_server -V
      zabbix_server (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
      Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.
      This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).
      Compiled with OpenSSL 3.0.2 15 Mar 2022
      Running with OpenSSL 3.0.2 15 Mar 2022

      root@Ubuntu20:/var/log/zabbix# zabbix_agentd -V
      zabbix_agentd (daemon) (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
      Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.
      This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).
      Compiled with OpenSSL 1.1.1f  31 Mar 2020
      Running with OpenSSL 1.1.1f  31 Mar 2020

      root@Ubuntu22:# zabbix_agentd -V
      zabbix_agentd (daemon) (Zabbix) 6.0.9
      Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
      Copyright (C) 2022 Zabbix SIA
      License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
      This is free software: you are free to change and redistribute it according to
      the license. There is NO WARRANTY, to the extent permitted by law.
      This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit (http://www.openssl.org/).
      Compiled with OpenSSL 3.0.2 15 Mar 2022
      Running with OpenSSL 3.0.2 15 Mar 2022
      

       

       

      2. Add single host to server and setup PSK encryption on it

       

      TLSAccept=psk
      TLSPSKIdentity=zabbix
      TLSPSKFile=/etc/zabbix/psk 

      PSK generated via command: openssl rand -hex 32

       

       

      Result:
      Server:

        3234:20220930:121836.127 interfaceid:1 hostid:10084 ip:'127.0.0.1' dns:'' port:'10050' type:1 main:1 useip:1 available:1 errors_from:0 disable_until:0 error:'' availability_ts:1664533055 reset_availability:0 items_num 60
        interfaceid:12 hostid:10529 ip:'10.10.10.10' dns:'' port:'10050' type:1 main:1 useip:1 available:2 errors_from:1664529873 disable_until:1664533144 error:'Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success' availability_ts:1664533055 reset_availability:0 items_num 14
        3434:20220930:121904.106 In get_value_agent() host:'nexus.domain.com' addr:'10.10.10.10' key:'system.uptime' conn:'TLS with PSK'
        3434:20220930:121904.108 Item [nexus.domain.com:system.uptime] error: Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success
       

      Client:

      91290:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: TLS handshake set result code to 1: file ../ssl/t1_lib.c line 2750: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm: TLS write fatal alert "handshake failure"
       91292:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: unencrypted connections are not allowed
       

      Expected:
      TLS encryption working with current and previous 5.x+ agent versions.

       

      If you need any additional debugging data or something please let me know.

            igorbach Igor Gorbach
            Zaborowski Cezary
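Added example, not part of the original report and not Zabbix code: a triage script for the server and agent log lines quoted in the Result section. It pulls the peer address and the OpenSSL error fields out of each TLS failure line and splits the packed error code using the OpenSSL 1.1.1 layout. The rule names and the `triage` and `decode_openssl_111` functions are hypothetical; the sample lines are copied from the report.

```python
import re

# Zabbix log prefix: PID:YYYYMMDD:HHMMSS.mmm <message>
PREFIX = re.compile(r"^\s*(\d+):(\d{8}):(\d{6})\.(\d{3}) (.*)$")
# OpenSSL error string as embedded in the agent line (1.1.1 format, with function name)
OSSL = re.compile(r"file (\S+) line (\d+): error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")
RULES = [  # (hypothetical rule name, pattern); group 1 is the peer address
    ("server_tls_connect_failed",
     re.compile(r"cannot establish TLS to \[\[([^\]]+)\]:\d+\]")),
    ("agent_tls_handshake_failed",
     re.compile(r"failed to accept an incoming connection: from (\S+?): TLS handshake")),
    ("agent_rejected_unencrypted",
     re.compile(r"from (\S+?): unencrypted connections are not allowed")),
]

def decode_openssl_111(code_hex):
    """Split a packed OpenSSL 1.1.1 code into (library, function, reason); 3.x packs differently."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(lines):
    """Return one finding per log line that matches a TLS failure rule."""
    findings = []
    for raw in lines:
        m = PREFIX.match(raw)
        if not m:
            continue  # continuation line or foreign log format
        pid, date, time, _ms, msg = m.groups()
        for kind, pat in RULES:
            hit = pat.search(msg)
            if not hit:
                continue
            when = f"{date[:4]}-{date[4:6]}-{date[6:]} {time[:2]}:{time[2:4]}:{time[4:]}"
            f = {"kind": kind, "pid": int(pid), "peer": hit.group(1), "when": when}
            o = OSSL.search(msg)
            if o:  # only the side whose TLS library raised the error carries these fields
                f["openssl"] = {"source": f"{o.group(1)}:{o.group(2)}",
                                "numbers": decode_openssl_111(o.group(3)),
                                "function": o.group(5), "reason": o.group(6).strip()}
            findings.append(f)
            break
    return findings

# Sample lines copied from the report above (two server lines, then two agent lines)
SAMPLE = [
    "3434:20220930:121904.106 In get_value_agent() host:'nexus.domain.com' addr:'10.10.10.10' key:'system.uptime' conn:'TLS with PSK'",
    "3434:20220930:121904.108 Item [nexus.domain.com:system.uptime] error: Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success",
    '91290:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: TLS handshake set result code to 1: file ../ssl/t1_lib.c line 2750: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm: TLS write fatal alert "handshake failure"',
    "91292:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: unencrypted connections are not allowed",
]
```

Calling `triage(SAMPLE)` yields three findings; only the agent-side handshake failure carries OpenSSL fields, which identifies the agent's TLS library as the side that aborted the handshake.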