Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-23941

Issue with TLS PSK connection from server to passive agents

XMLWordPrintable

    • Icon: Problem report Problem report
    • Resolution: Fixed
    • Icon: Trivial Trivial
    • 7.0.0beta2, 7.0 (plan)
    • 7.0.0alpha9
    • Agent (G), Server (S)
    • None
    • Zabbix 7.0.0.a9 on RHEL8.9, DB: PG15 with TSDB 2.13
      Latest agent version 6.4
    • Sprint candidates, S24-W6/7
    • 0.25

      We have strange floating issue with TLS PSK connectivity between server and agent 
      It is new installation of zabbix 7.0.0.a9 on RHEL8.9, DB: PG15 with TSDB 2.13
      Agents version - latest 6.4 (6.4.9,6.4.10, we also tried 6.0.25 LTS)
      Passive agent configuration is used

      TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=******-PSK-IDENTITY-*****
TLSPSKFile=/etc/zabbix/zabbix_agentd.psk

      Time to time, in zabbix server log we wound following errors:

        2443:20240114:050602.443 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.443 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.444 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init
  2443:20240114:050602.445 SSL_shutdown() with 10.0.9.29 set result code to 1: file ssl/ssl_lib.c line 2094: error:140E0197:SSL routines:SSL_shutdown:shut
down while in init

      (10.0.9.29 - one of the zabbix agents)

      Here are the corresponding records on the agent side

      7528:20240114:051025.852 failed to accept an incoming connection: from 10.xx.xx.xx: unspecified certificate verification error: TLS handshake set result code to 5:
6800:20240114:063734.937 failed to accept an incoming connection: from 10.xx.xx.xx: unspecified certificate verification error: TLS handshake set result code to 5:
 152:20240114:063734.943 failed to accept an incoming connection: from 10.xx.xx.xx: unspecified certificate verification error: TLS handshake set result code to 5:

      10.xx.xx.xx - ip of zabbix server

      This issue appears on Linux hosts sometimes but most often this occurs on Windows servers.
      In the attachment small part of agent's debug log.

      This problem is floating, errors can be recorded in the log from several minutes to tens of minutes, the data seems to be collected, but given that I saw several crashes in the server log,  I can not say for sure whether this is related to the server crashes or no.
      Additional thing that is no clear, why does the error refer to certificate verification when all TLS parameters configured to use PSK.

        1. agent-debug.txt
          26 kB

            vso Vladislavs Sokurenko
            AndriiMalyi Andrii Malyi
            Team A
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: