ZABBIX BUGS AND ISSUES
ZBX-24939

Non-standard TLS certificate validation between components

    • Support backlog

      Hello,

      I'd like to report that the validation of TLS certificates between Zabbix components does not follow the industry standard: the Subject Alternative Name (SAN) attribute of the peer certificate cannot be checked.

      The currently used cert-validation method is based on comparing the X.509 common name against one fixed string (the TLSServerCertSubject option), which is now starting to run into its limitations when deploying Zabbix in HA configurations.

      The current situation forces administrators to choose between non-optimal solutions:

      • issue more certificates with the same common name, creating confusion, or
      • share one certificate across servers and proxies, which creates a single point of failure and is hard to automate, or
      • disable TLSServerCertSubject, allowing anyone with a PKI cert from that CA to connect, or
      • deploy a small CA just for Zabbix, so an empty TLSServerCertSubject does not matter, or
      • fall back to PSK

      Per Wikipedia Subject_Alternative_Name, this method was standardized in May 2000, so I kindly ask you to catch up with this development and enable a clean way of scaling Zabbix.

            zabbix.dev Zabbix Development Team
            user185953
            Votes: 0
            Watchers: 2
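The two validation models the report contrasts, as an added example in Go that is not part of the issue or of Zabbix's own code: a throwaway CA issues one leaf certificate with a generic CN and a SAN entry per HA node, then a fixed-string CN comparison is run beside a chain-plus-SAN check that is tied to the host actually connected to. The CA name, the hostnames and the `example.internal` zone are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki holds a constructed test CA (as a trust pool) and one leaf it issued.
// Everything is generated in memory; none of it is real Zabbix material.
type pki struct {
	roots *x509.CertPool
	leaf  *x509.Certificate
}

// buildPKI creates a throwaway CA and issues a leaf with a fixed CN and the
// given SAN dNSNames, mirroring "one cert per node, one SAN per node name".
func buildPKI(cn string, sans []string) (*pki, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Monitoring CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &pki{roots: pool, leaf: leaf}, nil
}

// cnOnlyCheck is the fixed-string model the report describes: the peer is
// accepted when its subject CN equals the configured value, no matter which
// host the connection was actually made to.
func cnOnlyCheck(cert *x509.Certificate, expectedCN string) bool {
	return cert.Subject.CommonName == expectedCN
}

// sanCheck is the standards-based model: the chain must lead to a trusted CA
// and the leaf must carry a SAN dNSName for the host we connected to. Go's
// verifier ignores the CN for name matching, so a CN-only cert is rejected.
func sanCheck(roots *x509.CertPool, cert *x509.Certificate, connectedHost string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   connectedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	// Constructed HA layout: one CN shared by all nodes, one SAN per node.
	p, err := buildPKI("zabbix-server", []string{
		"zabbix-server-1.example.internal",
		"zabbix-server-2.example.internal",
	})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"zabbix-server-2.example.internal", "zabbix-server-3.example.internal"} {
		fmt.Printf("connected to %s: CN-only accepts=%v, SAN check error=%v\n",
			host, cnOnlyCheck(p.leaf, "zabbix-server"), sanCheck(p.roots, p.leaf, host))
	}
}
```

The CN-only check answers the same way for every host once the CN matches, which is why the report's HA options collapse into sharing a CN or a certificate; the SAN check binds acceptance to the trust root and to the name the client connected to, so a second node needs only its own SAN entry, and a certificate from the same CA that lacks that name is refused.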