Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-25267

Agent 2 refuses PSK encrypted connections if Certs also enabled

XMLWordPrintable

    • Prev.Sprint, S24-W44/45, S24-W46/47
    • 2

      Steps to reproduce:

      1. Set up agent 2 to accept both - PSK and Cert encrypted connection (config example below);
      2. Also enable cert issuer or cert subject validation;
      3. Try to connect to agent 2 with PSK encryption.

      Result:
      The connection always fails. It tries to validate a certificate that does not exist.
      Agent 2 log shows error:

      2024/09/19 10:46:24.816361 failed to process an incoming connection from 127.0.0.1: cannot obtain peer certificate
      

      Expected:
      On agent 1 both - PSK and Certs work in the above scenario.

      More info:

      Config example (this is the complete agent 2 config I used when I found this):

      LogFile=/tmp/zabbix_agent2.log
      Server=127.0.0.1
      TLSConnect=cert
      TLSAccept=psk,cert
      TLSCAFile=/home/zabbix/cert/ca/ca-self-signed-cert.pem
      TLSServerCertIssuer=CN=My CA authority
      TLSServerCertSubject=CN=your.server.domain
      TLSCertFile=/home/zabbix/cert/agent/agent-cert.pem
      TLSKeyFile=/home/zabbix/cert/agent/agent-private-key.pem
      TLSPSKIdentity=PSK 001
      TLSPSKFile=/home/zabbix/cert/psk/agent.psk
      

      If you comment out both of these, PSK works fine:

      Corresponding server conf (7.0) (it even has the certs set up for cert authentication):

      TLSCAFile=/home/zabbix/cert/ca/ca-self-signed-cert.pem
      TLSCertFile=/home/zabbix/cert/server/server-cert.pem
      TLSKeyFile=/home/zabbix/cert/server/server-private-key.pem
      LogFile=/tmp/zabbix_server.log
      DBName=7.0
      DBUser=zabbix
      DBPassword=zabbix
      DBPassword=zabbix
      StartJavaPollers=1
      StartJavaPollers=10
      Timeout=4
      LogSlowQueries=3000
      StatsAllowedIP=127.0.0.1
      EnableGlobalScripts=0
      

            dgoloscapov Dmitrijs Goloscapovs
            jnulle Janis Nulle
            Team B
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 10h
                10h