  1. ZABBIX BUGS AND ISSUES
  2. ZBX-26272

Zabbix MQTT Plugin hardcodes skipVerify in TLS setup


    • Problem report
    • Resolution: Unresolved
    • Major
    • None
    • 7.0.11, 7.2.5
    • Agent2 plugin (G)
    • None
    • Support backlog

      By default, there is no configuration option exposed for disabling TLS verification in the MQTT plugin in Zabbix Agent. In the source, the call to tlsconfig.CreateConfig has skipVerify hardcoded to false.

      Some implementations of MQTT, such as servers configured by vendors, may be using TLS configurations that are not changeable by the system administrator, and are configurations that cannot be made valid. In my case, the vendor uses a certificate that contains a non-FQDN CN and no subjectAltName, so no configuration can be made to pass the TLS validation.

      In this case, a user configurable option in the mqtt.conf file should be presented to disable TLS validation.

      Offending code line:
      https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/src/go/plugins/mqtt/mqtt.go#132

      return tlsconfig.CreateConfig(
      	tlsconfig.Details{
      		TlsCaFile:   d.TlsCaFile,
      		TlsCertFile: d.TlsCertFile,
      		TlsKeyFile:  d.TlsKeyFile,
      		RawUri:      d.RawUri,
      	},
      	false, // <------ hardcoded skipVerify argument
      )
      

      Note: Happy to provide a PR to resolve this issue via a configuration option if this is acceptable.
       
      Steps to reproduce:

      1. Configure MQTT on the Zabbix Agent 2
      2. Attempt to connect to a server with invalid TLS

      Result:
      network Error : tls: failed to verify certificate

      Expected:
      Should be able to disable TLS validation

            zit Zabbix Integration Team
            bottswana55 James Botting
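For the certificate described in this report (CN only, no subjectAltName), Go's `crypto/tls` can keep chain validation while dropping only the hostname match. The sketch below is an added example, not code from the ticket or from Zabbix's `tlsconfig` package. The names `chainOnlyTLS` and `selfSigned` and the CN `mqtt-broker` are hypothetical, and it assumes the vendor certificate (or its issuing CA) can be exported and pinned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chainOnlyTLS (hypothetical helper): trust only certificates chaining to roots,
// but skip the hostname match that a CN-only certificate can never pass.
func chainOnlyTLS(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // built-in checks off; VerifyConnection replaces them
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return fmt.Errorf("no peer certificate")
			}
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, err := cs.PeerCertificates[0].Verify(opts) // DNSName unset: no hostname check
			return err
		},
	}
}

// selfSigned builds a constructed sample certificate: CN only, no subjectAltName.
func selfSigned(cn string) *x509.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, key.Public(), key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	vendor, other := selfSigned("mqtt-broker"), selfSigned("mqtt-broker")
	pool := x509.NewCertPool()
	pool.AddCert(vendor) // pin the vendor certificate as the only trust anchor
	for _, c := range []*x509.Certificate{vendor, other} { // pinned cert, then a look-alike
		cs := tls.ConnectionState{PeerCertificates: []*x509.Certificate{c}}
		fmt.Println(chainOnlyTLS(pool).VerifyConnection(cs))
	}
}
```

The pinned certificate is accepted and a second certificate with the same CN but a different key is rejected, which a plain skip-verify switch would not do.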