- Problem report
- Resolution: Unresolved
- Major
- None
- 7.0.16, 7.4.0, 8.0.0alpha1 (master)
- None
- RHEL9/RHEL10
- Support backlog
Steps to reproduce:
- Install a RHEL 9 based system, something like Oracle Linux 9.x, or RHEL 9 itself
- Check that OpenSSL 3.2.2 is configured and has:

```
openssl ciphers -V | grep 1.3
          0x13,0x02 - TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256       TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
          0x13,0x04 - TLS_AES_128_CCM_SHA256       TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
```

- Configure Zabbix Server with:

```
grep -Ev "^#|^$" /etc/zabbix/zabbix_server.conf | grep -i psk13
TLSCipherPSK13=TLS_AES_256_GCM_SHA384
```

- Use Zabbix Sender with:

```
zabbix_sender -vv -z 127.0.0.1 -s "Zabbix server" -k agent.hostname -o "test" --tls-connect=psk --tls-psk-identity=kernel --tls-psk-file=/etc/zabbix/zabbix_agent.key --tls-cipher13=TLS_AES_256_GCM_SHA384
```

- Set up a host in the Frontend with the PSK identity and a key generated with:

```
openssl rand -hex 32
```

or

```
openssl rand -hex 64
```
Result:

```
zabbix_sender -vv -z 127.0.0.1 -s "Zabbix server" -k agent.hostname -o "test" --tls-connect=psk --tls-psk-identity=kernel --tls-psk-file=/etc/zabbix/zabbix_agent.key --tls-cipher13=TLS_AES_256_GCM_SHA384
zabbix_sender [15730]: DEBUG: In zbx_tls_init_child()
zabbix_sender [15730]: DEBUG: OpenSSL library (version OpenSSL 3.2.2 4 Jun 2024) initialized
zabbix_sender [15730]: DEBUG: zbx_tls_init_child() loaded PSK identity "kernel"
zabbix_sender [15730]: DEBUG: zbx_tls_init_child() loaded PSK from file "/etc/zabbix/zabbix_agent.key"
zabbix_sender [15730]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_AES_256_GCM_SHA384 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM PSK-AES128-CCM8 PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender [15730]: DEBUG: End of zbx_tls_init_child()
zabbix_sender [15731]: DEBUG: In zbx_comms_exchange_with_redirect()
zabbix_sender [15731]: DEBUG: In zbx_connect_to_server() [127.0.0.1]:10051 [timeout:60, connection timeout:3]
zabbix_sender [15731]: DEBUG: In zbx_is_ip4() ip:'127.0.0.1'
zabbix_sender [15731]: DEBUG: End of zbx_is_ip4():SUCCEED
zabbix_sender [15731]: DEBUG: In zbx_is_ip4() ip:'127.0.0.1'
zabbix_sender [15731]: DEBUG: End of zbx_is_ip4():SUCCEED
zabbix_sender [15731]: DEBUG: In zbx_tls_connect(): psk_identity:"kernel"
zabbix_sender [15731]: DEBUG: zbx_psk_client_cb() requested PSK identity "kernel"
zabbix_sender [15731]: DEBUG: End of zbx_tls_connect():FAIL error:'SSL_connect() set result code to SSL_ERROR_SSL: file ssl/record/rec_layer_s3.c line 909 func ssl3_read_bytes: error:0A000410:SSL routines::ssl/tls alert handshake failure: SSL alert number 40: TLS read fatal alert "handshake failure"'
zabbix_sender [15731]: DEBUG: Unable to connect to [127.0.0.1]:10051 [TCP successful, cannot establish TLS to [[127.0.0.1]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/record/rec_layer_s3.c line 909 func ssl3_read_bytes: error:0A000410:SSL routines::ssl/tls alert handshake failure: SSL alert number 40: TLS read fatal alert "handshake failure"]
zabbix_sender [15731]: DEBUG: End of zbx_connect_to_server():FAIL
zabbix_sender [15731]: DEBUG: unable to connect to [127.0.0.1]:10051: TCP successful, cannot establish TLS to [[127.0.0.1]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/record/rec_layer_s3.c line 909 func ssl3_read_bytes: error:0A000410:SSL routines::ssl/tls alert handshake failure: SSL alert number 40: TLS read fatal alert "handshake failure"
zabbix_sender [15731]: DEBUG: End of zbx_comms_exchange_with_redirect():CONNECT_ERROR
Sending failed.
```
Expected:
The cipher works like the other 3 in the TLS 1.3 group:

```
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
```

Or it should be documented that it will not work.
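The failure above can be predicted from the two ciphersuite lists alone, without a live handshake. The script below is an added example, not code from this report, from Zabbix or from OpenSSL. It encodes one OpenSSL rule: a PSK handed to OpenSSL through the old-style SSL_CTX_set_psk_client_callback() / SSL_CTX_set_psk_server_callback() API is, in TLS 1.3, bound to the SHA-256 handshake digest, so it can only complete a handshake with a ciphersuite whose hash is SHA-256 (TLS_AES_256_GCM_SHA384 uses SHA-384). Applying that rule to Zabbix assumes Zabbix registers its PSK through that old-style API, which the zbx_psk_client_cb() line in the debug output suggests but this page does not confirm; the parser for zabbix_server.conf and the sample inputs are constructed here to mirror the report.

```python
"""Ciphersuite compatibility check for Zabbix PSK over TLS 1.3.

Added example, not Zabbix or OpenSSL code. Models a documented OpenSSL rule:
a PSK supplied via the old-style psk_client/psk_server callback API is bound
to the SHA-256 handshake digest in TLS 1.3, so only SHA256-based suites can
complete a PSK handshake. Assumption: Zabbix uses that old-style API.
"""
import re

# The handshake digest is the last token of a TLS 1.3 ciphersuite name
# (TLS_AES_256_GCM_SHA384 -> SHA384, TLS_AES_128_CCM_8_SHA256 -> SHA256).
TLS13_SUITE_RE = re.compile(r"^TLS_[A-Z0-9_]+_(SHA256|SHA384)$")

# Digest an old-style-callback PSK is bound to (OpenSSL behaviour; assumed
# to apply to Zabbix, see the module docstring).
OLD_STYLE_PSK_DIGEST = "SHA256"


def parse_suite_list(value):
    """Split a colon-separated TLS 1.3 suite string (the format used by
    TLSCipherPSK13= and --tls-cipher13=), keeping order, dropping duplicates
    and rejecting anything that is not a TLS 1.3 suite name."""
    suites = []
    for name in value.split(":"):
        name = name.strip()
        if not name:
            continue
        if not TLS13_SUITE_RE.match(name):
            raise ValueError("not a TLS 1.3 ciphersuite name: %r" % name)
        if name not in suites:
            suites.append(name)
    return suites


def suite_digest(name):
    """Return the handshake digest (SHA256 or SHA384) of a TLS 1.3 suite."""
    m = TLS13_SUITE_RE.match(name)
    if not m:
        raise ValueError("not a TLS 1.3 ciphersuite name: %r" % name)
    return m.group(1)


def server_psk13_from_conf(conf_text):
    """Extract TLSCipherPSK13 from zabbix_server.conf text, skipping comment
    and blank lines the way `grep -Ev "^#|^$"` does. None if not set."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "TLSCipherPSK13":
            value = val.strip()  # last occurrence wins
    return value


def check_psk13(server_suites, client_suites, old_style_psk=True):
    """Return (shared, usable): suites offered by both sides, and the subset
    that can complete a PSK handshake under the digest rule."""
    shared = [s for s in server_suites if s in client_suites]
    if not old_style_psk:
        return shared, list(shared)
    usable = [s for s in shared if suite_digest(s) == OLD_STYLE_PSK_DIGEST]
    return shared, usable


def explain(server_value, client_value):
    """One-line verdict for a server TLSCipherPSK13 / sender --tls-cipher13 pair."""
    shared, usable = check_psk13(parse_suite_list(server_value),
                                 parse_suite_list(client_value))
    if not shared:
        return "FAIL: no TLS 1.3 ciphersuite is common to server and sender"
    if not usable:
        detail = ", ".join("%s (%s)" % (s, suite_digest(s)) for s in shared)
        return ("FAIL: shared suite(s) %s cannot be used with a %s-bound PSK"
                % (detail, OLD_STYLE_PSK_DIGEST))
    return "OK: PSK handshake can use " + ":".join(usable)


if __name__ == "__main__":
    # Constructed inputs mirroring the report: the server's config line and
    # the sender's --tls-cipher13 value, then the three-suite list that works.
    CONF = "# zabbix_server.conf excerpt\n\nTLSCipherPSK13=TLS_AES_256_GCM_SHA384\n"
    print(explain(server_psk13_from_conf(CONF), "TLS_AES_256_GCM_SHA384"))
    WORKING = ("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
               "TLS_AES_128_CCM_SHA256")
    print(explain(WORKING, WORKING))
```

The check only models the digest rule; it does not model which shared suite the server will select first, so a list that mixes SHA384 and SHA256 suites should still be confirmed with a real `zabbix_sender -vv` run before relying on it.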
Also, AES256 on this platform is hardware accelerated and ~3 times faster:

```
openssl speed -evp aes-256-gcm -seconds 10 -bytes 1420
Doing AES-256-GCM ops for 10s on 1420 size blocks: 36330741 AES-256-GCM ops in 9.96s
version: 3.2.2
built on: Tue Feb 11 00:00:00 2025 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"3.2.2-72e5e0a215be5736\"" -D_GNU_SOURCE -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
CPUINFO: OPENSSL_armcap=0x8fd
The 'numbers' are in 1000s of bytes per second processed.
type             1420 bytes
AES-256-GCM      5179683.96k
```

```
openssl speed -evp chacha20 -seconds 10 -bytes 1420
Doing ChaCha20 ops for 10s on 1420 size blocks: 13235767 ChaCha20 ops in 9.95s
version: 3.2.2
built on: Tue Feb 11 00:00:00 2025 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"3.2.2-72e5e0a215be5736\"" -D_GNU_SOURCE -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
CPUINFO: OPENSSL_armcap=0x8fd
The 'numbers' are in 1000s of bytes per second processed.
type             1420 bytes
ChaCha20         1888923.53k
```

While AES128 vs AES256 shows a much smaller difference in performance.
Note 1: The official Agent (installed from the repo) for 7.4.0 was built against OpenSSL 3.0.7, why?

```
zabbix_sender -V
zabbix_sender (Zabbix) 7.4.0
Revision 372a4e93c48 30 June 2025, compilation time: Jun 30 2025 00:00:00

Compiled with OpenSSL 3.0.7 1 Nov 2022
Running with OpenSSL 3.2.2 4 Jun 2024
```