ZABBIX BUGS AND ISSUES
ZBX-9879

https monitoring breaks when TLS V1.0 protocol disallowed

    Details

      Description

      Agent checks for net.tcp.service[https...] as well as web scenarios broke when the target server was reconfigured to disallow the TLS 1.0 protocol (forcing TLS 1.1/1.2). The web scenario reports the error message "SSL connect error: Encountered end of file".

      The underlying issue: curl (the shell command) attempting to connect to the same URL generates "NSS error -5938 (PR_END_OF_FILE_ERROR)" and error 35, but forcing the protocol with the '--tlsv1.1' option connects happily. However, there is no way to do this in the UI, and it's not clear why the current implementation won't negotiate >= 1.1 since it's capable.

        Activity

        Aleksandrs Saveljevs added a comment -

        http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html might or might not help with this.

        Aleksandrs Saveljevs added a comment -

        https://bugzilla.redhat.com/show_bug.cgi?id=1170339 is a somewhat related discussion.

        Arli added a comment -

        Setting CURL_SSLVERSION_TLSv1 or CURL_SSLVERSION_TLSv1_1 does help.
        The issue is becoming more vital as leading browsers are forcing the use of stronger protocols by marking sites using SSLv2/SSLv3/TLSv1.0 as insecure.

        dimir added a comment - edited

        Currently we are not setting any version, so we use the default, which is "attempt to figure out the remote SSL protocol version". I guess we need to add a radio button so that a user can select the SSL/TLS version to use. But this looks like a feature request, not a bug.

        Marc added a comment -

        As I assume this is unlikely to be addressed soon, but more and more sites are disabling TLS 1.0 and below, I suggest adding appropriate information to the documentation stating that Web scenarios using the https protocol may not be possible, at least on EL5 and EL6, due to limitations of libcurl.

        dimir added a comment -

        That's definitely a good point.

        Martins Valkovskis added a comment -

        Added to known issues in documentation. Linked to from the web monitoring page.

        dimir added a comment - edited

        1) "Known issues" could also mention agent checks. The section could be something like this:

        === HTTPS checks ===

        Web scenarios using the https protocol and agent checks net.tcp.service[https...] and net.tcp.service.perf[https...] may fail if the target server is configured to disallow the TLS v1.0 protocol or below. Please see ... for more information and available workarounds.

        2) In that case the link on the web monitoring page could be changed to "See also known issues for web monitoring using https protocol.".

        3) Also, 2 links to "known issues" could be added to the agent items page where net.tcp.service and net.tcp.service.perf are described.

        Martins Valkovskis Thanks for the suggestions. Updated sections: known issues and web monitoring. Linked from the agent item page as well.

        <dimir> Thanks! Made a small change on the agent page:

        See also known issues
        "for service checks using HTTPS protocol" -> "of checking HTTPS service"

        Martins Valkovskis Thanks, looking good to me.

        dimir added a comment -

        Looks like the documentation part is in place; now we just need to fix it.

        Fernando added a comment -

        Hi, we have deployed cURL 7.45 in a custom location and compiled the Zabbix server against that library, but we are still facing the problem. Is that expected?

        Zabbix 2.4
        RHEL 6.6

        dimir added a comment -

        The issue is still not resolved.

        Dan Goscomb added a comment -

        This is critical for us. We are not able to allow TLS1.0 due to PCI-DSS regulations, and are now unable to monitor some of our applications.

        John Ko added a comment -

        Is there an ETA for a fix? Our web scenarios broke after implementing TLSv1.2.

        Jinesh Choksi added a comment -

        Greetings. With the recent release of Zabbix v3.0, is the issue documented in this JIRA now resolved?

        John Ko added a comment -

        Hi Jinesh, we tested on the latest 3.0 beta and the issue is still occurring. -Thanks

        MATSUDA Daiki added a comment - edited

        This problem has 2 causes.
        1. Zabbix server does not set CURLOPT_SSLVERSION via curl_easy_setopt() for web monitoring.
        So libcurl uses the default value, i.e. CURL_SSLVERSION_DEFAULT, which includes the 2 protocols SSLv3 and TLSv1. But TLSv1 is simply TLS v1.0 and does not include TLS v1.1 and TLS v1.2.
        See the curl_easy_setopt manual: $ man curl_easy_setopt
        In short, to accept TLS v1.1 and v1.2 monitoring, Zabbix server must implement CURLOPT_SSLVERSION.

        2. libcurl may not support TLS v1.1 and TLS v1.2. In earlier RHEL 6.x, libcurl does not support TLS v1.1 and TLS v1.2; support starts with 7.19.7-43.
        So, for monitoring, libcurl must be updated.

        At the bottom, I attached 2 patches.
        1. SSLv2 and SSLv3 are dropped. Currently they are insecure, and many web servers do not accept them.
        zabbix-2.0.16-force-tlsv1.x.patch

        2. It accepts a new format for the url column, such as tlsv1@https://... This is compatible with the current Zabbix server implementation.
        zabbix-2.0.16-add-tlsv1.x-option.patch

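The diagnosis in the issue description (curl with its default protocol range ends in an EOF while --tlsv1.1 connects) and the cause given in the comment above can be confirmed from the Zabbix host with a small probe that pins one TLS version per handshake. This is an added example, not code from the issue, from Zabbix or from any of the attached patches; it assumes Python 3.7+ with the standard ssl module, and the host and port are whatever the caller passes in.

```python
import socket
import ssl

# Versions to try, oldest first (assumes Python 3.7+ with ssl.TLSVersion).
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def probe_version(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`. Returns 'ok', 'failed'
    (a server that disallows the version usually just closes the connection,
    which surfaces as ssl.SSLEOFError: the 'end of file' in this issue) or
    'unsupported' (the local TLS library cannot offer this version at all)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing negotiation only, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported"
    try:
        # OpenSSL >= 1.1 refuses to offer TLS 1.0/1.1 at its default security
        # level; lower it so the probe can offer what an old NSS libcurl offered.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # non-OpenSSL build: keep the default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.version()  # handshake completed with the pinned version
        return "ok"
    except OSError:  # ssl.SSLError, SSLEOFError and socket errors
        return "failed"


def probe_all(host, port=443):
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def diagnose(results):
    """Map probe results to the two outcomes discussed in the issue."""
    if results.get("TLSv1.0") == "ok":
        return "tls10-accepted"  # a client offering only SSLv3/TLS 1.0 still connects
    if any(results.get(v) == "ok" for v in ("TLSv1.1", "TLSv1.2")):
        return "tls10-rejected"  # CURL_SSLVERSION_DEFAULT on old NSS libcurl fails here
    return "no-handshake"        # not this issue: reachability, certificate or ciphers
```

Run `diagnose(probe_all("<monitored host>", 443))` from the Zabbix server host; "tls10-rejected" is the situation this issue describes, where the fix is CURLOPT_SSLVERSION set to TLS 1.1 or newer, or a libcurl that supports those versions.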
        MATSUDA Daiki added a comment -

        In my research, this is a bug where RHEL's implementation of the cURL package is not sufficient.
        Ideally, the cURL package should be fixed, and I attached the patch.

        In the latest cURL (7.48.0), this is already fixed. In addition, SSLv2 and SSLv3 are not used and only TLS v1.x is used by default.

        Kodai Terashima added a comment -

        This problem was fixed by Red Hat in RHEL 6.8; upgrading the libcurl library solves this issue.

        Pradeep Patil added a comment - edited

        I am not seeing this fixed with Zabbix 3.0 and 3.2 on RHEL 7, libcurl 7.51, OpenSSL 1.0.1e. My web monitoring still fails.

        Kim Jongkwon added a comment - edited

        If this problem cannot be resolved even after a curl update, you should also update curl's dependency packages (especially nss, nss-util, nspr, ...).


          People

          Assignee: Unassigned
          Reporter: K. M. Peterson
          Votes: 18
          Watchers: 26
