ZABBIX FEATURE REQUESTS / ZBXNEXT-3047

Windows Zabbix Agent Binary is not compiled with TLS Support

    Details

      Description

      As reported in IRC and as passed on by Volter, the Windows agent binaries are not compiled with TLS support. Enabling TLS in configure causes the zabbix service not to start. Running zabbix_agentd.exe manually outputs:

      zabbix_agentd.exe --config "c:\Program Files\Zabbix\win64\zabbix_agentd.win.conf"
      zabbix_agentd.exe [13004]: "TLSConnect" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
      zabbix_agentd.exe [13004]: "TLSAccept" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
      zabbix_agentd.exe [13004]: "TLSPSKIdentity" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
      zabbix_agentd.exe [13004]: "TLSPSKFile" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
      

        Activity

        Rock Rockovic added a comment -

        Hi all,

        I need that feature. I am wondering why it was compiled without, since cert authentication of agentd is part of a new feature of Zabbix 3.0.0.

        Mark Rogers added a comment -

        I can understand it not being automatically compiled, they're not going to assume we want a particular encryption.

        But I cannot find any help or documentation on how to compile ourselves.

        Aleksandrs Saveljevs added a comment -

        Documentation requested at ZBXNEXT-3168.

        Dave added a comment -

        Hi Guys,

        I am not a developer and I can count the number of times I have compiled programs (out of necessity) on my 2 hands. I am sure the guys who are comfortable with compiling apps and do it on a regular basis will be fine with compiling an agent for their needs in very little time.

        With that in mind, would someone mind compiling one with the TLS support and just add it to the downloads page with the other precompiled binaries?

        I am sure this would be quicker than me asking for assistance every time I come up with an error during the compile process.

        Aleksandrs Saveljevs added a comment -

        In "Zabbix-Agent-with-OpenSSL-1.0.2c.zip", please find attached Zabbix 3.0.1 32-bit binaries for Windows compiled with OpenSSL 1.0.2c. If you need other architectures or library versions, please let me know.

        Namai Kenta added a comment -

        Hi.
        Please for Windows 64-bit binaries.

        Aleksandrs Saveljevs added a comment -

        Please try "Zabbix-Agent-with-OpenSSL-1.0.2f-x64.zip".

        Dave added a comment -

        @Aleksandrs Thanks for the binaries, very grateful for your time. Do you also have a LIBEAY32.dll? The binary does not want to run without it.

        Namai Kenta added a comment -

        @Aleksandrs Thanks for the binaries, that worked!

        Aleksandrs Saveljevs added a comment -

        Please find "Zabbix-3.0.1-with-OpenSSL-1.0.2c-x86.zip" and "Zabbix-3.0.1-with-OpenSSL-1.0.2f-x64.zip" attached. They should have the necessary OpenSSL DLL files inside.

        Dave added a comment -

        Expanding on @Aleksandrs work. The attached zip includes msvcd120.dll as well as a basic conf file sourced from the template on the Downloads page for v3.0.0 for both x86 and x64. I have just tested by dropping the x64 package onto a server without visual studio run times and it works a treat using psk enc.

        Oleksiy Zagorskyi added a comment - - edited

        I did some investigation and here are some details:

        Zabbix agent requires 2 dll files to perform encryption: ssleay32.dll, libeay32.dll
        A page https://wiki.openssl.org/index.php/Binaries suggests a few sources for such binaries.
        The 1st link https://slproweb.com/products/Win32OpenSSL.html suggests binaries which depend on a "msvcr120.dll" file.
        The "msvcr120.dll" file comes from Visual C++ Redistributable Packages for Visual Studio 2013.
        Note the version here, issued in 2013 - it's very important. 2015 and 2012 versions do not provide such a file.
        The correct way to resolve the dependency is to install Microsoft Visual C++ Redistributable 2013. The direct link to download from the Microsoft site is https://www.microsoft.com/en-us/download/details.aspx?id=40784

        The 2nd link https://indy.fulgan.com/SSL/ suggests binaries which do not depend on the Microsoft Visual Studio Runtime DLLs, except for the system provided msvcrt.dll (which is installed by default).

        I've tested openssl-1.0.2f dlls from the 2nd link while C++ Redistributable 2013 was NOT installed and zabbix agent was able to work successfully with PSK encryption.
        It's possible to check this, for example using Process Explorer, and make sure that msvcr120.dll is not loaded by the running zabbix agent.
        So, I personally would prefer to use openssl dlls from the 2nd link to run zabbix agent on monitored hosts.
        The 2nd link contains only 2 dll files in a zip archive, which is better than many dlls in an exe installer from the 1st link.

        Another point worth mentioning is the location of the openssl dll files.
        These files may be installed system-wide together with other software which needs them. For example PHP, OpenVPN, Nmap etc. for Windows.
        Usually such software adds the location of such files to the PATH environment variable, so they can be found/used by any other application.
        It's easily possible that such installed dlls are outdated and do not work as expected for encryption. Such a case happened to me and other users in the past with the vmware management console.
        So, to make sure that the agent is using the desired dlls, the easiest way is to place these 2 dlls in the same folder where zabbix_agentd.exe is located.
        I think it's not such a bad approach to suggest in the official documentation.

        I think that Zabbix should not distribute openssl dlls together with zabbix agent binaries, especially with the binary from Microsoft.
        Just links where to download required dlls should be provided.

        Aleksandrs Saveljevs added a comment -

        I think that Zabbix should not distribute openssl dlls together with zabbix agent binaries, ...

        An important point in this regard then is documenting with which OpenSSL version Zabbix agent was compiled, so that users can download (or find on their own system) an appropriate version of OpenSSL DLL's.

        Quoting https://www.openssl.org/policies/releasestrat.html :

        Letter releases, such as 1.0.1a, exclusively contain bug and security fixes and no new features. Minor releases that change the last digit, e.g. 1.0.1 vs. 1.0.2, can and are likely to contain new features, but in a way that does not break binary compatibility. This means that an application compiled and dynamically linked with 1.0.0 does not need to be recompiled when the shared library is updated to 1.0.2.

        So if we compile Zabbix agent with OpenSSL 1.0.2c, users will be able to use OpenSSL 1.0.2f without problems, but will probably have to recompile the agent if they wish to upgrade to OpenSSL 1.1.0.
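
A check for the two points made in the comments above (load ssleay32.dll and libeay32.dll from the agent's own folder rather than from a stale copy on PATH, and stay within the OpenSSL series the agent was built against), as an added example that is not part of the original thread or of Zabbix. It assumes the DLLs carry their version as a plain "OpenSSL x.y.z" text string and models the search as agent folder first, then the directories passed in; the function names and the sample layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

REQUIRED_DLLS = ("ssleay32.dll", "libeay32.dll")  # the two files named in the thread
# Assumption: the library embeds its version text, e.g. "OpenSSL 1.0.2f  28 Jan 2016".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'1.0.2c' -> (1, 0, 2, 'c'); raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def embedded_version(dll_path):
    """Scan the file bytes for the embedded version text; None if absent."""
    m = VERSION_RE.search(Path(dll_path).read_bytes())
    if not m:
        return None
    return int(m[1]), int(m[2]), int(m[3]), m[4].decode()


def abi_status(built, found):
    """Apply the quoted release strategy: 1.0.x -> 1.0.y needs no recompile.

    Conservative reading (an assumption of this example): a library older
    than the build version in its third number is treated as a mismatch.
    """
    if found is None:
        return "unknown-version"
    if found[:2] != built[:2] or found[2] < built[2]:
        return "abi-mismatch"          # e.g. built with 1.0.2c, found 1.1.0 or 0.9.8
    if found[2] == built[2] and found[3] < built[3]:
        return "older-letter-release"  # loads, but lacks later bug/security fixes
    return "ok"


def find_copies(dll_name, search_dirs):
    """All copies in search order; Windows file names are case-insensitive."""
    hits = []
    for d in map(Path, search_dirs):
        if d.is_dir():
            hits += [p for p in sorted(d.iterdir()) if p.name.lower() == dll_name]
    return hits


def audit(agent_dir, later_dirs, built_with):
    """Per required DLL: which copy wins the search, and does it fit the build?"""
    built = parse_version(built_with)
    report = {}
    for dll in REQUIRED_DLLS:
        copies = find_copies(dll, [agent_dir, *later_dirs])
        if not copies:
            report[dll] = {"status": "missing", "loaded_from": None,
                           "beside_agent": False, "shadowed": []}
            continue
        winner = copies[0]
        report[dll] = {
            "status": abi_status(built, embedded_version(winner)),
            "loaded_from": str(winner),
            "beside_agent": winner.parent == Path(agent_dir),
            "shadowed": [str(p) for p in copies[1:]],  # copies that lose the search
        }
    return report


def demo():
    """Constructed layout: stale DLLs on PATH, then 1.0.2f copies beside the agent."""
    def fake_dll(path, version_text):
        path.write_bytes(b"MZ\x00\x00" + version_text.encode() + b"\x00")

    with tempfile.TemporaryDirectory() as tmp:
        agent, other = Path(tmp, "zabbix"), Path(tmp, "othertool")
        agent.mkdir()
        other.mkdir()
        for dll in REQUIRED_DLLS:
            fake_dll(other / dll.upper(), "OpenSSL 0.9.8zh 3 Dec 2015")
        before = audit(agent, [other], built_with="1.0.2c")
        for dll in REQUIRED_DLLS:
            fake_dll(agent / dll, "OpenSSL 1.0.2f  28 Jan 2016")
        after = audit(agent, [other], built_with="1.0.2c")
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        for dll, info in report.items():
            print(label, dll, info["status"], info["loaded_from"])
```

On a real host, pass the agent's install folder and the entries of the PATH variable as `later_dirs`; a result with `beside_agent` false means the agent depends on whatever another product installed.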

        João Sena Ribeiro added a comment - - edited

        Has anyone thought about using the mbed TLS library instead of OpenSSL for this purpose? It may have fewer dependencies and it's released under the Apache license.

        The documentation recommends it over OpenSSL for PSK usage, anyway.

        dimir added a comment - - edited

        This is what we were doing when testing encryption with Zabbix agent on Windows and mbed TLS.

        Installing mbed TLS

        • download cmake from here (use Windows (Win32 Installer) version, during installation choose to install to system PATH for all users)
        • download the latest stable mbed TLS library from here (as of this article the latest stable version is 1.3.10)
        • unpack mbed TLS tarball e. g. to \tmp\mbedtls
        • open command-line application (cmd.exe)
        • go to \tmp\mbedtls
        • run commands:
          cmake -D CMAKE_BUILD_TYPE=Release -D CMAKE_C_FLAGS_RELEASE="/MT /O2 /Ob2 /D NDEBUG" CMakeLists.txt
          nmake
          

        Compiling Zabbix with mbed TLS support

        • go to Zabbix sources directory
        • go to build\win32\project
        • run command (use Makefile_agent_x64 for 64-bit version):
          nmake -f Makefile_agent TLS=mbedtls TLSINCDIR="\tmp\mbedtls\include" TLSLIBDIR="\tmp\mbedtls\library"
          

          Alternatively you can specify full path to static mbed TLS library (and this is the only option if your mbed TLS library is named differently):

          nmake -f Makefile_agent TLS=mbedtls TLSINCDIR="\tmp\mbedtls\include" TLSLIB="\tmp\mbedtls\library\polarssl.lib"
          
        Morten Olsen added a comment -

        @Aleksandrs Saveljevs
        Can you compile the Windows 64-bit binaries with GnuTLS please?

        Aleksandrs Saveljevs added a comment -

        Morten, please find "Zabbix-3.0.3-with-GnuTLS-3.3.13-x86.zip" and "Zabbix-3.0.3-with-GnuTLS-3.4.9-x64.zip" attached.

        Kamil added a comment -

        Where do I get or how to compile
        Zabbix Agent 3.0.4 openssl 1.0.2h Win64

        Robert Gladewitz added a comment -

        Is it possible to publish Windows binaries for Zabbix version 3.2.0 also?

        Aleksandrs Saveljevs added a comment -

        Attaching the following compiled binaries for Zabbix 3.2.0:

        • Zabbix-3.2.0-with-GnuTLS-3.4.9-x64.zip
        • Zabbix-3.2.0-with-GnuTLS-3.4.9-x86.zip
        • Zabbix-3.2.0-with-OpenSSL-1.0.2h-x64.zip
        • Zabbix-3.2.0-with-OpenSSL-1.0.2h-x86.zip

        Could you please try running them and see if they work?

        Thorsten Kramm added a comment -

        I tested Zabbix-3.2.0-with-GnuTLS-3.4.9-x64.zip and Zabbix-3.2.0-with-OpenSSL-1.0.2h-x64.zip.
        Both are working. Connection to zabbix server is established flawlessly using TLSConnect=psk.

        Using zabbix_agentd.exe with foreground option works. But using it as a windows service does not work.
        As soon as TLSConnect=psk is activated in configuration, service terminated immediately after starting.
        Windows throws the following error:

        Windows could not start the Zabbix Agent service on Local Computer
        Error 1067: The process terminated unexpectedly.

        Running zabbix agent as service without encryption works as expected.
        Tested on Windows Server 2012 R2.

        Using nssm.exe to register zabbix agent as service works as a workaround.

        C:\Program Files\zabbix>nssm.exe install Zabbix "C:\Program Files\zabbix\zabbix_agentd.exe" -f -c zabbix_agentd.conf
        Service "Zabbix" installed successfully!

        Aleksandrs Saveljevs added a comment - - edited

        Thorsten, thanks for testing! I tried 32-bit binaries and they seem to work as a service with certificates and PSK on Windows Server 2008 (update: 64-bit binaries also work with PSK), but that might be a topic for discussion elsewhere (either on https://www.zabbix.org/wiki/Getting_help or a different JIRA issue if it turns out to be a bug).

        Aleksandrs Saveljevs added a comment - - edited

        While the full documentation will be handled in ZBXNEXT-3168, this comment attempts to document how the Zabbix 3.2.0 binaries above were built.

        As mentioned by Oleksiy Zagorskyi in one of the comments above, there are two main sources for Windows binaries for OpenSSL: (A) https://slproweb.com/products/Win32OpenSSL.html and (B) https://indy.fulgan.com/SSL/ . The first provides binaries that depend on some Microsoft DLL, the second is free of that dependency. Therefore, if we decide to distribute Zabbix agent together with OpenSSL libraries, we should probably choose (B).

        However, source (B) provides dynamic libraries at https://indy.fulgan.com/SSL/ and static libraries at https://indy.fulgan.com/SSL/LinkLibs/ , but it does not provide OpenSSL headers, which are required for building. Fortunately, those are provided in source (A). So my approach was to use headers from (A) and static libraries from (B) for building the binaries, and then package them with dynamic libraries from (B).

        For GnuTLS, it was much simpler - precompiled binaries from ftp://ftp.gnutls.org/gcrypt/gnutls/w32/ were used.

        Aleksandrs Saveljevs added a comment -

        Regarding ABI compatibility, there is a nice release strategy for OpenSSL mentioned in this comment, which basically says that users can upgrade OpenSSL dynamic libraries from 1.0.x to 1.0.y without recompiling Zabbix binaries.

        For GnuTLS, I have not found such a statement. However, the following quote from http://www.gnutls.org/devel.html looks promising:

        Our goal is to deliver a stable API and ABI for the library, but on certain major releases we have decided to break the ABI in order to deprecate old APIs and avoid clutter. To ensure API and ABI stability we rely on abi-compliance-checker and other tools.

        They also have a nice ABI tracker at https://gnutls.org/abi-tracker/timeline/gnutls/index.html , which shows that backward-incompatible changes tend to only be done in major releases (the second number in the version).

        Aleksandrs Saveljevs added a comment - - edited

        Regarding distribution, if we decide to include OpenSSL and GnuTLS libraries, Oleksiy Zagorskyi suggested to also include a README.txt file, which describes where these libraries come from.

        One question in this regard is a legal one. For instance, OpenSSL FAQ states (see https://www.openssl.org/docs/faq.html#LEGAL2 ):

        2. Can I use OpenSSL with GPL software?

        On many systems including the major Linux and BSD distributions, yes (the GPL does not place restrictions on using libraries that are part of the normal operating system distribution).

        On other systems, the situation is less clear. Some GPL software copyright holders claim that you infringe on their rights if you use OpenSSL with their software on operating systems that don't normally include OpenSSL.

        If you develop open source software that uses OpenSSL, you may find it useful to choose an other license than the GPL, or state explicitly that "This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed." If you are using GPL software developed by others, you may want to ask the copyright holder for permission to use their software with OpenSSL.

        In this particular case, it is probably apparent that we do not mind that Zabbix is being used with OpenSSL, because we specifically develop for it.

        Then there is also this note at https://www.openssl.org/source/ :

        Legalities

        Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world. So when you import this package to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention to any laws or regulations which apply to you. The authors of openssl are not liable for any violations you make here. So be careful, it is your responsibility.

        Not a lawyer, so not sure how scary that is to put OpenSSL and GnuTLS binaries on our website.

        Oleksiy Zagorskyi: If we take into account how other software that uses openssl does it, we see that they include the libraries in their Windows installers/archives. For example PHP, OpenVPN and probably many others.
        Picture of fresh downloads:
        PHP provides a zip archive, where in the root we see 2 openssl DLLs. Binaries with the same version/arch as in zabbix (1.0.2h) have a different size. It looks like it does require one of MS VC <NN> installed.

        OpenVPN provides an installer, where the default option to install OpenSSL DLLs locally is enabled. Locally means copying them to the openvpn*.exe files installation path. There are 2 other libs, installed the same way. Looks like MS VC <NN> is not required.

        So other software, say similar to zabbix, takes that approach, and I don't see reasons zabbix could not do the same.
        Don't even want to think about different licenses because it will be a nightmare.

        OpenSSL DLLs suggested by zabbix (source B), unlike the PHP/OpenVPN ones, have one additional property "Comment":

        Compiled by Frederik A. Winkelsdorf (opendec.wordpress.com) for the Indy Project (www.indyproject.org)

        that's useful.

        But I'd still include a README.txt (or something like that, like DLL-NOTES.txt, it would be even better) in archives with zabbix agent, which would mention the source of these files.

        Aleksandrs Saveljevs added a comment -

        For OpenSSL binaries, we should decide whether we wish to compile with OpenSSL 1.0.x or OpenSSL 1.1.0. The latter is possible since ZBX-11149.

        Andris Mednis added a comment -

        Compiling with OpenSSL 1.1.0 adds some Perfect Forward Secrecy ciphersuites for PSK, on the other hand it is very new. If possible build with both libraries. Users can choose.

        Bo Bashev added a comment - - edited

        Is it possible to publish Windows binaries for zabbix version 3.2.0 for PSK?

        Nick Duke added a comment -

        If you aren't going to include TLS support in the pre-compiled Windows binaries at least put a better error in the agent log file when it quits because the TLS parameters are not supported. In the default state of debug=3 there is nothing at all in the log, even though it fatal errors and exits.

        Sathya Laufer added a comment -

        I compiled version 3.2.3 with GnuTLS 3.4.9 for 64-bit Windows. It can be downloaded here: https://gitit.de/sathya/zabbix-agent-windows-x64-gnutls/

        Thomas Oftring added a comment -

        Is there any plan to release official Zabbix Agent binaries for Windows with PSK?
        Customers don't understand that Zabbix does not release one.

        dimir added a comment -

        Will try to get some attention to this.

        dimir added a comment -

        We need more votes to get attention to this task. Please ask more people to vote for it.

        Antti Hurme added a comment -

        Voted, this would be really to have out of the box from the zabbix official site.

        mma added a comment -

        Already voted !

        Sathya Laufer added a comment -

        A vote from me, too.

        richlv added a comment -

        please note that comments are not votes and only make the issue less likely to be checked by the developers - they have more comments to read through
        see http://zabbix.org/wiki/Docs/bug_reporting_guidelines for more detail

        Sebastian Treu added a comment -

        Any special place where to put those .dlls files? I can't start the services.

        This works:

        zabbix_agentd.exe --multiple-agents --install --config <config_file_1>
        zabbix_agentd.exe --multiple-agents --install --config <config_file_2>
        

        This doesn't:

        zabbix_agentd.exe --multiple-agents --start --config <config_file_1>
        zabbix_agentd.exe --multiple-agents --start --config <config_file_2>
        

        The error is: "The service did not respond to the start or control request in a timely fashion."

        config file 1:

        TLSConnect=unencrypted
        TLSAccept=unencrypted
        TLSPSKFile=foobar
        TLSPSKIdentity=my-psk
        HostnameItem=system.run[echo unencrypted-%COMPUTERNAME%]
        HostMetadata=123 windows
        Timeout=15
        ServerActive=<server-ip>
        RefreshActiveChecks=60
        Server=<server-ip>
        LogType=system
        

        config file 2:

        TLSConnect=psk
        TLSAccept=psk
        TLSPSKFile=foobar
        TLSPSKIdentity=my-psk
        HostnameItem=system.run[echo psk-%COMPUTERNAME%]
        HostMetadata=123 windows
        Timeout=15
        ServerActive=<server-ip>
        RefreshActiveChecks=60
        Server=<server-ip>
        LogType=system
        

        What I found so far is that when removing all TLS* options agent will start. But it won't start when setting TLSPSKIdentity or TLSPSKFile no matter if you've set TLSAccept or TLSConnect to unencrypted.

        Anyway, trying to use psk encryption is a no go for me with: Zabbix-3.2.0-with-OpenSSL-1.0.2h-x86 and Zabbix-3.2.0-with-GnuTLS-3.4.9-x86. Any ideas if I need to put those .dll's in some specific directory? I've tried putting them in C:\Windows\System32 with no luck.

        Sebastian Treu added a comment - - edited

        Found the issue... A badly generated hex string inside the psk file. Weird. I think something may be wrong in the agent code. Why would the process hang when setting TLSAccept=unencrypted and having an invalid psk file, it should be ignored.

        Sebastian Treu added a comment -

        Oh, BTW, important note: the PSK file MUST end with a newline. That's more weird indeed.

        Aleksandr Musaev added a comment - - edited

        Zabbix-3.2.4-with-mbed-TLS-1.3.19-x64 https://yadi.sk/d/PS-W6cXJ3HGmwQ
        Zabbix-3.2.4-with-mbed-TLS-1.3.19-x86 https://yadi.sk/d/Rd0rMo3B3HGmwe

        Zabbix-3.2.5-with-mbed-TLS-1.3.19-x64 https://yadi.sk/d/y5JiVTJO3HMhSn
        Zabbix-3.2.5-with-mbed-TLS-1.3.19-x86 https://yadi.sk/d/LZof5CfE3HMhSv

        darshan added a comment -

        Hi,

        I have tried all the openssl builds, but with all of them I keep on getting the error below, the CA is a local server.
        The CA certificates are working fine with Linux and Mac OSX clients.
        I couldn't find much online about this error. Can anyone please suggest what I need to do?

        ========
        cannot load CA certificate(s) from file ""c:\Program Files\Zabbix\ssl\certs\ca.pem"": file .\crypto\bio\bss_file.c line 175: error:0200107B:system library:fopen:Unknown error: fopen('"c:\Program Files\Zabbix\ssl\certs\ca.pem"','r') file .\crypto\bio\bss_file.c line 180: error:2006D002:BIO routines:BIO_new_file:system lib file .\crypto\x509\by_file.c line 253: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
        ========

        darshan added a comment -

        The error above was caused by quotations around the file path

        TLSAccept=cert
        TLSConnect=cert
        TLSCAFile="c:\Program Files\Zabbix\ssl\certs\ca.pem"
        TLSCertFile="c:\Program Files\Zabbix\ssl\certs\steveb-w10-van.uds.anu.edu.au.pem"
        TLSKeyFile="c:\Program Files\Zabbix\ssl\private_keys\steveb-w10-van.uds.anu.edu.au.pem"

        removing them resolved the error

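The two configuration pitfalls reported in the comments above (a malformed PSK file, and quotes around TLS file paths) can be caught before the service is started. The following linter is an added example, not part of the thread and not Zabbix code; the function names and the sample PSK path are hypothetical, and the 32..512 hex-digit limit is taken from the Zabbix documentation rather than from this page.

```python
import string

# Limits from the Zabbix documentation (not from this thread): a PSK is
# 32..512 hexadecimal digits, i.e. a 16..256 byte key.
PSK_MIN_HEX, PSK_MAX_HEX = 32, 512
TLS_FILE_PARAMS = ("TLSCAFile", "TLSCRLFile", "TLSCertFile", "TLSKeyFile", "TLSPSKFile")
QUOTES = ('"', "'")


def check_psk_bytes(data):
    """Return a list of problems found in the raw bytes of a PSK file."""
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data:
        return ["file has a BOM or NUL bytes (not saved as plain ASCII)"]
    problems = []
    if not data.endswith(b"\n"):
        # Reported in the thread: the PSK file must end with a newline.
        problems.append("file does not end with a newline")
    lines = data.decode("ascii", errors="replace").splitlines()
    if not lines or not lines[0]:
        return problems + ["first line is empty, no key found"]
    if any(line.strip() for line in lines[1:]):
        problems.append("extra non-empty lines after the key")
    key = lines[0]
    # Report only the offending characters, never the key itself.
    bad = sorted({c for c in key if c not in string.hexdigits})
    if bad:
        problems.append("non-hex characters in key: %r" % "".join(bad))
    if len(key) % 2:
        problems.append("odd number of hex digits (%d)" % len(key))
    if not PSK_MIN_HEX <= len(key) <= PSK_MAX_HEX:
        problems.append("key length %d outside %d..%d hex digits"
                        % (len(key), PSK_MIN_HEX, PSK_MAX_HEX))
    return problems


def parse_agent_conf(text):
    """Parse 'Parameter=value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def lint_tls_config(text, read_file=None):
    """Lint the TLS* parameters of an agent config; read_file(path) -> bytes."""
    conf = parse_agent_conf(text)
    findings = []
    for name in TLS_FILE_PARAMS:
        value = conf.get(name, "")
        if value.startswith(QUOTES) or value.endswith(QUOTES):
            # The error quoted in the thread shows the quotes reaching fopen().
            findings.append("%s: remove the quotes, they become part of the file name" % name)
    modes = set()
    for name in ("TLSConnect", "TLSAccept"):
        modes.update(m.strip() for m in conf.get(name, "unencrypted").split(","))
    if "psk" in modes:
        for name in ("TLSPSKIdentity", "TLSPSKFile"):
            if not conf.get(name):
                findings.append("%s is required when psk is enabled" % name)
    elif "TLSPSKFile" in conf or "TLSPSKIdentity" in conf:
        # Reported in the thread: a bad PSK file stops the agent even when
        # TLSConnect and TLSAccept are both 'unencrypted'.
        findings.append("TLSPSK* set although psk is not enabled; a bad PSK file still blocks startup")
    psk_path = conf.get("TLSPSKFile", "").strip("\"'")
    if psk_path and read_file is not None:
        try:
            data = read_file(psk_path)
        except OSError as exc:
            findings.append("TLSPSKFile: cannot read (%s)" % exc.__class__.__name__)
        else:
            findings += ["TLSPSKFile: " + p for p in check_psk_bytes(data)]
    return findings


# Constructed sample input, modelled on the configs quoted in the thread.
# The PSK path and key are made up; the key lacks its trailing newline.
SAMPLE_CONF = r"""TLSConnect=unencrypted
TLSAccept=unencrypted
TLSPSKFile=C:\zabbix\agent.psk
TLSPSKIdentity=my-psk
TLSCAFile="c:\Program Files\Zabbix\ssl\certs\ca.pem"
"""
SAMPLE_FILES = {r"C:\zabbix\agent.psk": b"6f3a" * 8}


def demo():
    return lint_tls_config(SAMPLE_CONF, SAMPLE_FILES.__getitem__)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To lint a real agent, pass the text of the agent configuration file and `read_file=lambda p: open(p, "rb").read()`.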
        KF added a comment -

        I downloaded 'Zabbix-3.2.5-with-mbed-TLS-1.3.19-x64' compiled by Alexander. However, Windows Defender deleted it immediately as it said it contained a trojan.

        A zabbix supported precompiled version would be greatly appreciated.

        Alexandr added a comment -

        Zabbix agent 3.2.6 available?

        Kay Baur added a comment -

        Zabbix agent 3.4 available?

        Aleksandr Musaev added a comment -

        Zabbix-3.4.1-with-GnuTLS-3.6.0.1-x86_64 https://drive.google.com/open?id=0ByXlAhQQidqSLU1jREpRM0VaTzA
        Zabbix-3.4.1-with-OpenSSL-1.1.0f-x86_64 https://drive.google.com/open?id=0ByXlAhQQidqSZUlWQmtJUGN2SnM

        Andris Mednis added a comment -

        Please note that Zabbix agents in attachments are neither compiled by current Zabbix employees nor supported by Zabbix.

        Thomas Oftring added a comment -

        The real problem is, there is no supported Windows Agent with Encryption, but Zabbix advertises with Enterprise Ready and encryption.
        See here: https://www.zabbix.com/enterprise_ready (Paragraph Security)
        No word about that there is no official supported agent for Windows by Zabbix itself. The most customers and Zabbix Users also have
        Windows systems, they would like to monitor and use Encryption. It's beyond their comprehension why there is encryption support in Zabbix but not for the windows systems.
        This change request is open since near two years, hope that Zabbix would react to this in the future.

        sh0thub added a comment -

        Hello, today I successfully compiled zabbix agent 3.0.11 with TLS support (openssl 1.1.0f) on Windows 10 Pro using VS2015 with the steps:

        1. Download Visual C++ 2015 Build Tools from http://landinghub.visualstudio.com/visual-cpp-build-tools (direct link: http://go.microsoft.com/fwlink/?LinkId=691126)
        2. Install Visual C++ 2015 Build Tools with checked SDK for Windows 10
        3. Download zabbix source files, extract using 7-zip or another software, for example to c:\zabbix_src
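        4. Fix some files in zabbix sources in C:\zabbix_src\build\win32\project to successfully compile:
          • Change line in resources.rc file from #include "afxres.h" to #include "windows.h"
          • Change line in Makefile_sender_dll file from ..\..\..\src\zabbix_sender\win32\zabbix_sender.o to ..\..\..\src\zabbix_sender\zabbix_sender.o
        5. Download and install OpenSSL 1.1.0f (Full, not Light) from https://slproweb.com/products/Win32OpenSSL.html
          • For compile 32-bit zabbix agent download Win32 OpenSSL v1.1.0f - https://slproweb.com/download/Win32OpenSSL-1_1_0f.exe
          • For compile 64-bit zabbix agent download Win64 OpenSSL v1.1.0f - https://slproweb.com/download/Win64OpenSSL-1_1_0f.exe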
        6. Run VC2015 shell using Start\Programs\Visual C++ Build Tools\Windows Desktop Command Prompts
          • For compile 32-bit zabbix agent run Visual C++ 2015 x86 Native Build Tools Command Prompt
          • For compile 64-bit zabbix agent run Visual C++ 2015 x64 Native Build Tools Command Prompt
        7. cd to extracted zabbix sources, subfolder build\win32\project:
          • CD C:\zabbix_src\build\win32\project
        8. Run nmake with these parameters:
          • For compile 32-bit zabbix agent run: nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib"
          • For compile 64-bit zabbix agent run: nmake CPU=AMD64 TLS=openssl TLSINCDIR="C:\OpenSSL-Win64\include" TLSLIBDIR="C:\OpenSSL-Win64\lib"
          • Note: Before running another compilation, please create empty copy of zabbix sources, simple "nmake clear" is not enough.
        9. Compiled binaries will be in:
          • For 32-bit: C:\zabbix_src\bin\win32
          • For 64-bit: C:\zabbix_src\bin\win64
        10. Copy these openssl dll to directory, where you built binaries (you need to copy these files to directory, where you have zabbix_agentd.exe)
          • For 32-bit: C:\OpenSSL-Win32\bin\msvcr120.dll, C:\OpenSSL-Win32\libcrypto-1_1.dll, C:\OpenSSL-Win32\libssl-1_1.dll
          • For 64-bit: C:\OpenSSL-Win64\bin\msvcr120.dll, C:\OpenSSL-Win64\libcrypto-1_1.dll, C:\OpenSSL-Win64\libssl-1_1.dll
        11. Enjoy zabbix agent with TLS
        12. Check compiled TLS support in zabbix_agentd log file: TLS support: YES

        I only tested VS2015, but 2017 will probably work too.
        I hope this helps.

        Andris Mednis added a comment -

        Thanks, sh0thub, for sharing !
        VS 2017 RC Community Edition works, too.

        sh0thub added a comment -

        I successfully compiled also zabbix agent 3.4.2 with TLS support (openssl 1.1.0f) on Windows 10 Pro using VS2015. Due to new dependency for zabbix 3.4 (PCRE library), there are little more steps in this howto. I tested only 64-bit agent, but 32-bit should work too...

        1. Download Visual C++ 2015 Build Tools from http://landinghub.visualstudio.com/visual-cpp-build-tools (direct link: http://go.microsoft.com/fwlink/?LinkId=691126)
        2. Install Visual C++ 2015 Build Tools with checked SDK for Windows 10
        3. Download zabbix source files, extract using 7-zip or another software, for example to c:\zabbix_src
        4. Fix some files in zabbix sources in C:\zabbix_src\build\win32\project to successfully compile:
          • Change line in resources.rc file from #include "afxres.h" to #include "windows.h"
          • Change line in Makefile_sender_dll file from ..\..\..\src\zabbix_sender\win32\zabbix_sender.o to ..\..\..\src\zabbix_sender\zabbix_sender.o
        5. Download and install OpenSSL 1.1.0f (Full, not Light) from https://slproweb.com/products/Win32OpenSSL.html
          • For compile 64-bit zabbix agent download Win64 OpenSSL v1.1.0f - https://slproweb.com/download/Win64OpenSSL-1_1_0f.exe
        6. Download PCRE library (new mandatory library for zabbix 3.4) from pcre.org, version 8.XX, not pcre2 (ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.41.zip)
        7. Extract to directory C:\pcre-8.41
        8. Install CMake from https://cmake.org/download/, during install select: Add CMake to system PATH for all users (tested version 3.9.4)
        9. Run VC2015 shell using Start\Programs\Visual Studio 2015\Visual Studio Tools\Windows Desktop Command Prompts\
          • For compile 64-bit zabbix agent run VS2015 x64 Native Tools Command Prompt
        10. Create directory build in C:\pcre-8.41
          • cd C:\pcre-8.41
          • mkdir build
          • cd build
        11. Run cmake command:
          • cmake -G "Visual Studio 14 2015 Win64" -DPCRE_SUPPORT_UNICODE_PROPERTIES=ON -DPCRE_SUPPORT_UTF=ON -DCMAKE_C_FLAGS_RELEASE:string="/MT" ..
        12. Compile pcre library with:
          • msbuild PCRE.sln /property:Configuration="Release"
        13. cd to extracted zabbix sources, subfolder build\win32\project:
          • CD C:\zabbix_src\build\win32\project
        14. Run nmake with these parameters:
          • For compile 64-bit zabbix agent run: nmake CPU=AMD64 TLS=openssl TLSINCDIR="C:\OpenSSL-Win64\include" TLSLIBDIR="C:\OpenSSL-Win64\lib" PCREINCDIR=c:\pcre-8.41 PCRELIBDIR=c:\pcre-8.41\build\Release
        15. Note: nmake without specified Makefile compile zabbix_agentd, zabbix_sender, zabbix_get and zabbix_sender_dll. If you only want one component, add corresponding parameter at the end of nmake command:
          • /f Makefile_agent
          • /f Makefile_get
          • /f Makefile_sender
          • /f Makefile_sender_dll
        16. Compiled binaries will be in:
          • For 64-bit: C:\zabbix_src\bin\win64
        17. Copy these openssl dll to directory, where you built binaries (you need to copy these files to directory, where you have zabbix_agentd.exe, or zabbix_sender, zabbix_get)
          • For 64-bit: C:\OpenSSL-Win64\bin\msvcr120.dll, C:\OpenSSL-Win64\libcrypto-1_1.dll, C:\OpenSSL-Win64\libssl-1_1.dll

        It would be great, to have officially support for TLS, so you can't compile own agent...
        Happy compiling...


          People

          • Assignee:
            Andris Mednis
            Reporter:
            James Lodge
          • Votes:
            54
            Watchers:
            58