Uploaded image for project: 'ZABBIX FEATURE REQUESTS'
  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-3395

make client authentication optional in TLS communication with certificates

    XMLWordPrintable

Details

    • Change Request
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.0.3
    • None
    • Agent (G), Proxy (P), Server (S)
    • None
    • Agent on Windows 2008-2012 and Linux RHEL6, server Linux RHEL6

    Description

      Dear team,

      we are working with agent-server communication encryption

      • two-way encryption works fine ?
      • we would like to have one-way encryption (asymmetric) so when client initiate communication with server (while keeping it unencrypted the other way around).
        The problem we have with one way encryption is that, even if only TLSConnect is equal to "cert", so encryption should be used only for agent outbound connections, the agent will not start without an agent certificate as well/key.

      I.e. agent configuration file:
      Hostname=XXXXXX
      LogFile=D:\zabbix\Zabbix_agentd.log
      DebugLevel=4
      TLSConnect=cert
      TLSAccept=unencrypted
      TLSCAFile=D:\eon\zabbix\zabbix_ca_file
      EnableRemoteCommands=1
      LogRemoteCommands=1
      Server=YYYY
      ServerActive=YYYY
      Include=D:\zabbix\zabbix_agentd.userparams.conf

      The agent on Windows will not start.

      The same happens with the Linux agent ? but providing a clearer error:
      Starting Zabbix agent: zabbix_agentd [16788]: ERROR: parameter "TLSConnect" value requires "TLSCertFile", but it is not defined

      Is this expected, i.e. by design Zabbix is using not only encryption but also client authentication over TLS (so the server will ask the client, in this case the agent to provide its certificate to authenticate it? Otherwise, if this is not the intended design, can it be classified as an issue/bug?

      Thanks in advance for your help
      Cheers
      Marco

      Attachments

        Activity

          People

            Unassigned Unassigned
            pioltellim MarcoP
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: