Uploaded image for project: 'ZABBIX FEATURE REQUESTS'
  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-3604

Hardcoded Ciphers

          Details

          • Type: Change Request
          • Status: Need info
          • Priority: Critical
          • Resolution: Unresolved
          • Affects Version/s: 3.2.1
          • Fix Version/s: None
          • Component/s: Agent (G), Proxy (P), Server (S)
          • Labels:
          • Environment:
            CentOS 6

            Description

            When my 3.2.1 zabbix server starts, it immediately crashes with: cannot set list of PSK ciphersuites: file ssl_lib.c line 1314: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

            It appears when support for OpenSSL 1.1.0 was added, the minimum ciphersuite selection was reduced from "RSA+aRSA+AES128" to "PSK-AES128-CBC-SHA". My CentOS 6 openssl doesn't support PSK-AES128-CBC-SHA, but it does have 3 supported ciphers that match RSA+aRSA+AES128.

            Ideally there would be a TLSCiphers configuration setting that allows specifying them manually with a sane default, but in the near term can we make the ZBX_CIPHERS_PSK define be set to "RSA+aRSA+AES128", which would support the previously cipher suites properly.

              Attachments

                Activity

                  People

                  • Assignee:
                    Unassigned
                    Reporter:
                    ruckc Curtis Ruck
                  • Votes:
                    4 Vote for this issue
                    Watchers:
                    7 Start watching this issue

                    Dates

                    • Created:
                      Updated: