-
Type:
New Feature Request
-
Status: In Progress
-
Priority:
Critical
-
Resolution: Unresolved
-
Affects Version/s: 3.2.1
-
Fix Version/s: 5.0.0beta1 (master), 5.0 (plan)
-
Component/s: Agent (G), Proxy (P), Server (S)
-
Environment:CentOS 6
-
Team:Team A
-
Sprint:Sprint 59 (Dec 2019), Sprint 60 (Jan 2020), Sprint 61 (Feb 2020)
-
Story Points:2
When my 3.2.1 zabbix server starts, it immediately crashes with: cannot set list of PSK ciphersuites: file ssl_lib.c line 1314: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
It appears when support for OpenSSL 1.1.0 was added, the minimum ciphersuite selection was reduced from "RSA+aRSA+AES128" to "PSK-AES128-CBC-SHA". My CentOS 6 openssl doesn't support PSK-AES128-CBC-SHA, but it does have 3 supported ciphers that match RSA+aRSA+AES128.
Ideally there would be a TLSCiphers configuration setting that allows specifying them manually with a sane default, but in the near term can we make the ZBX_CIPHERS_PSK define be set to "RSA+aRSA+AES128", which would support the previously cipher suites properly.