ECDSA certificate support in server and agent


    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Trivial
    • Affects Version/s: 4.0.12, 4.2.6, 4.4.0alpha3
    • Component/s: Agent (G), Server (S)
    • Environment:
      CentOS 7.7
      native openssl - OpenSSL 1.0.2k-fips 26 Jan 2017

      It's my first problem report, so if there is something I did wrong, please say so.

      Steps to reproduce:

      For CentOS 7.7

      In zabbix agent

      Have a certificate (for instance a site's ECDSA HTTPS certificate), add it to the agent config, and then restart the agent.

      TLSConnect = cert
      TLSAccept = cert

      # OS CA list for certificate chain validation
      TLSCAFile   = /etc/pki/tls/certs/ca-bundle.crt
      # Zabbix agent (CLIENT) certificate/chain and private key
      TLSCertFile = /path/to/your/<intermediate-and-ecdsa-certificate>.pem
      TLSKeyFile  = /path/to/your/<private-ecdsa-key>.pem

       

      In zabbix server

      Have a certificate (for instance a site's ECDSA HTTPS certificate), add it to the server config, and then restart the Zabbix server.

      # OS CA list for certificate chain validation
      TLSCAFile = /etc/pki/tls/certs/ca-bundle.crt

      # Zabbix SERVER certificate/chain and private key
      TLSCertFile = /path/to/your/<intermediate-and-ecdsa-certificate>.pem
      TLSKeyFile = /path/to/your/<private-ecdsa-key>.pem

       

      Result:

      ECDSA certificates/private keys don't work.

       

      Expected:

      Using ECDSA certificates/private keys with no issues.

       

      Additional comments:

      The problem seems to be that the ECDHE cipher suite area is hardcoded, only allowing RSA keys (for certificate mode), and then PSK:

      #define ZBX_CIPHERS_CERT_ECDHE "EECDH+aRSA+AES128:"

      Here: https://github.com/zabbix/zabbix/blob/master/src/libs/zbxcrypto/tls.c#L3241-L3242

      Maybe it can be fixed by just changing from

      #define ZBX_CIPHERS_CERT_ECDHE "EECDH+aRSA+AES128:"

      to

      #define ZBX_CIPHERS_CERT_ECDHE "EECDH+aECDSA+AES128:EECDH+aRSA+AES128:"


            Assignee: Zabbix Support Team
            Reporter: André Pereira da Silva
            Votes: 1
            Watchers: 5

                Time Spent: 1h 50m
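The following is an added example, not code from the report or from Zabbix. It uses Python's ssl module, which hands an OpenSSL-style cipher string to the locally installed OpenSSL parser, to show what the hardcoded define and the proposed replacement actually expand to, and why an ECDSA key pair cannot be selected under the original string: every ECDHE suite it matches authenticates with RSA. The two cipher strings are copied from the report; the helper names (expand_cipher_string, auth_types, certificate_usable) and the "auth-rsa"/"auth-ecdsa" labels (Python's naming) are this example's own. It assumes a Python build linked against OpenSSL 1.1.1 or later with EC support; the aECDSA alias used in the proposed define also exists in the reporter's OpenSSL 1.0.2k.

```python
import ssl

# Cipher strings quoted in the issue: the hardcoded define and the proposed one.
ZBX_CIPHERS_CERT_ECDHE_CURRENT = "EECDH+aRSA+AES128:"
ZBX_CIPHERS_CERT_ECDHE_PROPOSED = "EECDH+aECDSA+AES128:EECDH+aRSA+AES128:"


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL and return the
    ECDHE suites it selects as (suite name, authentication type) pairs, in
    negotiation order, e.g. ("ECDHE-RSA-AES128-GCM-SHA256", "auth-rsa").

    TLS 1.3 suites are certificate-type agnostic ("kx-any"/"auth-any") and
    are dropped, because the Zabbix define only governs the TLS 1.2 ECDHE list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that matches no suite at all.
        return []
    return [
        (c["name"], c["auth"])
        for c in ctx.get_ciphers()
        if c["kea"] == "kx-ecdhe"
    ]


def auth_types(cipher_string):
    """Set of certificate authentication types reachable with this list.
    An ECDSA certificate/key is only usable when "auth-ecdsa" is present."""
    return {auth for _name, auth in expand_cipher_string(cipher_string)}


def certificate_usable(cipher_string, key_type):
    """key_type is "rsa" or "ecdsa", i.e. the algorithm of the TLSKeyFile."""
    return "auth-" + key_type in auth_types(cipher_string)


def report(label, cipher_string):
    print(f"{label}: {cipher_string}")
    for name, auth in expand_cipher_string(cipher_string):
        print(f"    {name:<32} {auth}")
    for key_type in ("rsa", "ecdsa"):
        print(f"    {key_type.upper()} certificate usable: "
              f"{certificate_usable(cipher_string, key_type)}")


if __name__ == "__main__":
    report("current define ", ZBX_CIPHERS_CERT_ECDHE_CURRENT)
    report("proposed define", ZBX_CIPHERS_CERT_ECDHE_PROPOSED)
```

The proposed string lists the aECDSA group first, so an ECDSA-capable peer is offered the ECDSA suites before the RSA ones; a peer configured with an RSA certificate still finds its suites in the second group, so existing RSA deployments keep working.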