  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-6816

Check PSKs for duplicates on every configuration cache synchronization


    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Trivial
    • Agent (G), Proxy (P), Server (S)
    • Oracle Linux 8.4
      Zabbix Server/Agent 5.4.1

      Create two hosts with the same PSK and different keys. This will produce an error like:

      "conflicting PSK values for PSK identity"
      

      A key can be created like this:

      openssl rand -hex 64
      

      Add an auto-registration rule with the same PSK; on the agent side you get:

      started to fail (TCP successful, cannot establish TLS to [[10.211.55.2]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/record/rec_layer_s3.c line 1543: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter: SSL alert number 47: TLS read fatal alert "illegal parameter")
      

      Add another host with the same PSK and Connect to: PSK, Connect from: NoEnc, PSK.

      Restart the agent multiple times or wait for the autoregistration process.

      The hosts get registered. The next restart will fail with the already mentioned message.

      Second inconsistency: enable autoregistration with both no encryption and PSK encryption.

      The host will be registered even if the PSK identity has duplicates, but the host will be added with PSK-only encryption.

      Some installations have another error for the same issue with a duplicate PSK identity:

       16867:20210604:123345.523 host PSK and autoregistration PSK have the same identity "Zabbix" but different PSK values, autoregistration will not be allowed
       16867:20210604:123345.527 autoregistration from "1.2.3.4" denied (host:"host_name" ip:"1.2.3.4" port:10050): connection used PSK which is not configured for autoregistration
      
      

      Expected:
      It looks like PSK keys are used in a round-robin way before auto-registration is denied.
      Also, the message "connection used PSK which is not configured for auto-registration" has no useful meaning or description; it should be documented in the known issues.

      Assignee: Unassigned
      Reporter: Edgar Akhmetshin (edgar.akhmetshin)
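The duplicate check requested in the title, sketched as an added example (not Zabbix code): it groups a constructed inventory of host and autoregistration PSK settings by identity and reports every identity bound to more than one key value. The record layout, the `source` names and the sample keys are assumptions made for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (not real keys); "source" names are hypothetical.
SAMPLE_RECORDS = [
    {"source": "host:web01", "identity": "Zabbix", "psk": "1f" * 32},
    {"source": "host:web02", "identity": "Zabbix", "psk": "1F" * 32},  # same key, other case
    {"source": "autoregistration", "identity": "Zabbix", "psk": "2e" * 32},
    {"source": "host:db01", "identity": "db-psk", "psk": "3d" * 32},
    {"source": "host:app01", "identity": "", "psk": ""},  # PSK not configured
]


def fingerprint(psk_hex):
    """Short SHA-256 fingerprint of the key bytes, so reports never contain the PSK."""
    return hashlib.sha256(bytes.fromhex(psk_hex)).hexdigest()[:12]


def find_psk_conflicts(records):
    """Return {identity: {fingerprint: [sources]}} for every PSK identity that is
    bound to more than one distinct key. Identities with a single key are omitted."""
    by_identity = defaultdict(lambda: defaultdict(list))
    for rec in records:
        if not rec["identity"] and not rec["psk"]:
            continue  # entry does not use PSK at all
        # Comparing decoded bytes makes hex case irrelevant.
        by_identity[rec["identity"]][fingerprint(rec["psk"])].append(rec["source"])
    return {
        ident: {fp: sorted(srcs) for fp, srcs in keys.items()}
        for ident, keys in by_identity.items()
        if len(keys) > 1
    }


if __name__ == "__main__":
    for ident, keys in find_psk_conflicts(SAMPLE_RECORDS).items():
        print(f'conflicting PSK values for PSK identity "{ident}"')
        for fp, srcs in keys.items():
            print(f"  key sha256:{fp} used by {', '.join(srcs)}")
```

Running the same grouping before each configuration change would surface the host/autoregistration mismatch before an agent hits the TLS alert.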