- Change Request
- Resolution: Unresolved
- Medium
- None
- 7.0.0alpha3
- 1
During work on issue ZBX-22060, it was noticed that the behaviour of the TLS parameters in the PostgreSQL plugin differs from that of the parameters providing the same functionality in the psql command-line client.
Another related issue: ZBX-23217
The behaviour of the following parameters should be checked and reconsidered:
1. TLSConnect:
- There are 3 other encryption modes: prefer (default mode), allow, disable. Maybe there is no point in adding the allow and disable modes, but prefer should probably be available.
- If the parameter is not specified, it should default to prefer (in that case, if hostssl is specified in the pg_hba.conf file on the server to require encryption from the client, encryption will be used automatically and TLSConnect will not need to be specified at all).
- The value required should probably be renamed to require, as this is the value used by the parameter with the same functionality in the psql client and in the ODBC driver.
- The values verify_ca and verify_full should probably be renamed to verify-ca and verify-full respectively, to avoid confusion and because these values are also used in the psql client and in the ODBC driver.
2. TLSCAFile:
- The value should default to ~/.postgresql/root.crt (that is, if the agent is running as user zabbix it will effectively be /var/lib/zabbix/.postgresql/root.crt, if as root, /root/.postgresql/root.crt, etc.; check the sslrootcert parameter in the documentation).
- If root.crt is present in the default location (or specified with TLSCAFile), TLSConnect=require should act as TLSConnect=verify-ca; this is mentioned in the documentation.
3. TLSCertFile:
- Value should default to ~/.postgresql/postgresql.crt (check the note about CA certificate above).
- This parameter should be ignored if an SSL connection is not made (check the sslcert parameter description).
4. TLSKeyFile:
- Value should default to ~/.postgresql/postgresql.key (check the note about CA certificate above).
- This parameter should be ignored if an SSL connection is not made (check the sslkey parameter description).
Consult the PostgreSQL documentation about encryption modes and options in libpq and certificates usage:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
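The resolution rules requested in items 1 to 4, sketched as an added Go example; this is not code from the Zabbix plugin or from this ticket. The TLSConfig struct, the Resolve function and the injected file-existence check are hypothetical names, and the sketch accepts all six libpq mode names, including allow and disable.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// TLSConfig holds the four plugin parameters named in the ticket (hypothetical struct).
type TLSConfig struct{ Connect, CAFile, CertFile, KeyFile string }

// legacy maps the plugin's current spellings to the libpq sslmode names.
var legacy = map[string]string{"required": "require", "verify_ca": "verify-ca", "verify_full": "verify-full"}

// Resolve fills in libpq-style defaults. home is the agent user's home directory;
// exists reports whether a file is present (injected so the logic is testable).
func Resolve(c TLSConfig, home string, exists func(string) bool) (TLSConfig, error) {
	if c.Connect == "" {
		c.Connect = "prefer" // libpq default sslmode
	}
	if m, ok := legacy[c.Connect]; ok {
		c.Connect = m
	}
	switch c.Connect {
	case "disable":
		return TLSConfig{Connect: "disable"}, nil // no TLS: cert parameters are ignored
	case "allow", "prefer", "require", "verify-ca", "verify-full":
	default:
		return c, fmt.Errorf("unknown TLSConnect value %q", c.Connect)
	}
	for _, f := range []struct {
		val  *string
		name string
	}{{&c.CAFile, "root.crt"}, {&c.CertFile, "postgresql.crt"}, {&c.KeyFile, "postgresql.key"}} {
		if *f.val == "" {
			*f.val = filepath.Join(home, ".postgresql", f.name)
		}
	}
	// libpq treats require as verify-ca when a root CA file is present.
	if c.Connect == "require" && exists(c.CAFile) {
		c.Connect = "verify-ca"
	}
	return c, nil
}

func main() {
	// Constructed input: legacy spelling, root.crt present in the default location.
	got, err := Resolve(TLSConfig{Connect: "required"}, "/var/lib/zabbix", func(string) bool { return true })
	fmt.Println(got, err)
}
```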