[ZBX-11761] PSK error should report attempted+supported keys
Created: 2017 Jan 31  Updated: 2019 Jan 28  Resolved: 2019 Jan 28

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G), Server (S)
Affects Version/s: None
Fix Version/s: 3.0.25rc1, 4.0.4rc1, 4.2.0alpha3, 4.2 (plan)

Type: Problem report
Priority: Trivial
Reporter: Josh Soref
Assignee: Andrejs Kozlovs
Resolution: Fixed
Votes: 1
Labels: usability
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Team A
Sprint: Sprint 47, Dec 2018, Sprint 48, Jan 2019
Story Points: 0.5

 Description   

I have configured a bunch of Zabbix agents. I work from a template, and once in a while I mess up the template. Specifically, I ended up with:

TLSPSKIdentity=PSK 036# to match PSK identity below

instead of:

TLSPSKIdentity=PSK 036

Agent passive error:

24945:20170130:172308.495 failed to accept an incoming connection: from REMOTEIP: TLS handshake returned error code 1: file s3_srvr.c line 2764: error:1408B0DF:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:psk identity not found: TLS write fatal alert "unknown PSK identity"

Agent active error:

24946:20170130:171002.125 active check configuration update from [REMOTEHOST:10051] started to fail (TCP successful, cannot establish TLS to [[REMOTEHOST]:10051]: SSL_connect() returned SSL_ERROR_SSL: file s3_pkt.c line 1259: error:1409445B:SSL routines:SSL3_READ_BYTES:reason(1115): SSL alert number 115: TLS read fatal alert "unknown PSK identity")

Server passive error:

32399:20170130:193807.212 failed to accept an incoming connection: from REMOTEIP: TLS handshake returned error code 1: file s3_srvr.c line 2803: error:1408B0DF:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:psk identity not found: TLS write fatal alert "unknown PSK identity"

Server active reporting:

32396:20170130:191005.393 temporarily disabling Zabbix agent checks on host "HOSTNAME": host unavailable

I'm pretty sure that with some effort Zabbix can report the name of the PSK being provided and the name of the PSK that's supported.

Doing that would vastly improve the UX for this.

Also, I don't see why the Server-active case doesn't ever log the PSK failing specifically; the lack of symmetry seems odd.
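
An added example, not part of the original report and not Zabbix code: a small Python check that reads an agent configuration the way the report's outcome implies ("#" starts a comment only at the beginning of a line, so trailing text stays in the value) and reports the configured PSK identity next to the expected one. The sample config, the TLSPSKFile path and the function names are constructed for illustration.

```python
# Constructed sample: agent config fragment containing the mistake from the report.
SAMPLE_AGENT_CONF = """\
# TLS settings
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=PSK 036# to match PSK identity below
TLSPSKFile=/etc/zabbix/agent.psk
"""


def parse_conf(text):
    """Return {parameter: (line number, value)}.

    A line is a comment only if '#' is its first non-blank character;
    a '#' later in the line is kept as part of the value.
    """
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = (lineno, value.strip())
    return params


def check_psk_identity(conf_text, expected_identity):
    """Compare TLSPSKIdentity with the identity configured on the peer."""
    params = parse_conf(conf_text)
    if "TLSPSKIdentity" not in params:
        return ["TLSPSKIdentity is not set"]
    lineno, identity = params["TLSPSKIdentity"]
    findings = []
    if identity != expected_identity:
        findings.append(
            f"line {lineno}: configured identity {identity!r} "
            f"does not match expected {expected_identity!r}")
    if "#" in identity:
        # Heuristic: '#' is allowed in a value, but usually signals an inline comment.
        head = identity.split("#", 1)[0].rstrip()
        findings.append(
            f"line {lineno}: value contains '#', the trailing text is sent "
            f"as part of the identity; did you mean {head!r}?")
    return findings


if __name__ == "__main__":
    for finding in check_psk_identity(SAMPLE_AGENT_CONF, "PSK 036"):
        print(finding)
```

Run against each templated agent config before deployment, this prints both the attempted and the expected identity, which is the information the handshake errors above omit.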



 Comments   
Comment by Glebs Ivanovskis (Inactive) [ 2017 Feb 07 ]

The error which is missing in the log file must be present in the frontend next to the failed item in Configuration -> Hosts.

Comment by Josh Soref [ 2017 Feb 07 ]

I'm pretty sure it is. But it's pretty odd that 1/4 is only available in that other location.

And please note, that's more of an aside, it isn't the key point of the ticket (I don't even need help sorting out my PSKs, they're fixed).

Comment by Andrejs Kozlovs [ 2019 Jan 22 ]

Fixed in:

  • pre-3.0.25rc1 r88643
  • pre-4.0.4rc1 r88644
  • pre-4.2.0alpha3 (trunk) r88646