[ZBX-11803] Make Zabbix work without PSK Created: 2017 Feb 12  Updated: 2019 Apr 15  Resolved: 2019 Apr 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 3.2.3
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: Bernard Spil Assignee: Unassigned
Resolution: Duplicate Votes: 1
Labels: patch
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

FreeBSD 11.0-p7 / LibreSSL


Attachments: File patch-Zabbix-3.2.3-server-OPENSSL_NO_PSK     File patch-src_libs_zbxcrypto_tls.c    
Issue Links:
Duplicate
is duplicated by ZBX-15552 Compilation failed on OpenBSD 6.3 wit... Closed

 Description   

Zabbix does not support building without PSK (Pre-Shared Key) capability.
LibreSSL has removed PSK; this makes Zabbix fail to build.

I've patched the 3.2.3 sources to build without PSK using the `OPENSSL_NO_PSK` standard define from `openssl/opensslconf.h`.
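
An added example, not the attached patch or Zabbix code, of the compile-time guard described above: PSK paths are compiled only when `OPENSSL_NO_PSK` is absent, and a configuration that asks for PSK in a PSK-less build is rejected instead of being downgraded. `HAVE_TLS_PSK`, `tls_psk_compiled_in`, `validate_tls_mode` and the mode names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* opensslconf.h defines OPENSSL_NO_PSK when the library lacks PSK. The
 * __has_include guard only lets this sketch build without TLS headers. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslconf.h>)
#    include <openssl/opensslconf.h>
#  endif
#endif

#ifndef OPENSSL_NO_PSK
#  define HAVE_TLS_PSK 1
#else
#  define HAVE_TLS_PSK 0
#endif

/* Hypothetical helper: was PSK code compiled into this build? */
int tls_psk_compiled_in(void) { return HAVE_TLS_PSK; }

/* Hypothetical config check (mode names are assumptions): returns 0 if
 * the requested mode is usable in this build, -1 with a message if not. */
int validate_tls_mode(const char *mode, char *err, size_t errlen)
{
    if (0 == strcmp(mode, "unencrypted") || 0 == strcmp(mode, "cert"))
        return 0;
    if (0 == strcmp(mode, "psk")) {
#if HAVE_TLS_PSK
        return 0;
#else
        /* Fail closed: never substitute another mode silently. */
        snprintf(err, errlen, "\"psk\" requested, but TLS library has no PSK");
        return -1;
#endif
    }
    snprintf(err, errlen, "unknown TLS mode \"%s\"", mode);
    return -1;
}

int main(void)
{
    const char *modes[] = { "unencrypted", "cert", "psk", "bogus" };
    char err[128];
    for (size_t i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
        int rc = validate_tls_mode(modes[i], err, sizeof(err));
        printf("%-11s -> %s\n", modes[i], 0 == rc ? "ok" : err);
    }
    return 0;
}
```

Building with `-DOPENSSL_NO_PSK` simulates a PSK-less library on a system whose headers still provide PSK.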



 Comments   
Comment by Glebs Ivanovskis (Inactive) [ 2017 Feb 17 ]

LibreSSL website says that their libssl is backward-compatible with OpenSSL. So theoretically you should be able to build Zabbix with LibreSSL without any modifications. What is the problem then?

Comment by Sebastian YEPES [ 2017 Sep 17 ]

The problem is not the compatibility; it's just that the LibreSSL lib is named differently, and when the build process makes reference to -lopenssl, this does not exist.

Comment by Glebs Ivanovskis (Inactive) [ 2017 Sep 25 ]

Dear syepes, you are not entirely correct. While LibreSSL provides a new library and a new "better" API, they also position themselves as a drop-in replacement for OpenSSL and therefore support the old API and provide good old libcrypto and libssl. From their website:

LibreSSL releases contain several parts:

  • libcrypto: a library of cryptography fundamentals
  • libssl: a TLS library, backwards-compatible with OpenSSL
  • libtls: a new TLS library, designed to make it easier to write foolproof applications
  • Various utilities such as openssl(1), nc(1), and ocspcheck(1).

Comment by Sebastian YEPES [ 2017 Oct 03 ]

@Glebs Ivanovskis, well, on paper more or less yes, but in practice it does not compile on environments like Alpine, where LibreSSL is now the default lib.
I have found other issues open for the same problem; it would be cool to at least have the option of compiling without SSL until this is resolved.
ZBX-12210

Comment by Glebs Ivanovskis (Inactive) [ 2017 Oct 03 ]

You mean compiling Zabbix without SSL? It is possible.

Comment by Sebastian YEPES [ 2017 Oct 03 ]

Yes, as a workaround for not being able to compile Zabbix on Alpine +3.5, it would be nice to disable all the SSL stuff on compilation.

Comment by Bernard Spil [ 2018 Apr 28 ]

The same problem exists when OpenSSL is built without PSK support:

`./Configure no-psk`

Attached a new patch that disables PSK support in 3.4.
I understand this is not how Zabbix operates by default, but there are people that have no issue with (automatically) deploying keys/certs for authentication.

PS. I am the maintainer of OpenSSL and LibreSSL ports on FreeBSD

Comment by Andris Mednis [ 2019 Apr 15 ]

I propose to close this ticket. It has been solved in ZBX-15552 and released in updates to supported versions: 3.0.26, 4.0.6, 4.2.0.

Now Zabbix can use LibreSSL as OpenSSL replacement or OpenSSL compiled without PSK support.

You can reopen it if it is not solved.
