[ZBX-14343] The default locations of SSL certs and keys can be read via zabbix-web Created: 2018 May 10 Updated: 2020 Jan 19 |
|
| Status: | Reopened |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Packages (C) |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Problem report | Priority: | Trivial |
| Reporter: | Kento Takahashi | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Sprint: | Sprint 34, Sprint 35, Sprint 36, Sprint 37, Sprint 38, Sprint 39, Sprint 40, Sprint 41, Sprint 42, Sprint 43, Sprint 44, Sprint 45, Sprint 46, Nov 2018, Sprint 47, Dec 2018 |
| Story Points: | 0.5 |
| Description |
|
When I install zabbix-server and zabbix-web packages on the same host, I can get SSL certs and keys via web frontend. In zabbix-server-4.0.0alpha6 package, `zabbix_server --help` shows the default locations as below. Some configuration parameter default locations: AlertScriptsPath "/usr/share/zabbix/alertscripts" ExternalScripts "/usr/share/zabbix/externalscripts" SSLCertLocation "/usr/share/zabbix/ssl/certs" SSLKeyLocation "/usr/share/zabbix/ssl/keys" LoadModulePath "/usr/lib64/zabbix/modules" The first 4 locations are in /usr/share/zabbix and exposed by zabbix-web. So I can read the files via URL like http://zabbix.example.com/zabbix/ssl/keys/secret.key. I know I can configure the locations by zabbix_server.conf, but it is safer to set the default values outside /usr/share/zabbix so that they are not exposed unintentionally. The default location of SSLCertLocation should be changed to something like "/etc/zabbix/ssl/certs", and so do the others. |
| Comments |
| Comment by Marc [ 2018 May 11 ] | ||||||||||||||||||
|
How about storing it in the usual PKI directory of the respective distributions (e.g. /etc/pki/tls/private/, /etc/ssl/private, /etc/apache2/ssl/private, ...)? | ||||||||||||||||||
| Comment by Kento Takahashi [ 2018 May 14 ] | ||||||||||||||||||
|
Sounds good to me.
| ||||||||||||||||||
| Comment by richlv [ 2018 May 30 ] | ||||||||||||||||||
|
That would probably mean support in "configure" for various distros/locations, right? | ||||||||||||||||||
| Comment by dimir [ 2018 Sep 12 ] | ||||||||||||||||||
|
Since it's the packages that install frontend to /usr/share/zabbix and leave defaults for SSL paths, suggestion is to apply changes to packages only. The following configuration parameters of server/proxy config files are affected:
The AlectScriptsPath and ExternalScripts are already set to /usr/lib/zabbix in packages. The changes only affect new installations, existing ones won't be affected. | ||||||||||||||||||
| Comment by dimir [ 2018 Sep 21 ] | ||||||||||||||||||
|
It seems this solution will not be complete. It might get bit confusing when packaged version still uses the real default with --help: $ zabbix_server --help ... SSLCertLocation "/usr/share/zabbix/ssl/certs" SSLKeyLocation "/usr/share/zabbix/ssl/keys" ... Also, current auto-tools setup looks really suspicious. During configure we actually declare variables CURL_SSL_<CERT|KEY>LOCATION only to use them for assigning to DEFAULT_SSL<CERT|KEY>_LOCATION: $ grep CURL_SSL_KEY_LOCATION * -r
configure.ac:CURL_SSL_KEY_LOCATION="${datadir}/zabbix/ssl/keys"
configure.ac:AC_SUBST(CURL_SSL_KEY_LOCATION)
configure.ac:CURL_SSL_KEY_LOCATION=`eval echo "${CURL_SSL_KEY_LOCATION}"`
configure.ac:CURL_SSL_KEY_LOCATION=`eval echo "${CURL_SSL_KEY_LOCATION}"`
configure.ac: SSL keys: ${CURL_SSL_KEY_LOCATION}"
configure.ac: SSL keys: ${CURL_SSL_KEY_LOCATION}"
src/zabbix_server/Makefile.am: -DDEFAULT_SSL_KEY_LOCATION="\"@CURL_SSL_KEY_LOCATION@\"" \
src/zabbix_proxy/Makefile.am: -DDEFAULT_SSL_KEY_LOCATION="\"@CURL_SSL_KEY_LOCATION@\"" \
I think we should rather add at least those 2 options to configure to be able to specify certs/keys for encryption, as richlv suggested:
Also, we should do something with those autoconf CURL* variables. I wonder why they are pointing to hard-coded path /usr/share/zabbix/ssl? And they aren't used anywhere in the code. I guess these were meant for default CURLOPT_CAPATH but it actually uses "SSLCALocation" configuration option, if it's set. |