[ZBX-14600] [PSK] Unable to send data via zabbix_sender for other encrypted hosts Created: 2018 Jul 12  Updated: 2018 Aug 06  Resolved: 2018 Aug 06

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 3.4.11
Fix Version/s: None

Type: Incident report Priority: Major
Reporter: Dmitry Verkhoturov Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: encryption, zabbix_sender, zabbix_server
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I have hosts A and B and Zabbix server Z, all on version 3.4.11. Host B has an item trapper_item_key with type Zabbix Trapper; Allowed hosts might be set to Z or stay unset, it doesn't affect anything at all. Scenarios:

  1. Not encrypted connection between A and Z, B and Z.
      A$ zabbix_sender -k trapper_item_key -o 0 -s B -z Z
      A$ zabbix_sender -k trapper_item_key -o 0 -s B -c /etc/zabbix/zabbix_agentd.conf
      ### Expected:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      ### Actual:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      
  2. Encrypted connection (PSK) between A and Z, not encrypted connection between B and Z.
      A$ zabbix_sender -k trapper_item_key -o 0 -s B -z Z
      ### Encryption is not used for this connection due to only -z option passed.
      ### Expected:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      ### Actual:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      A$ zabbix_sender -k trapper_item_key -o 0 -s B -c /etc/zabbix/zabbix_agentd.conf
      ### Encryption is used because it's set in the configuration, PSK settings for host A
      ### Expected:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      ### Actual:
      # info from server: "processed: 0; failed: 1; total: 1; seconds spent: 0.000018"

  3. Encrypted connection (PSK) between A and Z, B and Z, keypairs for A and B are different
      A$ zabbix_sender -k trapper_item_key -o 0 -s B -z Z
      ### Encryption is not used for this connection due to only -z option passed.
      ### Expected:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      ### Actual:
      # info from server: "processed: 0; failed: 1; total: 1; seconds spent: 0.000018"
      A$ zabbix_sender -k trapper_item_key -o 0 -s B -c /etc/zabbix/zabbix_agentd.conf
      ### Encryption is used because it's set in the configuration, PSK settings for host A
      ### Expected:
      # info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000018"
      ### Actual:
      # info from server: "processed: 0; failed: 1; total: 1; seconds spent: 0.000018"
      

All scenarios with processed: 0 items are actual problems. It seems to me that Zabbix server is incorrectly checking the PSK for trapper items on a host with PSK encryption enabled when data is coming from some other host without encryption or with another PSK key.



 Comments   
Comment by Glebs Ivanovskis [ 2018 Jul 13 ]

Are you using the same PSK value with different PSK identities on hosts A and B?

Comment by Dmitry Verkhoturov [ 2018 Jul 14 ]

Different PSK with different values. Both hosts can send data for themselves with enabled encryption.

The problem is that the PSK check is made in situations where it should not be.

Comment by Glebs Ivanovskis [ 2018 Jul 14 ]

Please correct me if I'm wrong. Here is your configuration:

Host               | A      | B
Connection to host | PSK    | PSK
PSK identity       | A      | B
PSK                | aa...a | bb...b

You are sending values for host B from host A using PSK identity and PSK of host A. And Zabbix server rejects them, right?

Comment by Dmitry Verkhoturov [ 2018 Jul 14 ]

Yes, that's correct. Gleb, are you back?

Comment by Glebs Ivanovskis [ 2018 Jul 17 ]

Sort of. There is a slight difference between glebs.ivanovskis and me – I am a regular community member just like you.

The fact that Zabbix server can decipher values for host B using the credentials of host A does not mean that it should process them as if it were a normal situation. While it may work when both A and B are monitored by the server directly, this will inevitably break when A and B are moved to different proxies. Such "accidental" breakage with no visible reason would produce a really bad user experience.

Comment by Dmitry Verkhoturov [ 2018 Jul 18 ]

Sounds reasonable. If that's the company's position as well, I think it could be closed as "Won't fix".
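
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from the Zabbix source: acceptance of a value is decided from the target host's encryption settings and PSK identity, so the sender's own credentials do not authorise data for another host. The class and function names are hypothetical, and identities A and B follow the table in the comments.

```python
from dataclasses import dataclass
from typing import Optional

UNENCRYPTED, PSK = "unencrypted", "psk"

@dataclass(frozen=True)
class HostConfig:
    """What the server has on record for a monitored host (constructed fields)."""
    accepted: frozenset                  # connection types accepted for this host
    psk_identity: Optional[str] = None

@dataclass(frozen=True)
class Connection:
    """How the sender actually connected to the server."""
    kind: str
    psk_identity: Optional[str] = None

def accepts(target: HostConfig, conn: Connection) -> bool:
    """Decide whether values for `target` may arrive over `conn`.

    The decision depends only on the target host's settings, never on
    which machine the sender runs on.
    """
    if conn.kind not in target.accepted:
        return False                     # e.g. plaintext data for a PSK-only host
    if conn.kind == PSK:
        # The handshake proved knowledge of some PSK; it must be the target's.
        return conn.psk_identity == target.psk_identity
    return True

def run_scenarios() -> dict:
    """Replay the report's three scenarios: sender on host A, data for host B."""
    plain_b = HostConfig(frozenset({UNENCRYPTED}))
    psk_b = HostConfig(frozenset({PSK}), psk_identity="B")
    via_z = Connection(UNENCRYPTED)           # -z Z only: no TLS settings
    via_conf_plain = Connection(UNENCRYPTED)  # -c, agent config without PSK
    via_conf_psk_a = Connection(PSK, "A")     # -c, agent config holds A's PSK
    return {
        "1 -z": accepts(plain_b, via_z),
        "1 -c": accepts(plain_b, via_conf_plain),
        "2 -z": accepts(plain_b, via_z),
        "2 -c": accepts(plain_b, via_conf_psk_a),
        "3 -z": accepts(psk_b, via_z),
        "3 -c": accepts(psk_b, via_conf_psk_a),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(name, "processed: 1" if ok else "failed: 1")
```

The results match the "Actual" lines in the description: only the connections whose type and identity agree with host B's own settings are processed.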
