[ZBX-18005] Ubuntu 18 PSK-auth fails when server allows CERT-auth for other hosts Created: 2020 Jul 02 Updated: 2024 Apr 10 Resolved: 2020 Aug 02 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Packages (C) |
Affects Version/s: | 5.0.1 |
Fix Version/s: | 5.2 (plan) |
Type: | Problem report | Priority: | Trivial |
Reporter: | Stefan | Assignee: | Jurijs Klopovskis |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Team: | |
Sprint: | Sprint 66 (Jul 2020) |
Story Points: | 0.5 |
Description |
After also enabling CERT-auth on the server, Ubuntu 18 clients fail to do PSK authentication.
Looks like a wrong TLS handshake happens. The Ubuntu 18 zabbix_agent package is also linked with a very old openssl.
|
Comments |
Comment by Stefan [ 2020 Jul 03 ] |
Can someone please raise the severity? This is a showstopper right now for us :/ |
Comment by Kristians Pavars [ 2020 Jul 06 ] |
Hi siegmarb,
Could you please confirm what is your server OS and what is your agent OS? Does it work properly with Ubuntu 20.04 or 16.04 agents?
Thanks, |
Comment by Stefan [ 2020 Jul 06 ] |
Hi Kristians,
You will find all the information in the provided link. Yes, it works with Ubuntu 16 or 20.
Server-OS is Ubuntu18.0.4 - all latest with zabbix 5 all latest. |
Comment by Kristians Pavars [ 2020 Jul 07 ] |
Confirmed on Ubuntu 18.04 - passive checks work but active checks fail. Server is Ubuntu 20.
Server log:
4478:20200707:090644.219 failed to accept an incoming connection: from 10.100.10.93: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 3687: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate: TLS write fatal alert "unknown"
Agent log:
16716:20200707:090644.213 SSL_shutdown() with zbx.server set result code to 1: file ../ssl/ssl_lib.c line 2072: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
16716:20200707:090644.214 active check configuration update from [zbx.server:10051] started to fail (TLS read set result code to 1: file ../ssl/record/rec_layer_s3.c line 1528: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required: SSL alert number 116: TLS read fatal alert "unknown")
On CentOS 7, Ubuntu 20 agent works as expected
|
Comment by Stefan [ 2020 Jul 07 ] |
Can you please raise the severity? It's a blocker and not trivial. |
Comment by Jurijs Klopovskis [ 2020 Jul 07 ] |
Fixed in pre 5.0.2. Please wait for 5.0.2 release. |
Comment by Stefan [ 2020 Jul 08 ] |
Is this fixed in the server component of zabbix or the client component? Do we have to update the server or the client? Thank you for your quick fix. |
Comment by Jurijs Klopovskis [ 2020 Jul 08 ] |
Zabbix release 5.0.2 will be built with OpenSSL 1.1.1. Hopefully that will resolve the issue. We still have to wait till 5.0.2 comes out. Stay tuned for the update. |
Comment by Stefan [ 2020 Jul 08 ] |
But do we have to update the zabbix-server or the problematic zabbix-clients to 5.0.2? |
Comment by Jurijs Klopovskis [ 2020 Jul 08 ] |
Update whatever you had on Ubuntu 1804. I presume that's zabbix-agent in your case. |
Comment by Stefan [ 2020 Jul 08 ] |
Can you also please re-build for 4.0-release as this is still LTS? |
Comment by Jurijs Klopovskis [ 2020 Jul 08 ] |
All new builds on Ubuntu 1804 will be with OpenSSL 1.1.1, this includes the next 4.0.23 release. |