[ZBX-20677] Agent 2 web.certificate.get for windows doesn't require cert chain for the verification Created: 2022 Feb 25 Updated: 2022 Mar 01 |
|
Status: | Confirmed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent2 plugin (G) |
Affects Version/s: | 6.0.0 |
Fix Version/s: | None |
Type: | Problem report | Priority: | Trivial |
Reporter: | IMBI | Assignee: | Zabbix Development Team |
Resolution: | Unresolved | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Zabbix Agent 2 6.0.0 on Debian 10 |
Attachments: |
Description |
The Agent 2 6.0.0 on Debian 10 returns a wrong validation result for one of our systems with very similar certificates:

Steps to reproduce:

# zabbix_get -s 127.0.0.1 -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1

Result (6.0 / not working):

{"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE","not_before":{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN=intranet.imbi.uni-heidelberg.de,OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"invalid","message":"failed to verify certificate: x509: certificate signed by unknown authority"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}

Expected: result for the certificate in question from an Agent 2 5.4.10 on Windows (5.4 / working):

zabbix_get -s 129.206.*.* -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K2" --tls-psk-file k2

{"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE","not_before":{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN=intranet.imbi.uni-heidelberg.de,OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"certificate verified successfully"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}

Or the result for a certificate from the same issuer (6.0 / working / another certificate):

zabbix_get -s 127.0.0.1 -k web.certificate.get["box.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1

{"x509":{"version":3,"serial_number":"2584d2443c7454a7c5e2a2fb","signature_algorithm":"SHA256-RSA","issuer":"CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE","not_before":{"value":"Oct 12 09:26:20 2021 GMT","timestamp":1634030780},"not_after":{"value":"Nov 12 09:26:20 2022 GMT","timestamp":1668245180},"subject":"CN=box.imbi.uni-heidelberg.de,OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["box.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"certificate verified successfully"},"sha1_fingerprint":"fdeb66d92a8cd0d54227f58a16165d73debe0a91","sha256_fingerprint":"5101c4c20d92b69d8d0817c62d99c5c0344830d6f6a9b45787511660420e2182"}
|
Comments |
Comment by Edgar Akhmetshin [ 2022 Feb 28 ] |
Hello,

It would be helpful to get the output from:

openssl s_client -showcerts -connect intranet.imbi.uni-heidelberg.de:443
openssl s_client -showcerts -connect box.imbi.uni-heidelberg.de:443

and also a debug level 5 log from Agent 2 for 6.0.0.

Regards, |
Comment by IMBI [ 2022 Feb 28 ] |
Dear Edgar,
thank you very much for your answer. Your intuition was right that openssl also could not verify the certificate:

root@monitor:~# openssl s_client -showcerts -connect intranet.imbi.uni-heidelberg.de:443
CONNECTED(00000003)
depth=0 C = DE, ST = Baden-Wuerttemberg, L = Heidelberg, O = Ruprecht-Karls-Universitaet Heidelberg, OU = Institut fuer Medizinische Biometrie, CN = intranet.imbi.uni-heidelberg.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Baden-Wuerttemberg, L = Heidelberg, O = Ruprecht-Karls-Universitaet Heidelberg, OU = Institut fuer Medizinische Biometrie, CN = intranet.imbi.uni-heidelberg.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Baden-Wuerttemberg, L = Heidelberg, O = Ruprecht-Karls-Universitaet Heidelberg, OU = Institut fuer Medizinische Biometrie, CN = intranet.imbi.uni-heidelberg.de
   i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
-----BEGIN CERTIFICATE-----
MIIJQDCCCCigAwIBAgIMJQKHLG3kA3VC8H/4MA0GCSqGSIb3DQEBCwUAMIGNMQsw
CQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVz
IERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4t
UEtJMSUwIwYDVQQDDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nIENBMB4XDTIx
MDcwNTEzMzExMFoXDTIyMDgwNTEzMzExMFowgckxCzAJBgNVBAYTAkRFMRswGQYD
VQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxEzARBgNVBAcMCkhlaWRlbGJlcmcxLzAt
BgNVBAoMJlJ1cHJlY2h0LUthcmxzLVVuaXZlcnNpdGFldCBIZWlkZWxiZXJnMS0w
KwYDVQQLDCRJbnN0aXR1dCBmdWVyIE1lZGl6aW5pc2NoZSBCaW9tZXRyaWUxKDAm
BgNVBAMMH2ludHJhbmV0LmltYmkudW5pLWhlaWRlbGJlcmcuZGUwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDC1fTplUFgW1XkxGxxiDT4qANS/obCx5Bb
WyoCf/WSwUKmAIf68Ti21Xmu7Uyt9lhyuQDN5B28aj+GSH0fCcJk15teUFNlOFUc
hdAGZqP6KXF08kjHMniYncItvSDK1dlzn/q4OiF7r7sEijOq/O17qOVn7C1z0nHI
hDKBr8AP3w9/IHqNw4Vip9mKIp8ErvPSMCSYMFSwfq0vYn9c32cgHs04AAZbUE31
d843HQDea9EEn3IrlnZgfuS+k1TgeFyKY58mcdsjpVHrxYO56qPjY9rpbrFutmpY
txqcweEhGo8ic5tPIwHtukC0AMIYQ+ypH8yfZkM90h0AVlb9z9omfF6fGBkrSpmf
h/L2XmplJc1AuXEy7gAo58cMWCSWL0x1zMgOpvmt9+anev3v/o79WHvP9ZRFVvSa
ZOVf9R4zGXutnjm6c6i0U/Nzl7YTOxkNVRaUfS668H2HxmrxP5YuLQtZktQhSu6W
wmTl3smLF/fGZ1Wgq6Zb7tlMdyzaCMAU59oioyJBVc/80Eg0ikRHhIdoHiMEQdB/
SgcuTr0OA7XDGtUyC0NMZOzWrcXMRF/N5vgc8TqNkLVt7wzKGnmi6sXrDiDt9xKc
VRoZPKHnm5QcC27dCuGUJqv89nrFC5YdUewWxkv9m80WAtg0/6y7hwFxtiv7bqMR
NuS2QqQxZQIDAQABo4IEYDCCBFwwVwYDVR0gBFAwTjAIBgZngQwBAgIwDQYLKwYB
BAGBrSGCLB4wDwYNKwYBBAGBrSGCLAEBBDAQBg4rBgEEAYGtIYIsAQEECTAQBg4r
BgEEAYGtIYIsAgEECTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
DDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUUyIrFW1U9zSj3pVRoGRzoXDITjcwHwYD
VR0jBBgwFoAUazqYi/nyU4na4K2yMh4JH+iqO3QwKgYDVR0RBCMwIYIfaW50cmFu
ZXQuaW1iaS51bmktaGVpZGVsYmVyZy5kZTCBjQYDVR0fBIGFMIGCMD+gPaA7hjlo
dHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NybC9j
YWNybC5jcmwwP6A9oDuGOWh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZGZuLWNhLWds
b2JhbC1nMi9wdWIvY3JsL2NhY3JsLmNybDCB2wYIKwYBBQUHAQEEgc4wgcswMwYI
KwYBBQUHMAGGJ2h0dHA6Ly9vY3NwLnBjYS5kZm4uZGUvT0NTUC1TZXJ2ZXIvT0NT
UDBJBggrBgEFBQcwAoY9aHR0cDovL2NkcDEucGNhLmRmbi5kZS9kZm4tY2EtZ2xv
YmFsLWcyL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDBJBggrBgEFBQcwAoY9aHR0cDov
L2NkcDIucGNhLmRmbi5kZS9kZm4tY2EtZ2xvYmFsLWcyL3B1Yi9jYWNlcnQvY2Fj
ZXJ0LmNydDCCAfUGCisGAQQB1nkCBAIEggHlBIIB4QHfAHYARqVV63X6kSAwtaKJ
afTzfREsQXS+/Um4havy/HD+bUcAAAF6dt2dbgAABAMARzBFAiEA7MFkraFPdbFL
A6jKBYomyENq3TBONDtmP9EFX1DOC/cCIE2yIWgLXfgHgvW38/eEXSoEI/rPKVQl
DcAByvkvAx4ZAHYAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF6
dt2lAgAABAMARzBFAiEA46Gi4sK2hfqQmht6TP5oCJquKSO+/ncp9EYA7A9EXicC
IC0mZIq0Yc56xGUVTWkIrHZv2a52phhWTSTT0XFMv9nwAHUAb1N2rDHwMRnYmQCk
URX/dxUcEdkCwQApBo2yCJo32RMAAAF6dt2dqwAABAMARjBEAiAb7fWnEXvKz3Jl
6eGytnw5DdnuBwo2hNqQv8NyEvERRAIgRdjIRz+PDbrmPGZMt2LqlyD2d5rXMkBV
xCUBZK5QeucAdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAXp2
3Z68AAAEAwBHMEUCIQCrWJ0UU3UKl/mKZTh8pYUkwfWtpeqWOeFLygTFKE1vLQIg
LD/Y3yIxBSD33azatyHbePDhbsP7ottTAegaA0M1tawwDQYJKoZIhvcNAQELBQAD
ggEBAHxJfT+fGXLT6/1iTtFGJ1RsAjBdp7OjQKerYH8RD+2fKZayivrXZ5rhCqOY
UxbozhM3ZZNoAE7XRpXJxXJqfUxcIocU0OqsQStJVLSR7W03h8Ens3qzrjNbPjWv
bIVXWTLDsd8agxTJ2rMAX3CENlPh7c+IYsHGsQ8eWdA9yX0mmBDPljLOOVx+iPrl
2oCY+bVT84qF/DqOcW92Hv0hHnf9pllqxO2YRW3qhcW0D5jqitlOdpd4VrSLPuY+
SeZvLyI1Op/AsAhbJzS4vFQhoZHD3zsh/BKuatNn51yRuJ0DRv/9+hAueM3UDkdH
a+fRRAUVBS+yWgedjZjg7ElQn1U=
-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, ST = Baden-Wuerttemberg, L = Heidelberg, O = Ruprecht-Karls-Universitaet Heidelberg, OU = Institut fuer Medizinische Biometrie, CN = intranet.imbi.uni-heidelberg.de
issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3350 bytes and written 449 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A2A33A6D983A29DE5A35B65C06E1900E7FAC7671A2BF3C35ABEE03B4E25C299A
    Session-ID-ctx:
    Master-Key: 8936039B5AE4E6BE5DEF3134F17032990A8F65E4466CEC79122AF08F614C6948BF4AF800AE98E0D1917699C9724CD0D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2b 4a 14 6a 27 8a b1 de-8f ff ad 77 36 00 9a fc   +J.j'......w6...
    0010 - 06 72 40 93 76 c7 60 76-f6 22 06 01 d8 2b c7 7b   .r@.v.`v."...+.{
    0020 - 18 a6 58 1d 29 1c 9d 82-40 39 3e 1f 8c 3f f5 43   ..X.)...@9>..?.C
    0030 - 67 e5 a6 4e 3d 5f 9e f0-c5 31 37 31 6b ab 9f 3b   g..N=_...171k..;
    0040 - 82 c8 60 d8 e5 0c 80 c3-cb ec f7 a5 e6 2a 90 db   ..`..........*..
    0050 - d3 f7 77 12 d4 62 d6 c7-fe 65 e1 d0 66 14 2e 3c   ..w..b...e..f..<
    0060 - 54 b3 c0 e3 8d e0 3a 78-91 bc 64 b0 2d a5 d6 af   T.....:x..d.-...
    0070 - 27 a2 57 3b 6d 75 68 9e-46 ad 6d ec b1 97 97 c0   '.W;muh.F.m.....
    0080 - d3 9d dd 18 99 a2 23 c2-bb e4 b7 a5 e8 65 35 4d   ......#......e5M
    0090 - 3d f7 15 9d 61 4b 76 06-50 87 bc de eb 8f 0b 1c   =...aKv.P.......
    00a0 - f8 03 78 79 4b 6c e9 98-31 77 be 53 0d a7 04 d1   ..xyKl..1w.S....
    00b0 - 7a 89 7d 77 ca bd d1 f5-4d 60 97 f3 85 8a cb 6c   z.}w....M`.....l
    00c0 - c0 51 9b 08 0b 73 53 78-47 1e ab dc 5b 99 32 de   .Q...sSxG...[.2.
    00d0 - 14 63 f7 6e 2b 1e 7c 9d-f5 c1 f8 30 d8 b6 14 8b   .c.n+.|....0....

    Start Time: 1646040946
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed

We had the whole chain in the cert file, but the Apache serving this site apparently does not process the chain like this. After moving it to a separate file and adding it to the config, the verification is now successful from Agent 2 6.0.0 on the machine that originally showed verification errors:

zabbix_get -s 127.0.0.1 -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1

{"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE","not_before":{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN=intranet.imbi.uni-heidelberg.de,OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"certificate verified successfully"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}

So apparently Windows agents fetch the intermediate certificates somehow, while Linux agents do not. That's where the discrepancy came from. RFC 5246 states that the certificate chain must be provided (though not as explicitly as I would wish). So the Linux implementation seems to be perfectly compliant in rejecting the certificate without the chain. The question is whether the Windows check is correct then.
Thanks a lot for your effort!
|
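The two outcomes in the thread above (chain verification failing when the server presents only the leaf, succeeding once the intermediate is also presented) can be reproduced offline with Go's crypto/x509, which is what Agent 2 and its web.certificate.get plugin use and where the text "x509: certificate signed by unknown authority" comes from. The following program is an added example written for this page, not code from the Zabbix project or from the reporter. It builds a constructed in-memory PKI (a root, an issuing CA and a leaf; none of them are the real DFN-PKI certificates) and gives the leaf a hypothetical AIA caIssuers URL, the pointer a verifier that does AIA chasing would follow to fetch a missing intermediate. The hostname and URL are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixture is a constructed, in-memory three-tier PKI (root -> issuing CA -> leaf).
// It stands in for the DFN hierarchy discussed on the page; nothing here is real.
type Fixture struct {
	Root, Issuing, Leaf *x509.Certificate
}

// issue signs tmpl with signer (parent == tmpl for a self-signed root) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	crt, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return crt
}

// NewFixture builds the hierarchy for host. The leaf carries a hypothetical AIA
// caIssuers URL: a verifier doing AIA chasing would fetch the issuing CA from there
// when the server forgets to send it; the pure-Go verifier does not.
func NewFixture(host string) Fixture {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	issuing := issue(caTmpl(2, "Example Issuing CA"), root, &caKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{"http://cdp.example.invalid/issuing-ca.crt"}, // hypothetical AIA URL
	}
	leaf := issue(leafTmpl, issuing, &leafKey.PublicKey, caKey)
	return Fixture{Root: root, Issuing: issuing, Leaf: leaf}
}

// VerifyPresented checks leaf for host the way a strict TLS client does: only roots
// are trusted and the intermediates pool is exactly what the server presented after
// the leaf. It returns the length of the first valid chain (leaf, intermediates, root).
func VerifyPresented(leaf *x509.Certificate, host string, roots *x509.CertPool, presented []*x509.Certificate) (int, error) {
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure that the 6.0.0 agent output above shows.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	host := "intranet.example.test" // placeholder, not the reporter's host
	f := NewFixture(host)
	roots := x509.NewCertPool()
	roots.AddCert(f.Root)

	// Misconfigured server: only the leaf is sent, so its issuer cannot be found.
	_, err := VerifyPresented(f.Leaf, host, roots, nil)
	fmt.Printf("leaf only:         err=%v unknownAuthority=%v aia=%v\n", err, IsUnknownAuthority(err), f.Leaf.IssuingCertificateURL)

	// Fixed server: leaf plus issuing CA, so the chain can be built from what was presented.
	n, err := VerifyPresented(f.Leaf, host, roots, []*x509.Certificate{f.Issuing})
	fmt.Printf("leaf + issuing CA: chainLength=%d err=%v\n", n, err)
}
```

A caveat on what this does and does not reproduce: Go's crypto/x509 only delegates to the platform verifier (CryptoAPI on Windows) when no explicit Roots pool is given, and CryptoAPI can fetch a missing intermediate through the leaf's AIA caIssuers URL; the pure-Go verifier used on Linux only ever sees what the server sent. Because the example supplies Roots explicitly it always takes the pure-Go path, so it behaves identically on every OS and shows the Linux result, not the Windows one. The practical fix is the one the reporter applied: configure the web server to send the intermediate alongside the leaf, then confirm with openssl s_client -showcerts that the "Certificate chain" section lists more than one certificate and the verify return code is 0.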
Comment by Edgar Akhmetshin [ 2022 Mar 01 ] |
Hello, thank you for the additional information. It looks like we need additional investigation or RFC compliance, so confirming the issue. Regards, |