[ZBX-21714] Zabbix 6.0.x PSK - no suitable signature algorithm Created: 2022 Sep 30 Updated: 2022 Oct 14 Resolved: 2022 Oct 14 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G), Server (S) |
Affects Version/s: | 6.0.8, 6.0.9 |
Fix Version/s: | None |
Type: | Problem report | Priority: | Trivial |
Reporter: | Cezary | Assignee: | Igor Gorbach (Inactive) |
Resolution: | Commercial support required | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Ubuntu 22.04 (openssl 3.0.2), Ubuntu 20.04 (openssl 1.1.1f), Debian 10 (1.1.1n) |
Description |
Steps to reproduce:
1. Fresh installation of zabbix-server-mysql 6.0.9 from zabbix repository via apt, also with fresh database from template. I tried them all with different combinations:

root@Debian10:/var/log/zabbix# zabbix_server -V
zabbix_server (Zabbix) 6.0.9
Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 1.1.1d 10 Sep 2019
Running with OpenSSL 1.1.1n 15 Mar 2022

root@Ubuntu22:/usr/share/zabbix# zabbix_server -V
zabbix_server (Zabbix) 6.0.9
Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 3.0.2 15 Mar 2022
Running with OpenSSL 3.0.2 15 Mar 2022

root@Ubuntu20:/var/log/zabbix# zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 6.0.9
Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 1.1.1f 31 Mar 2020
Running with OpenSSL 1.1.1f 31 Mar 2020

root@Ubuntu22:# zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 6.0.9
Revision 64721203c07 21 September 2022, compilation time: Sep 21 2022 09:09:36
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 3.0.2 15 Mar 2022
Running with OpenSSL 3.0.2 15 Mar 2022

2. Add single host to server and setup PSK encryption on it

TLSAccept=psk
TLSPSKIdentity=zabbix
TLSPSKFile=/etc/zabbix/psk

PSK generated via command: openssl rand -hex 32

Result:
3234:20220930:121836.127 interfaceid:1 hostid:10084 ip:'127.0.0.1' dns:'' port:'10050' type:1 main:1 useip:1 available:1 errors_from:0 disable_until:0 error:'' availability_ts:1664533055 reset_availability:0 items_num 60
interfaceid:12 hostid:10529 ip:'10.10.10.10' dns:'' port:'10050' type:1 main:1 useip:1 available:2 errors_from:1664529873 disable_until:1664533144 error:'Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success' availability_ts:1664533055 reset_availability:0 items_num 14
3434:20220930:121904.106 In get_value_agent() host:'nexus.domain.com' addr:'10.10.10.10' key:'system.uptime' conn:'TLS with PSK'
3434:20220930:121904.108 Item [nexus.domain.com:system.uptime] error: Get value from agent failed: TCP successful, cannot establish TLS to [[10.10.10.10]:10050]: SSL_connect() I/O error: [0] Success

Client:
91290:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: TLS handshake set result code to 1: file ../ssl/t1_lib.c line 2750: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm: TLS write fatal alert "handshake failure"
91292:20220930:120704.535 failed to accept an incoming connection: from 10.10.10.10: unencrypted connections are not allowed
Expected:
If you need any additional debugging data or something please let me know. |
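
The agent-side settings from step 2 can be checked mechanically before looking at the TLS layer. The following is an added example, not part of the original report and not Zabbix's own code; the 32..512 hex digit and 128-byte identity limits follow Zabbix's encryption documentation, while reading the key from the first line of the file, the function names and the sample keys are assumptions.

```python
import os
import re
import stat
import tempfile

def parse_conf(text):
    """Last value wins for each Key=Value line; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_psk(conf_text):
    """Return a list of problems in the agent-side PSK settings (empty = OK)."""
    conf, problems = parse_conf(conf_text), []
    modes = [m.strip() for m in conf.get("TLSAccept", "unencrypted").split(",")]
    if "psk" not in modes:
        problems.append("TLSAccept does not include psk")
    if not 1 <= len(conf.get("TLSPSKIdentity", "").encode()) <= 128:
        problems.append("TLSPSKIdentity must be 1..128 bytes")
    path = conf.get("TLSPSKFile", "")
    if not os.path.isfile(path):
        return problems + ["TLSPSKFile missing or not a file"]
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("PSK file is accessible to group/others")
    with open(path) as fh:
        psk = fh.readline().strip()  # assumption: the key is the first line
    if not re.fullmatch(r"[0-9a-fA-F]+", psk):
        problems.append("PSK is not a plain hex string")
    elif len(psk) % 2 or not 32 <= len(psk) <= 512:
        problems.append("PSK must be 32..512 hex digits, even count")
    return problems

def demo(psk_text):
    """Write a constructed PSK file and config, return check_psk() findings."""
    with tempfile.TemporaryDirectory() as d:
        psk_path = os.path.join(d, "psk")
        with open(psk_path, "w") as fh:
            fh.write(psk_text)
        os.chmod(psk_path, 0o600)
        conf = f"TLSAccept=psk\nTLSPSKIdentity=zabbix\nTLSPSKFile={psk_path}\n"
        return check_psk(conf)

if __name__ == "__main__":
    print(demo("ab" * 32 + "\n"))      # constructed key, same shape as `openssl rand -hex 32`
    print(demo("not-hex-passphrase"))  # constructed invalid key
```

This covers only the agent's configuration file; the PSK identity and key entered for the host on the server side must be the same values.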
Comments |
Comment by Igor Gorbach (Inactive) [ 2022 Oct 14 ] |
Cannot reproduce on Ubuntu 20.04.
Tried with openssl 1.1.1f,q - and the same psk settings - no issues.
Looks like a misconfiguration, but we cannot help here, because ZBX project is a bug tracker.
In this case - commercial support required.
You're also able to get some help in |