[ZBX-9879] https monitoring breaks when TLS v1.0 protocol disallowed | Created: 2015 Sep 16 | Updated: 2022 Jul 25 | Resolved: 2022 May 24 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G), Proxy (P), Server (S) |
Affects Version/s: | 2.4.4 |
Fix Version/s: | None |
Type: | Problem report | Priority: | Trivial |
Reporter: | K. M. Peterson | Assignee: | Zabbix Development Team |
Resolution: | Won't fix | Votes: | 23 |
Labels: | curl, https, tls, webmonitoring | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Centos 7 |
Attachments: | curl-7.19.7-46-nss_ssl_default_range_fix.patch, server.py, zabbix-2.0.16-add-tlsv1.x-option.patch, zabbix-2.0.16-force-tlsv1.x.patch |
Issue Links: |
Description |
Agent checks for net.tcp.service[https...] as well as web scenarios broke when the target server was reconfigured to disallow the TLS v1.0 protocol (forcing TLS 1.1/1.2). The web scenario reports the error message "SSL connect error: Encountered end of file". The underlying issue: curl (shell command) attempting to connect to the same URL generates "NSS error -5938 (PR_END_OF_FILE_ERROR)" and error 35, but forcing the protocol with the '--tlsv1.1' option does connect happily. However, there is no way to do this in the UI, and it's not clear why the current implementation won't negotiate >= 1.1 since it's capable. |
Comments |
Comment by Aleksandrs Saveljevs [ 2015 Sep 16 ] |
http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html might or might not help with this. |
Comment by Aleksandrs Saveljevs [ 2015 Sep 16 ] |
https://bugzilla.redhat.com/show_bug.cgi?id=1170339 is a somewhat related discussion. |
Comment by Arli [ 2015 Oct 29 ] |
Setting CURL_SSLVERSION_TLSv1 or CURL_SSLVERSION_TLSv1_1 does help. |
Comment by dimir [ 2015 Oct 30 ] |
Currently we are not setting any version, so we use the default, which is "attempt to figure out the remote SSL protocol version". I guess we need to add a radio button so that a user can select the SSL/TLS version to use. But this looks like a feature request, not a bug. |
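The behaviour described in this ticket (a server that refuses TLS 1.0 closes the connection after the ClientHello, which libcurl/NSS reports as PR_END_OF_FILE_ERROR, "Encountered end of file") and the version check dimir alludes to, reproduced as an added example. This is not Zabbix code and not code from anyone in the thread: it uses Python's ssl module instead of libcurl to ask a host, one protocol version at a time, whether it will complete a handshake, so you can see what a monitored target accepts before deciding which version a web scenario or net.tcp.service[https] check needs. The local stub server, the status labels and the helper names are constructed for this example.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example (not Zabbix code): pins a client handshake to one protocol
version at a time and classifies the outcome, including the EOF case from
the ticket, where the server just closes the connection after the ClientHello.
"""
import socket
import ssl
import threading

# Oldest first. Whether the local OpenSSL will even offer TLS 1.0/1.1 depends
# on its build and security level; that case is reported as "unsupported-locally"
# so it is not mistaken for a rejection by the remote server.
CANDIDATES = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host, port, version, timeout=5.0):
    """Try a handshake restricted to exactly `version`.

    Returns (status, detail); status is one of "negotiated", "rejected-eof",
    "handshake-failed", "unsupported-locally", "connect-failed", "timeout".
    Certificate verification is off on purpose: the question is protocol
    support, not trust, and monitored hosts often use private CAs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        return ("unsupported-locally", str(exc))
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("connect-failed", str(exc))
    try:
        # wrap_socket() runs the handshake immediately on a connected socket.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("negotiated", tls.version())
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError) as exc:
        # Connection dropped with no ServerHello and no alert: this is what
        # curl/NSS reports as PR_END_OF_FILE_ERROR.
        return ("rejected-eof", type(exc).__name__)
    except socket.timeout:
        return ("timeout", "no handshake response within %.1fs" % timeout)
    except ssl.SSLError as exc:
        reason = (exc.reason or "").upper()
        if "EOF" in reason:
            return ("rejected-eof", reason)
        if "NO_PROTOCOLS_AVAILABLE" in reason:
            # Our own OpenSSL refused to build a ClientHello for this version.
            return ("unsupported-locally", reason)
        # Typically a protocol_version alert sent back by the server.
        return ("handshake-failed", reason)
    finally:
        raw.close()  # no-op if the socket was already handed to the SSL layer


def probe(host, port, timeout=5.0):
    """Run probe_version() for every candidate; returns {name: (status, detail)}."""
    return {name: probe_version(host, port, v, timeout) for name, v in CANDIDATES}


def start_rejecting_server():
    """Constructed stand-in for a hardened server that will not talk to this
    client: it accepts, reads the ClientHello and closes without replying.
    Returns (listening_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed
                return
            with conn:
                try:
                    conn.recv(65536)  # swallow the ClientHello, then close:
                except OSError:       # the client sees EOF, not a ServerHello
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_local_port():
    """Pick a loopback port with nothing listening on it (for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # probe a real host: HOST PORT
        target = (sys.argv[1], int(sys.argv[2]))
    else:                                       # no args: demo against the stub
        _srv, _port = start_rejecting_server()
        target = ("127.0.0.1", _port)
    for name, (status, detail) in probe(*target).items():
        print(f"{name:8s} {status:20s} {detail}")
```

Run it as `python3 tls_probe.py host 443` to see which versions a real target completes a handshake for; with no arguments it runs against the in-process stub and every version comes back as "rejected-eof" (or "unsupported-locally" for TLS 1.0/1.1 where the local OpenSSL will not offer them). The distinction matters for the ticket's situation: a check that fails because the monitoring host's own TLS library cannot offer a version the target requires looks identical, from the web scenario's side, to a target that is down.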
Comment by Marc [ 2015 Nov 05 ] |
As I assume this is unlikely to be addressed soon, but more and more sites are disabling TLS 1.0 and below, I suggest adding appropriate information to the documentation stating that web scenarios using the https protocol may not be possible, at least on EL5 and EL6, due to limitations of libcurl. |
Comment by dimir [ 2015 Nov 05 ] |
That's definitely a good point. |
Comment by Martins Valkovskis [ 2015 Nov 06 ] |
Added to known issues in documentation. Linked to from the web monitoring page. |
Comment by dimir [ 2015 Nov 06 ] |
1) "Known issues" could also mention agent checks. The section could be something like this:
=== HTTPS checks ===
Web scenarios using the https protocol and agent checks net.tcp.service[https...] and net.tcp.service.perf[https...] may fail if the target server is configured to disallow the TLS v1.0 protocol or below. Please see ... for more information and available workarounds.
2) In that case the link on the web monitoring page could be changed to "See also known issues for web monitoring using the https protocol.".
3) Also, two links to "known issues" could be added to the agent items page where net.tcp.service and net.tcp.service.perf are described.
martins-v: Thanks for the suggestions. Updated sections: known issues and web monitoring. Linked from the agent item page as well.
dimir: Thanks! Made a small change on the agent page: "See also known issues".
martins-v: Thanks, looking good to me. |
Comment by dimir [ 2015 Nov 06 ] |
Looks like the documentation part is in place; now we just need to fix it. |
Comment by Fernando [ 2015 Dec 09 ] |
Hi, we have deployed cURL 7.45 in a custom location and compiled the Zabbix server against that library, but we are still facing the problem. Is that expected? Zabbix 2.4. |
Comment by dimir [ 2015 Dec 14 ] |
The issue is still not resolved. |
Comment by Dan Goscomb [ 2015 Dec 16 ] |
This is critical for us. We are not able to allow TLS1.0 due to PCI-DSS regulations, and are now unable to monitor some of our applications. |
Comment by John Ko [ 2016 Feb 17 ] |
Is there an ETA for a fix? Our web scenarios broke after implementing TLSv1.2. |
Comment by Jinesh Choksi [ 2016 Feb 22 ] |
Greetings. With the recent release of Zabbix v3.0, is the issue documented in this JIRA now resolved? |
Comment by John Ko [ 2016 Feb 22 ] |
Hi Jinesh, we tested on the latest 3.0 beta and the issue is still occurring. -Thanks |
Comment by MATSUDA Daiki [ 2016 Mar 17 ] |
This problem has 2 causes.
1. libcurl may not support TLS v1.1 and TLS v1.2. In earlier RHEL 6.x, libcurl does not support TLS v1.1 and TLS v1.2; support starts with 7.19.7-43. At the bottom, I attached 2 patches.
2. It accepts a new format for the url column, such as tlsv1@https://... This is compatible with the current Zabbix server implementation. |
Comment by MATSUDA Daiki [ 2016 Apr 18 ] |
In my research, this is a bug in RHEL's implementation of the cURL package. In the latest cURL (7.48.0), this is already fixed. In addition, SSLv2 and SSLv3 are not used; only TLS v1.x is used by default. |
Comment by Kodai Terashima [ 2016 May 26 ] |
This problem was fixed by Red Hat in RHEL 6.8; upgrading the libcurl library solves this issue. |
Comment by Pradeep Patil [ 2016 Dec 19 ] |
I am not seeing this fixed with Zabbix 3.0 and 3.2 on RHEL 7, libcurl 7.51, OpenSSL 1.0.1e. My web monitoring still fails. |
Comment by Kim Jongkwon [ 2017 Apr 28 ] |
If this problem cannot be resolved after a curl update, you should also update curl's dependency packages (especially nss, nss-util, nspr, ...). |
Comment by Andrejs Tumilovics [ 2020 Feb 07 ] |
Just checked on CentOS 7. Compiled Zabbix agent:
./configure --enable-agent --with-libcurl --with-openssl
...
checking for the version of libcurl... 7.29.0
...
make install
Checked net.tcp.service and web scenarios against a server with TLSv1 disabled (server.py) and everything is working fine. |
Comment by Alex Kalimulin [ 2021 Dec 02 ] |
Is this still a thing or can be closed? |