Centos 7

http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html might or might not help with this.

https://bugzilla.redhat.com/show_bug.cgi?id=1170339 is a somewhat related discussion.

Setting CURL_SSLVERSION_TLSv1 or CURL_SSLVERSION_TLSv1_1 does help.
The issue is becoming more vital as leading browsers are forcing the use of stronger protocols by marking sites using SSLv2/SSLv3/TLSv1.0 as insecure.

Currently we are not setting any version, so we use the default, which is "attempt to figure out the remote SSL protocol version". I guess we need to add a radio button so that a user can select the SSL/TLS version to use. But this looks like a feature request, not a bug.

As I assume this is unlikely to be addressed soon but more and more sites are disabling TLS 1.0 and below, I suggest to add an appropriate information to the documentation stating that Web scenarios using the https protocol may not be possible at least on EL5 and EL6 due to limitations of libcurl.

That's definitely a good point.

Added to known issues in documentation. Linked to from the web monitoring page.

1). "Known issues" could also mention agent checks. The section could be something like this:

=== HTTPS checks ===

Web scenarios using https protocol and agent checks net.tcp.service[https...] and net.tcp.service.perf[https...] may fail if the target server is configured to disallow TLS v1.0 protocol or below. Please see ... for more information and available workarounds.

2). In that case the link on web monitoring page could be changed to "See also known issues for web monitoring using https protocol.".

3). Also 2 links to "known issues" could be added to agent items page where net.tcp.service and net.tcp.service.perf are described.

martins-v Thanks for the suggestions. Updated sections: known issues and web monitoring. Linked from the agent item page as well.

<dimir> Thanks! Made a small change on the agent page:

See also known issues
"for service checks using HTTPS protocol" -> "of checking HTTPS service"

martins-v Thanks, looking good to me.

Looks like documentation part is in place now we just need to fix it.

Hi, we have deployed cURL 7.45 on a custom location and compiled zabbix server against that library but we are still facing the problem. Is that expected?

Zabbix 2.4
RHEL 6.6

The issue is still not resolved.

This is critical for us. We are not able to allow TLS1.0 due to PCI-DSS regulations, and are now unable to monitor some of our applications.

Is there an ETA for a fix? Our web scenarios broke after implementing TLSv1.2.

Greetings. With the recent release of Zabbix v3.0, is the issue documented in this JIRA now resolved?

Hi Jinesh, we tested on the latest 3.0 beta and the issue is still occurring. -Thanks

This problem has 2 causes.
1. Zabbix server does not set CURLOPT_SSLVERSION on curl_easy_setopt() for Web monitoring.
So, libcurl uses the default value, i.e. CURL_SSLVERSION_DEFAULT, which includes 2 protocols of SSLv3 and TLSv1. But TLSv1 is simply TLS v1.0 and does not include TLS v1.1 and TLS v1.2.
See curl_easy_setopt manual, $ man curl_easy_setopt
In bottom, for accepting TLS v1.1 and v1.2 monitoring, Zabbix server must be implemented CURLOPT_SSLVERSION.

2. libcurl may not support TLS v1.1 and TLS v1.2. In previous RHEL 6.x libcurl does not support TLS v1.1 and TLS v1.2 and since 7.19.7-43 starts to support.
So, for monitoring libcurl must be updated.

In the bottom, I attached 2 patches.
1. SSLv2 and SSLv3 are dropped. Currently they are unsecure and in many web servers they are not acceptable.
zabbix-2.0.16-force-tlsv1.x.patch

2. It accepts new format for url column, such as tlsv1@https://... This is compatible for current Zabbix server implementation.
zabbix-2.0.16-add-tlsv1.x-option.patch

In my research, this is the bug that RHEL's implementation is not enough for cURL package.
Ideally, cURL package should be fixed and I attached the patch.

In latest cURL(7.48.0), this is already fixed. In addition, SSLv2 and SSLv3 are not used and only TLS v1.x are used in default.

This problem was fixed by RedHat on RHEL 6.8, upgrading libcurl library solve this issue.

Am not seeing this fixed with Zabbix 3.0 and 3.2 on RHEL7, libcurl 7.51, openSSL 1.0.1e. My web monitoring still fails.

If this problem can not be resolved when after curl update. You should also update - curl dependency packages. (Especially nss, nss-util, nspr ...)

Just checked on CentOS 7:

Compiled Zabbix agent:

./configure --enable-agent --with-libcurl --with-openssl
...
checking for the version of libcurl... 7.29.0
...
make install

Checked net.tcp.service and Web scenarios on server with disabled TLSv1 server.py and everything is working fine.
Looks like a libcurl version issue, so, ticket may be closed.

Is this still a thing or can be closed?