Windows Server 2012 R2, Windows 10

hi all,

i need that feature. i am wondering why it was compiled without, since cert authentification of agentd is part of a new feature of zabbix3.0.0

I can understand that it not being automatically compiled, they're not going to assume we want a particular encryption.

But I cannot find any help or documentation on how to compile ourselves.

Documentation requested at ZBXNEXT-3168.

Hi Guys,

I am not a developer and I can count the number of times I have compiled programs (out of necessity) on my 2 hands. I am sure for the guys who are comfortable with compiling apps and do it on a regular basis will be fine with compiling an agent for their needs in very little time.

With that in mind would someone mind compiling one with the TLS support and just add it to the downloads page with the other precompiled binaries?

I am sure this would be quicker than me asking for assistance everytime I come up with an error during the compile process.

In "Zabbix-Agent-with-OpenSSL-1.0.2c.zip", please find attached Zabbix 3.0.1 32-bit binaries for Windows compiled with OpenSSL 1.0.2c. If you need other architectures or library versions, please let me know.

Hi.
Please for Windows 64-bit binaries.

Please try "Zabbix-Agent-with-OpenSSL-1.0.2f-x64.zip".

@Aleksandrs Thanks for the binaries, very grateful for your time. Do you also have a LIBEAY32.dll the binary does not want to run without it?

@Aleksandrs Thanks for the binaries, That worked!

Please find "Zabbix-3.0.1-with-OpenSSL-1.0.2c-x86.zip" and "Zabbix-3.0.1-with-OpenSSL-1.0.2f-x64.zip" attached. They should have the necessary OpenSSL DLL files inside.

Expanding on @Aleksandrs work. The attached zip includes msvcd120.dll as well as a basic conf file sourced from the template on the Downloads page for v3.0.0 for both x86 and x64. I have just tested by dropping the x64 package onto a server without visual studio run times and it works a treat using psk enc.

I did some investigation and here are some details:

Zabbix agent requires 2 dll files to perform encryption: ssleay32.dll, libeay32.dll
A page https://wiki.openssl.org/index.php/Binaries suggests a few sources for such binaries.
The 1st link https://slproweb.com/products/Win32OpenSSL.html suggest binaries which depends on a "msvcr120.dll" file.
The "msvcr120.dll" file comes from Visual C++ Redistributable Packages for Visual Studio 2013
Note here version issued in 2013 - it's very important. 2015 and 2012 versions do not provide such a file.
Correct way to resolve the dependency is to install Microsoft Visual C++ Redistributable 2013. Direct link to download from Microsoft site is https://www.microsoft.com/en-us/download/details.aspx?id=40784

2nd link https://indy.fulgan.com/SSL/ suggests binaries which do not depend on the Microsoft Visual Studio Runtime DLLs, except for the system provided msvcrt.dll (which is installed by default).

I've tested openssl-1.0.2f dlls from the 2nd link while C++ Redistributable 2013 was NOT installed and zabbix agent was able to work successfully with PSK encryption.
It's possible to check for example using a Process Explorer , and make sure that the msvcr120.dll is not loaded by running zabbix agent.
So, I personally would prefer to use openssl dlls from the 2nd link to run zabbix agent to monitored hosts.
The 2nd link contains only 2 dll files in a zip archive, which is better than many dlls and in an exe installer from 1st link.

Another point worth to mention is that location on openssl dll files.
These files may be installed system-wide together with another software which needs them. For example PHP, OpenVPN, Nmap etc for Windows.
Usually such software adds location of such files to a PATH environment variable, so they can be found/used by any other application.
It's easily possible that such installed dlls are outdated and do not work as expected for encryption. Such case happened with me and other users in the past for vmware management console.
So, to make sure that agent is using desired dlls, the most easy way is to place these 2 dlls in the same folder when zabbix_agentd.exe is located.
I think it's not so bad approach to suggest in official documentation.

I think that Zabbix should not distribute openssl dlls together with zabbix agent binaries, especially with the binary from Microsoft.
Just links where to download required dlls should be provided.

I think that Zabbix should not distribute openssl dlls together with zabbix agent binaries, ...

An important point in this regard then is documenting with which OpenSSL version Zabbix agent was compiled, so that users can download (or find on their own system) an appropriate version of OpenSSL DLL's.

Quoting https://www.openssl.org/policies/releasestrat.html :

Letter releases, such as 1.0.1a, exclusively contain bug and security fixes and no new features. Minor releases that change the last digit, e.g. 1.0.1 vs. 1.0.2, can and are likely to contain new features, but in a way that does not break binary compatibility. This means that an application compiled and dynamically linked with 1.0.0 does not need to be recompiled when the shared library is updated to 1.0.2.

So if we compile Zabbix agent with OpenSSL 1.0.2c, users will be able to use OpenSSL 1.0.2f without problems, but will probably have to recompile the agent if they wish to upgrade to OpenSSL 1.1.0.

Has anyone thought about using the mbed TLS library instead of OpenSSL for this purpose? It may have less dependencies and it's released under the Apache license.

The documentation recommends it over OpenSSL for PSK usage, anyway.

This is what we were doing when testing encryption with Zabbix agent on Windows and mbed TLS.

Installing mbed TLS

• download cmake from here (use Windows (Win32 Installer) version, during installation choose to install to system PATH for all users)
• download the latest stable mbed TLS library from here (as of this article the latest stable version is 1.3.10)
• unpack mbed TLS tarball e. g. to \tmp\mbedtls
• open command-line application (cmd.exe)
• go to \tmp\mbedtls
• run commands:

  cmake -D CMAKE_BUILD_TYPE=Release -D CMAKE_C_FLAGS_RELEASE="/MT /O2 /Ob2 /D NDEBUG" CMakeLists.txt
  nmake
  

Compiling Zabbix with mbed TLS support

• go to Zabbix sources directory
• go to build\win32\project
• run command (use Makefile_agent_x64 for 64-bit version):

  nmake -f Makefile_agent TLS=mbedtls TLSINCDIR="\tmp\mbedtls\include" TLSLIBDIR="\tmp\mbedtls\library"
  

  Alternatively you can specify full path to static mbed TLS library (and this is the only option if your mbed TLS library is named differently):

  nmake -f Makefile_agent TLS=mbedtls TLSINCDIR="\tmp\mbedtls\include" TLSLIB="\tmp\mbedtls\library\polarssl.lib"
  

@Aleksandrs Saveljevs
Can you compile the Windows-64 bit binaries with GnuTLS please?

Morten, please find "Zabbix-3.0.3-with-GnuTLS-3.3.13-x86.zip" and "Zabbix-3.0.3-with-GnuTLS-3.4.9-x64.zip" attached.

Where do I get or how to compile
Zabbix Agent 3.0.4 openssl 1.0.2h Win64

It is possible, to published Windows binaries for zabbix version 3.2.0 also??

Attaching the following compiled binaries for Zabbix 3.2.0:

• Zabbix-3.2.0-with-GnuTLS-3.4.9-x64.zip
• Zabbix-3.2.0-with-GnuTLS-3.4.9-x86.zip
• Zabbix-3.2.0-with-OpenSSL-1.0.2h-x64.zip
• Zabbix-3.2.0-with-OpenSSL-1.0.2h-x86.zip

Could you please try running them and see if they work?

I tested Zabbix-3.2.0-with-GnuTLS-3.4.9-x64.zip and Zabbix-3.2.0-with-OpenSSL-1.0.2h-x64.zip.
Both are working. Connection to zabbix server is established flawless using TLSConnect=psk.

Using zabbix_agentd.exe with foreground option works. But using it as a windows service does not work.
As soon as TLSConnect=psk is activated in configuration, service terminated immediately after starting.
Windows throws the following error:

Windows cloud not start die Zabbix Agent service on Local Computer
Error 1067: The process terminated unexpectedly.

Running zabbix agent as service without encryption works as expected.
Tested on Windows Server 2012 R2.

Using nssm.exe to register zabbix agent as service works as a workaround.

C:\Program Files\zabbix>nssm.exe install Zabbix "C:\Program Files\zabbix\zabbix_agentd.exe" -f -c zabbix_agentd.conf
Service "Zabbix" installed successfully!

Thorsten, thanks for testing! I tried 32-bit binaries and they seem to work as a service with certificates and PSK on Windows Server 2008 (update: 64-bit binaries also work with PSK), but that might be a topic for discussion elsewhere (either on https://www.zabbix.org/wiki/Getting_help or a different JIRA issue if it turns out to be a bug).

While the full documentation will be handled in ZBXNEXT-3168, this comment attempts to document how the Zabbix 3.2.0 binaries above were built.

As mentioned by zalex_ua in one of the comments above, there are two main sources for Windows binaries for OpenSSL: (A) https://slproweb.com/products/Win32OpenSSL.html and (B) https://indy.fulgan.com/SSL/ . The first provides binaries that depend on some Microsoft DLL, the second is free of that dependency. Therefore, if we decide to distribute Zabbix agent together with OpenSSL libraries, we should probably choose (B).

However, source (B) provides dynamic libraries at https://indy.fulgan.com/SSL/ and static libraries at https://indy.fulgan.com/SSL/LinkLibs/ , but it does not provide OpenSSL headers, which are required for building. Fortunately, those are provided in source (A). So my approach was to use headers from (A) and static libraries from (B) for building the binaries, and then package them with dynamic libraries from (B).

For GnuTLS, it was much simpler - precompiled binaries from ftp://ftp.gnutls.org/gcrypt/gnutls/w32/ were used.

Regarding ABI compatibility, there is a nice release strategy for OpenSSL mentioned in this comment, which basically says that users can upgrade OpenSSL dynamic libraries from 1.0.x to 1.0.y without recompiling Zabbix binaries.

For GnuTLS, I have not found such a statement. However, the following quote from http://www.gnutls.org/devel.html looks promising:

Our goal is to deliver a stable API and ABI for the library, but on certain major releases we have decided to break the ABI in order to deprecate old APIs and avoid clutter. To ensure API and ABI stability we rely on abi-compliance-checker and other tools.

They also have a nice ABI tracker at https://gnutls.org/abi-tracker/timeline/gnutls/index.html , which shows that backward-incompatible changes tend to only be done in major releases (the second number in the version).

Regarding distribution, if we decide to include OpenSSL and GnuTLS libraries, zalex_ua suggested to also include a README.txt file, which describes where these libraries come from.

One question in this regard is a legal one. For instance, OpenSSL FAQ states (see https://www.openssl.org/docs/faq.html#LEGAL2 ):

2. Can I use OpenSSL with GPL software?

On many systems including the major Linux and BSD distributions, yes (the GPL does not place restrictions on using libraries that are part of the normal operating system distribution).

On other systems, the situation is less clear. Some GPL software copyright holders claim that you infringe on their rights if you use OpenSSL with their software on operating systems that don't normally include OpenSSL.

If you develop open source software that uses OpenSSL, you may find it useful to choose an other license than the GPL, or state explicitly that "This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed." If you are using GPL software developed by others, you may want to ask the copyright holder for permission to use their software with OpenSSL.

In this particular case, it is probably apparent that we do not mind that Zabbix is being used with OpenSSL, because we specifically develop for it.

Then there is also this note at https://www.openssl.org/source/ :

Legalities

Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world. So when you import this package to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention to any laws or regulations which apply to you. The authors of openssl are not liable for any violations you make here. So be careful, it is your responsibility.

Not a lawyer, so not sure how scary that is to put OpenSSL and GnuTLS binaries on our website.

zalex_ua If take into account how other software, who uses openssl for example, we see that they include the libraries to their windows installers/archives. For example PHP, OpenVPN and probably many other.
Picture of fresh downloads:
PHP provides a zip archive, where in root we see 2 openssl DLLs. Binaries with the same version/arch as in zabbix (1.0.2h) has different size. It looks like it does require one of MS VC <NN> installed.

OpenVPN provides an installer, where default option is to install OpenSSL DLLs locally is enabled. Locally - means copy them to openvpn*.exe files installation path. There are 2 other libs, installed the same way. Looks like MS VC <NN> is not required.

So other software, say similar to zabbix, go that approach, and I don't see reasons zabbix could not do the same.
Don't even want to think about different licenses because it will be nightmare.

OpenSSL DLLs suggested by zabbix (source B), in difference with the PHP/OpenVPN, has one additional property "Comment":

Compiled by Frederik A. Winkelsdorf (opendec.wordpress.com) for the Indy Project (www.indyproject.org)

that's useful.

But I'd still include a README.txt (or something like that, like DLL-NOTES.txt, it would be even better) in archives with zabbix agent, where would mention source of these files.

For OpenSSL binaries, we should decide whether we wish to compile with OpenSSL 1.0.x or OpenSSL 1.1.0. The latter is possible since ZBX-11149.

Compiling with OpenSSL 1.1.0 adds some Perfect Forward Secrecy ciphersuites for PSK, on the other hand it is very new. If possible build with both libraries. Users can choose.

It is possible, to published Windows binaries for zabbix version 3.2.0 for PSK ????

If you aren't going to include TLS support in the pre-compiled Windows binaries at least put a better error in the agent log file when it quits because the TLS parameters are not supported. In the default state of debug=3 there is nothing at all in the log, even though it fatal errors and exits.

I compiled version 3.2.3 with GnuTLS 3.4.9 for 64-bit Windows. It can be downloaded here: https://gitit.de/sathya/zabbix-agent-windows-x64-gnutls/

Is there any plan to release official Zabbix Agent binaries for Windows with PSK?
Customers don`t understand that Zabbix does not release one.

Will try to get some attention to this.

We need more votes to get attention to this task. Please ask more people to vote for it.

Voted, this would be really to have out of the box from the zabbix official site.

Already voted !

A vote from me, too.

please note that comments are not votes and only make the issue less likely to be checked by the developers - they have more comments to read through
see http://zabbix.org/wiki/Docs/bug_reporting_guidelines for more detail

Any special place where to put those .dlls files? I can't start the services.

This works:

zabbix_agentd.exe --multiple-agents --install --config <config_file_1>
zabbix_agentd.exe --multiple-agents --install --config <config_file_2>

This don't:

zabbix_agentd.exe --multiple-agents --start --config <config_file_1>
zabbix_agentd.exe --multiple-agents --start --config <config_file_2>

The error is: "The service did not respond to the start or control request in a timely fashion."

config file 1:

TLSConnect=unencrypted
TLSAccept=unencrypted
TLSPSKFile=foobar
TLSPSKIdentity=my-psk
HostnameItem=system.run[echo unencrypted-%COMPUTERNAME%]
HostMetadata=123 windows
Timeout=15
ServerActive=<server-ip>
RefreshActiveChecks=60
Server=<server-ip>
LogType=system

config file 2:

TLSConnect=psk
TLSAccept=psk
TLSPSKFile=foobar
TLSPSKIdentity=my-psk
HostnameItem=system.run[echo psk-%COMPUTERNAME%]
HostMetadata=123 windows
Timeout=15
ServerActive=<server-ip>
RefreshActiveChecks=60
Server=<server-ip>
LogType=system

What I found so far is that when removing all TLS* options agent will start. But it won't start when setting TLSPSKIdentity or TLSPSKFile no matter if you've set TLSAccept or TLSConnect to unencrypted.

Anyway, trying to use psk encryption is a no go for me with: Zabbix-3.2.0-with-OpenSSL-1.0.2h-x86 and Zabbix-3.2.0-with-GnuTLS-3.4.9-x86. Any ideas if I need to put those .ddl's in some specific directory? I've tried putting them in C:\Windows\System32 with no luck.

Found the issue... A bad generated hex string inside the psk file. Weird. I think something may be wrong in the agent code. Why would the process hang when setting TLSAccept=unencrypted and having an invalid psk file, it should be ignored.

Oh, BTW, important note: the PSK file MUST end with a newline. That's more weird indeed.

Zabbix-3.2.4-with-mbed-TLS-1.3.19-x64 https://yadi.sk/d/PS-W6cXJ3HGmwQ
Zabbix-3.2.4-with-mbed-TLS-1.3.19-x86 https://yadi.sk/d/Rd0rMo3B3HGmwe

Zabbix-3.2.5-with-mbed-TLS-1.3.19-x64 https://yadi.sk/d/y5JiVTJO3HMhSn
Zabbix-3.2.5-with-mbed-TLS-1.3.19-x86 https://yadi.sk/d/LZof5CfE3HMhSv

Hi,

I have tried all the openssl builds, but with all if them I keep on getting the error below, the CA is a local server.
The CA certificates are working fine with Linux and Mac OSX clients.
I couldn't find much online abt this error. Can anyone please suggest what I need to do?

========
cannot load CA certificate(s) from file ""c:\Program Files\Zabbix\ssl\certs\ca.pem"": file .\crypto\bio\bss_file.c line 175: error:0200107B:system library:fopen:Unknown error: fopen('"c:\Program Files\Zabbix\ssl\certs\ca.pem"','r') file .\crypto\bio\bss_file.c line 180: error:2006D002:BIO routines:BIO_new_file:system lib file .\crypto\x509\by_file.c line 253: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
========

The error above was caused by quotations around the file path

TLSAccept=cert
TLSConnect=cert
TLSCAFile="c:\Program Files\Zabbix\ssl\certs\ca.pem"
TLSCertFile="c:\Program Files\Zabbix\ssl\certs\steveb-w10-van.uds.anu.edu.au.pem"
TLSKeyFile="c:\Program Files\Zabbix\ssl\private_keys\steveb-w10-van.uds.anu.edu.au.pem"

removing them resolved the error

I downloaded 'Zabbix-3.2.5-with-mbed-TLS-1.3.19-x64' compiled by Alexander. However, Windows Defender deleted it immediately as it said it contained a trojan.

A zabbix supported precompiled version would be greatly appreciated.

Zabbix agent 3.2.6 availible?

Zabbix agent 3.4 availible?

Zabbix-3.4.1-with-GnuTLS-3.6.0.1-x86_64 https://drive.google.com/open?id=0ByXlAhQQidqSLU1jREpRM0VaTzA
Zabbix-3.4.1-with-OpenSSL-1.1.0f-x86_64 https://drive.google.com/open?id=0ByXlAhQQidqSZUlWQmtJUGN2SnM

Please note that Zabbix agents in attachments are neither compiled by current Zabbix employees nor supported by Zabbix.

The real problem is, there is no supported Windows Agent with Encryption, but Zabbix advertises with Enterprise Ready and encryption.
See here: https://www.zabbix.com/enterprise_ready (Paragraph Security)
No word about that there is no official supported agent for Windows by Zabbix itself. The most customers and Zabbix Users also have
Windows systems, they would like to monitor and use Encryption. It's beyond their comprehension why there is encryption support in Zabbix but not for the windows systems.
This change request is open since near two years, hope that Zabbix would react to this in the future.

Hello, today I successfully compiled zabbix agent 3.0.11 with TLS support (openssl 1.1.0f) on Windows 10 Pro using VS2015 with the steps:

1. Download Visual C++ 2015 Build Tools from http://landinghub.visualstudio.com/visual-cpp-build-tools (direct link: http://go.microsoft.com/fwlink/?LinkId=691126)
2. Install Visual C++ 2015 Build Tools with checked SDK for Windows 10
3. Download zabbix source files, extract using 7-zip or another software, for example to c:\zabbix_src
4. Fix some files in zabbix sources in C:\zabbix_src\build\win32\project to sucessfully compile:
   • Change line in resources.rc file from #include "afxres.h" to #include "windows.h"
   • Change line in Makefile_sender_dll file from ..\..\..\src\zabbix_sender\win32\zabbix_sender.o to ..\..\..\src\zabbix_sender\zabbix_sender.o
5. Download and install OpenSSL 1.1.0f (Full, not Light) from https://slproweb.com/products/Win32OpenSSL.html
   • For compile 32-bit zabbix agent download Win32 OpenSSL v1.1.0f - https://slproweb.com/download/Win32OpenSSL-1_1_0f.exe
   • For compile 64-bit zabbix agent download Win64 Win64 OpenSSL v1.1.0f - https://slproweb.com/download/Win64OpenSSL-1_1_0f.exe
6. Run VC2015 shell using Start\Programs\Visual C++ Build Tools\Windows Desktop Command Prompts
   • For compile 32-bit zabbix agent run Visual C++ 2015 x86 Native Build Tools Command Prompt
   • For compile 64-bit zabbix agent run Visual C++ 2015 x64 Native Build Tools Command Prompt
7. cd to extracted zabbix sources, subfolder build\win32\project:
   • CD C:\zabbix_src\build\win32\project
8. Run nmake with these parameters:
   • For compile 32-bit zabbix agent run: nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib"
   • For compile 64-bit zabbix agent run: nmake CPU=AMD64 TLS=openssl TLSINCDIR="C:\OpenSSL-Win64\include" TLSLIBDIR="C:\OpenSSL-Win64\lib"
   • Note: Before running another compilation, please create empty copy of zabbix sources, simple "nmake clear" is not enough.
9. Compiled binaries will be in:
   • For 32-bit: C:\zabbix_src\bin\win32
   • For 64-bit: C:\zabbix_src\bin\win64
10. Copy these openssl dll to directory, where you built binaries (you need to copy these files to directory, where you have zabbix_agentd.exe)
    • For 32-bit: C:\OpenSSL-Win32\bin\msvcr120.dll, C:\OpenSSL-Win32\libcrypto-1_1.dll, C:\OpenSSL-Win32\libssl-1_1.dll
    • For 64-bit: C:\OpenSSL-Win64\bin\msvcr120.dll, C:\OpenSSL-Win64\libcrypto-1_1.dll, C:\OpenSSL-Win64\libssl-1_1.dll
11. Enjoy zabbix agent with TLS
12. Check compiled TLS support in zabbix_agentd log file: TLS support: YES

I only tested VS2015, but 2017 will probably work too.
I hope this helps.

Thanks, sh0thub, for sharing !
VS 2017 RC Community Edition works, too.

I successfully compiled also zabbix agent 3.4.2 with TLS support (openssl 1.1.0f) on Windows 10 Pro using VS2015. Due to new dependency for zabbix 3.4 (PCRE library), there are little more steps in this howto. I tested only 64-bit agent, but 32-bit should work too...

1. Download Visual C++ 2015 Build Tools from http://landinghub.visualstudio.com/visual-cpp-build-tools (direct link: http://go.microsoft.com/fwlink/?LinkId=691126)
2. Install Visual C++ 2015 Build Tools with checked SDK for Windows 10
3. Download zabbix source files, extract using 7-zip or another software, for example to c:\zabbix_src
4. Fix some files in zabbix sources in C:\zabbix_src\build\win32\project to sucessfully compile:
   • Change line in resources.rc file from #include "afxres.h" to #include "windows.h"
   • Change line in Makefile_sender_dll file from ..\..\..\src\zabbix_sender\win32\zabbix_sender.o to ..\..\..\src\zabbix_sender\zabbix_sender.o
5. Download and install OpenSSL 1.1.0f (Full, not Light) from https://slproweb.com/products/Win32OpenSSL.html
   • For compile 64-bit zabbix agent download Win64 Win64 OpenSSL v1.1.0f - https://slproweb.com/download/Win64OpenSSL-1_1_0f.exe
6. Download PCRE library (new mandatory library for zabbix 3.4) from pcre.org, version 8.XX, not pcre2 (ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.41.zip)
7. Extract to directory C:\pcre-8.41
8. Install CMake from https://cmake.org/download/, during install select: Add CMake to system PATH for all users (tested version 3.9.4)
9. Run VC2015 shell using Start\Programs\Visual Studio 2015\Visual Studio Tools\Windows Desktop Command Prompts\
   • For compile 64-bit zabbix agent run VS2015 x64 Native Tools Command Prompt
10. Create directory build in C:\pcre-8.41
    • cd C:\pcre-8.41
    • mkdir build
    • cd build
11. Run cmake command:
    • cmake -G "Visual Studio 14 2015 Win64" -DPCRE_SUPPORT_UNICODE_PROPERTIES=ON -DPCRE_SUPPORT_UTF=ON -DCMAKE_C_FLAGS_RELEASE:string="/MT" ..
12. Compile pcre library with:
    • msbuild PCRE.sln /property:Configuration="Release"
13. cd to extracted zabbix sources, subfolder build\win32\project:
    • CD C:\zabbix_src\build\win32\project
14. Run nmake with these parameters:
    • For compile 64-bit zabbix agent run: nmake CPU=AMD64 TLS=openssl TLSINCDIR="C:\OpenSSL-Win64\include" TLSLIBDIR="C:\OpenSSL-Win64\lib" PCREINCDIR=c:\pcre-8.41 PCRELIBDIR=c:\pcre-8.41\build\Release
15. Note: nmake without specified Makefile compile zabbix_agentd, zabbix_sender, zabbix_get and zabbix_sender_dll. If you only want one component, add corresponding parameter at the end of nmake command:
    • /f Makefile_agent
    • /f Makefile_get
    • /f Makefile_sender
    • /f Makefile_sender_dll
16. Compiled binaries will be in:
    • For 64-bit: C:\zabbix_src\bin\win64
17. Copy these openssl dll to directory, where you built binaries (you need to copy these files to directory, where you have zabbix_agentd.exe, or zabbix_sender, zabbix_get)
    • For 64-bit: C:\OpenSSL-Win64\bin\msvcr120.dll, C:\OpenSSL-Win64\libcrypto-1_1.dll, C:\OpenSSL-Win64\libssl-1_1.dll

It would be great, to have officially support for TLS, so you can't compile own agent...
Happy compiling...

Hello friends,

could somebody give me an advice, where to get compiled Windows agent version 3.4.4 (with PSK)? If I understand correctly, I would need it to use new

low-level-discovery macro according to https://www.zabbix.com/documentation/3.4/manual/installation/upgrade_notes_344.

Does somebody have environment prepared for such compilation, e.g. as described above by sh0thub?

Thank you in advance.

Jano

Hello Jano,
I also needed new version of zabbix-agent 3.4.4, because I recently upgraded my server, so I compilled 64-bit zabbix windows agent with TLS support, using newest OpenSSL 1.1.0g, so you can try it on your own. I uploaded it here, please check attachment at top of the page:

• zabbix-3.4.4-openssl1.1.0g-win64.zip

Happy monitoring

Thank you, sh0thub. Would this be able to handle also TLS, using PSK, or not? We are using this type of encryption...

Hello Jano, yes of course you can use PSK or TLS certificates if you want. I have already tested PSK with compilled version of zabbix 3.4.4, and worked for me without problems. I use active agent and have configured these parameters in zabbix_agentd.conf:
TLSConnect=psk
TLSPSKIdentity=name_of_PSK_identity
TLSPSKFile=C:\Program Files\Zabbix Agent\zabbix_agentd.key

Zabbix manual has very good explanation:
https://www.zabbix.com/documentation/3.4/manual/encryption/using_pre_shared_keys

sH0thub Can you compile a 32bit version?

Hello Alfred, today I compiled 32-bit and 64-bit version of zabbix-agent 3.4.6. Please see attached files on top of this page:

• zabbix-3.4.6-openssl1.1.0g-win32.zip
• zabbix-3.4.6-openssl1.1.0g-win64.zip

Zabbix agent 3.4.6 with TLS support (Openssl 1.1.0g)

Thanks sh0thub, the problem is that there is a bug with 3.4.6 which has me forced to keep with 3.4.4 until the bug is fixed. Can I kindly ask if you can compile 3.4.4 for win32.

The bug is this one: https://support.zabbix.com/browse/ZBX-13340

Also I would like to contribute with a link to a powershell script for remote installation that I have found on the zabbix forums in case some of you don't have it. According to the script is made by Pierre-Emmanuel Turcotte, so credits to him. It works really well.

https://gist.github.com/GambitK/dc63acf5200bc5bd6667b5c6fcc9a4c0

your agents don't have to be the same version as your frontend, you can use 3.4.6 agent with any 3.4.x version of server or frontend

hi i have problem with tls on windows 2012R2 *64(windows test)
(invalid PSK in file "C:\path\file.psk.)
and i have tutorial form zabbix " https://www.zabbix.com/documentation/3.0/manual/encryption/using_pre_shared_keys#generating_psk"
on agent.log i have
TLS support: YES
IPv6 support: YES
but not work !
any help ?

Hi armshadid, you probably have wrong psk file, please check that:

• Psk file have to contain only generated psk hex key string, not psk identity
• I recommend using openssl command, because it generates only psk hex string without identity: openssl rand -hex 32
• Psk file have to contain empty new line at the end of file

Please check also zabbix documentation
https://www.zabbix.com/documentation/3.0/manual/encryption/troubleshooting/psk_problems

Hope this helps

thank you

Hey Guys. I downloaded the "Zabbix-3.2.7-with-mbed-TLS-1.3.21-x86-64.zip" and re installed the agent using zabbix_agentd.exe. However when i try to start the agent with psk it still throws me the same error.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

zabbix_agentd.exe --start
zabbix_agentd.exe [4796]: ERROR: cannot start service [Zabbix Agent]: [0x0000041
D] The service did not respond to the start or control request in a timely fashi
on.

C:\windows\system32>
I tried 3.2.5 as well. No luck. TLS support says YES in the logs.

13076:20180205:084141.278 Starting Zabbix Agent [Windows host]. Zabbix 3.2.5 (revision 67445).
13076:20180205:084141.279 **** Enabled features ****
13076:20180205:084141.280 IPv6 support: YES
13076:20180205:084141.280 TLS support: YES
13076:20180205:084141.281 **************************

Please help

Hello Karthik, it is better before starting windows service to start zabbix_agentd.exe using command line, because if there is an error, zabbix will only print it on console window. So please try to start command line, and run manually zabbix_agentd.exe in foreground:
zabbix_agentd.exe -c c:\zabbix\zabbix_agentd.conf -f

Check output of console window, zabbix_agentd will probably print error message there.
Hope this helps find a problem.

Thanks so much. I broke my head full day yesterday on this.
I fixed the issue with your help
I would treat you beer right now... xD

Whats the reason for cancelling the planned official Installer?

I have managed to successfully compile the zabbix windows agent using the guide by sh0thub.

What I will say is that I DID NOT like having the PSK stored in a plain text file!!! nor using someone else's compiled agent in production.

Now I'm not a native c programmer but what I did was to edit the tls.c file found in the 'src\libs\zbxcrypto\' folder and changed the zbx_read_psk_file(void) method to provide a hard coded PSK within the executable...

char	buf[HOST_TLS_PSK_LEN_MAX + 2] = "oxbeefoxbeefoxbeefoxbeefoxbeefoxbeefoxbeefoxbeefoxbeefoxbeef";

I had to edit out many of the file value checks as well...

This may not be the best way to achieve what I'm after however the code compiles (for me) and allows me to hard code a PSK into the agent.

I only use the agent in passive mode so there may be issues with my changes in active mode (but I doubt it)

I still have to set all the relevant PSK options in the .conf file including specifying a PSK file path however the file does not need to actually exist.

hi all, please i need
zabbix-3.4.7-openssl1.1.0g-win32.zip
zabbix-3.4.7-openssl1.1.0g-win64.zip

Hello Marek, you don't have to use the same version of agent and server. So if you use zabbix-server 3.4.7, you necessary don't have you use same version of agent. You can use any lower agent version 3.4.x with no problem and then also lower agent versions for example 2.2.x or 3.0.x LTS, if you don't need features of newer version of agent. Newer agent versions is only necessary if it fixes some bug you encounter. So please check if 3.4.7 fixes some problem:
https://www.zabbix.com/rn/rn3.4.7

If not, you can use 3.4.6 version of zabbix agent with no problem.

Check documentation: https://www.zabbix.com/documentation/3.4/manual/installation/upgrade?s[]=upgrade#agent_upgrade_process
It says: Upgrading agents is not mandatory. You only need to upgrade agents if it is required to access the new functionality.

Happy monitoring

Hi sh0thub, thanks for the explanation.

Marek

After using the command:

zabbix_agentd.exe -c c:\zabbix\zabbix_agentd.conf -f

to get message outputs it became clear to me that there is a dependency in using TLSConnect= in the agent configuration file with other parameters such as TLSAccept=, TLSCertFile=, etc.

Basically, it looks like the only way to use TLS with certificates is if it is set up in both directions (TLS Certificate from the server to agent AND TLS Certificate from agent to the server). It seems outward bound connection from the agent alone to the server can't be used with certificates, only PSK works. Right now PSK is working just fine and I am using the 3.4.6 compiled with TLS support from the top of this board.

Is that true or am I missing something?

I have setup the zabbix server with the certificate and its chain pem files with the zabbix server conf configured correctly but certificates are not working because I can't start the agent.

When I try to start the agent it keeps telling me I need to configure the other settings needed for agent-side certificates like the agent certificate, key, CA file, etc. Without that command above I wouldn't even be able to tell that because it doesn't even start. No logs get generated on either the agent or server side.

What I am trying to setup is an active agent with TLS using a public certificate on the zabbix server. That means no passive checks and no certificate needed for inbound connections from the zabbix server because it never happens. Can this be done or is this a feature that is not yet available? Or am I missing something?

Hello,

I build and tested zabbix-agent v3.4.8 x64 + OpenSSL 1.1.0g

it works fine

zabbix-3.4.8-openssl1.1.0g-win64.zip

I've compiled Zabbix agent v3.4.10 (x86 & 64bit) w/OpenSSL 1.1.0h

https://github.com/mortis304/Windows-zabbix_agentd

Comment:

It's very cool that community members are creating and linking builds here. However, for security reasons, I believe I must build my own. If I have to "trust" a binary, it should come from the manufacturer. Otherwise there is the possibility that something is infected somehow.

I plan to compile from source using sh0thub's instructions here comment-243402 which is much appreciated as I don't have any current VS skills.

Questions:

1. Why does anyone need a 64 bit agent? Windows 64 will run 32 bit binaries. The agent should not need > 4 GB of RAM so why do we care?

2. I'm planning to setup the Dev environment on a Win7 32 bit VM. I'm going to use VS2015 not VS2017 as the older rev looks like it needs less RAM. From googling, it looks like I should be able to still build 64 bit binaries from the 32 bit dev environment, right?

Thanks!

Mark

 The best would be an official release because:

• then everybody can use this function
• a lot of people can save time

I'm hacker, not a developer Can someone help with the assert.h error below?

I am trying to follow the guide by sh0thub

I am trying this from a Windows 10 VM downloaded from Microsoft with full Visual Studio. I previously got the same results from a Windows 7 32 bit VM using the recommended CLI download, so it must be something I am doing wrong.

C:\zabbix_src\zabbix-3.4.10\build\win32\project>nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib" PCREINCDIR=c:\pcre-8.41 PCRELIBDIR=c:\pcre-8.41\build\Release

Microsoft (R) Program Maintenance Utility Version 14.00.23506.0
Copyright (C) Microsoft Corporation.  All rights reserved.

        nmake /f Makefile_agent

Microsoft (R) Program Maintenance Utility Version 14.00.23506.0
Copyright (C) Microsoft Corporation.  All rights reserved.

        mc.exe -U -h ".
" -r ".
" messages.mc
MC: Compiling messages.mc
        cl.exe ..\..\..\src\libs\zbxalgo\algodefs.c /Fo"..\..\..\src\libs\zbxalgo\algodefs.o" /I ..\..\..\src\zabbix_agent /I .\ /I ..\include /I ..\..\..\include /I "c:\pcre-8.41" /I "C:\OpenSSL-Win32\include"  /D WITH_AGENT_METRICS /D WITH_COMMON_METRICS /D WITH_SPECIFIC_METRICS  /D WITH_HOSTNAME_METRIC /D WITH_SIMPLE_METRICS /Zi /Fdzabbix_agentd.exe.pdb /nologo /O2 /Ob1 /GF /FD /EHsc /MT /Gy /W3 /c /D _WINDOWS /D _WIN32_WINNT=0x0501  /D _CONSOLE /D UNICODE /D _UNICODE /D HAVE_WINLDAP_H /D HAVE_ASSERT_H  /D ZABBIX_SERVICE /D "_VC80_UPGRADE=0x0600" /D HAVE_IPV6 /TC /DPCRE_STATIC /DHAVE_OPENSSL
algodefs.c
c:\zabbix_src\zabbix-3.4.10\include\sysinc.h(34): fatal error C1083: Cannot open include file: 'assert.h': No such file or directory
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\SDK\ScopeCppSDK\VC\bin\cl.exe"' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\SDK\ScopeCppSDK\VC\bin\nmake.EXE"' : return code '0x2'
Stop.

Hello Mark,

you probably missing Windows 10 SDK, which also contains headers files such as assert.h etc

 The best would be an official release. Can someone check this?

sh0thub, thanks for replying!

I am using Microsoft's free VM image with Windows 10 and developer stuff already baked in. I downloaded the Win10SDK Win10SDK Setup but when I run it, I see "The features installed on this computer are up-to-date."

I searched C drive and find assert.h in two places:

C:\Program Files (x86)\Windows Kits\10\Include\10.0.17134.0\ucrt
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\SDK\ScopeCppSDK\SDK\include\ucrt

Maybe something needs to be tweaked to tell the makefile to look there?

Any more help, much appreciated!

Mark

Hello Mark,

free VM image Windows 10 with VS2017 doesn't contains compiler for c++, so first you have to install it with this steps:

1. Start Visual Studio Installer - click Modify
2. Check item "Desktop development with C++"
3. click Modify
4. It will download necessary files for compile with C++ and add command prompt shortcuts
5. Start command prompt "x64 Native Tools Command Prompt"
6. Below I will post updated howto with cmake steps to compile pcre also for VS2017, so use it instead of previous one I posted

Hope it helps

Below you will find updated howto also for VS2017, so it will work also in VS2015 and VS2017. I changed compilation of pcre with cmake, so is compiler version independent:

This howto can be use to compile zabbix agent 3.4.X with TLS support (openssl 1.1.0h) on Windows 10 Pro using VS2015 or VS2017. I tested 32-bit and  64-bit agent compilation with success:

1. Download Visual C++ 2015/2017 Build Tools from (direct link VS2015: http://go.microsoft.com/fwlink/?LinkId=691126 or VS2017 https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=BuildTools&rel=15 ). You can also use use full VS2015 or 2017 (Community or another edition)
2. Install Visual C++ 2015/2017 Build Tools, during installation check SDK for Windows 10, or
3. If you use full VS2015/2017 during installation check "Desktop development with C++" which contains c++ compiler and SDK
4. Download zabbix source files, extract using 7-zip or another software, for example to c:\zabbix_src
5. Fix some files in zabbix sources in C:\zabbix_src\build\win32\project to successfully compile:
   • Change line in resources.rc file from #include "afxres.h" to #include "windows.h - not necessary from zabbix 3.4.6 and newer
   • Change line in Makefile_sender_dll file from ..\..\..\src\zabbix_sender\win32\zabbix_sender.o to ..\..\..\src\zabbix_sender\zabbix_sender.o
6. Download and install OpenSSL 1.1.0h (Full, not Light) from https://slproweb.com/products/Win32OpenSSL.html
   • For compile 64-bit zabbix agent download Win64 OpenSSL v1.1.0h - https://slproweb.com/download/Win64OpenSSL-1_1_0h.exe
   • For compile 32-bit zabbix agent download Win32 OpenSSL v1.1.0h - https://slproweb.com/download/Win32OpenSSL-1_1_0h.exe 
7. Download PCRE library (new mandatory library for zabbix 3.4) from pcre.org, version 8.XX, not pcre2 (ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.41.zip)
8. Extract to directory C:\pcre-8.41:
   • for 64-bit to c:\pcre-8.41-Win64
   • for 32-bit to c:\pcre-8.41-Win32
9. Install CMake from https://cmake.org/download/, during install select: Add CMake to system PATH for all users (tested version 3.9.4)
10. Run VC shell:
    • For compile 64-bit zabbix agent run x64 Native Tools Command Prompt
    • For compile 32-bit zabbix agent run x86 Native Tools Command Prompt
11. Create directory build, output in C:\pcre-8.41-(Win32|Win64)
    • cd C:\pcre-8.41-(Win32|Win64)
    • mkdir build
    • mkdir output
    • cd build
12. Run cmake command:
    • for 32-bit:
      • cmake -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=C:\pcre-8.41-Win32\output -DPCRE_BUILD_PCRECPP=OFF -DPCRE_SUPPORT_UNICODE_PROPERTIES=ON -DPCRE_SUPPORT_UTF=ON -DCMAKE_C_FLAGS_RELEASE:string="/MT" ..
    • for 64-bit:
      • cmake -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=C:\pcre-8.41-Win64\output -DPCRE_BUILD_PCRECPP=OFF -DPCRE_SUPPORT_UNICODE_PROPERTIES=ON -DPCRE_SUPPORT_UTF=ON -DCMAKE_C_FLAGS_RELEASE:string="/MT" ..
13. Compile pcre library with:
    • nmake install
14. cd to extracted zabbix sources, subfolder build\win32\project:
    • CD C:\zabbix_src\build\win32\project
15. Run nmake with these parameters:
    • For compile 32-bit zabbix agent run:
      • nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib" PCREINCDIR=c:\pcre-8.41-Win32\output\include PCRELIBDIR=c:\pcre-8.41-Win32\output\lib
    • For compile 64-bit zabbix agent run:
      • nmake CPU=AMD64 TLS=openssl TLSINCDIR="C:\OpenSSL-Win64\include" TLSLIBDIR="C:\OpenSSL-Win64\lib" PCREINCDIR=c:\pcre-8.41-Win64\output\include PCRELIBDIR=c:\pcre-8.41-Win64\output\lib
16. Note: nmake without specified Makefile compile zabbix_agentd, zabbix_sender, zabbix_get and zabbix_sender_dll. If you only want one component, add corresponding parameter at the end of nmake command:
    • /f Makefile_agent
    • /f Makefile_get
    • /f Makefile_sender
    • /f Makefile_sender_dll
17. Compiled binaries will be in:
    • For 64-bit: C:\zabbix_src\bin\win64
    • For 32-bit: C:\zabbix_src\bin\win32
18. Copy these openssl dll to directory, where you built binaries (you need to copy these files to directory, where you have zabbix_agentd.exe, or zabbix_sender, zabbix_get)
    • For 64-bit: C:\OpenSSL-Win64\bin\msvcr120.dll, C:\OpenSSL-Win64\libcrypto-1_1.dll, C:\OpenSSL-Win64\libssl-1_1.dll
    • For 32-bit: C:\OpenSSL-Win32\bin\msvcr120.dll, C:\OpenSSL-Win32\libcrypto-1_1.dll, C:\OpenSSL-Win32\libssl-1_1.dll

Compiled agent 3.4.11 with TLS support you can found in attachments: zabbix-3.4.11-openssl1.1.0h-win64.zip, zabbix-3.4.11-openssl1.1.0h-win32.zip

I hope zabbix 4.0 will directly contain pre-compiled zabbix-agent with TLS support

Happy monitoring

Happy morning! Can you create a script to run on cloud instance?

[sh0thub|http://https://support.zabbix.com/secure/ViewProfile.jspa?name=sh0thub|http://https//support.zabbix.com/secure/ViewProfile.jspa?name=sh0thub],] thanks so much for your instructions!

I am now much closer, but am still having an issue when I get to the last step with nmake. I tried 32 and 64 bit but get a similar error on both. Did I maybe miss a step?

c:\zabbix_src\build\win32\project>nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib" PCREINCDIR=c:\pcre-8.41-Win32\output\include PCRELIBDIR=c:\pcre-8.41-Win32\output\lib

.........................
Lots of stuff...
then....................

Microsoft (R) Program Maintenance Utility Version 14.14.26430.0
Copyright (C) Microsoft Corporation.  All rights reserved.

        cl.exe ..\..\..\src\zabbix_sender/win32\zabbix_sender.c /Fo"..\..\..\src\zabbix_sender\win32\zabbix_sender.o" /I ..\..\..\src\zabbix_sender /I .\ /I ..\include /I ..\..\..\include /I "c:\pcre-8.41-Win32\output\include" /I "C:\OpenSSL-Win32\include"  /D NDEBUG /D ZBX_EXPORT /Fdzabbix_sender.dll.pdb /D NDEBUG /nologo /O2 /Ob1 /GF /FD /EHsc /MT /Gy /W3 /c /D _WINDOWS /D _WIN32_WINNT=0x0501  /D _CONSOLE /D UNICODE /D _UNICODE /D HAVE_WINLDAP_H /D HAVE_ASSERT_H  /D ZABBIX_SERVICE /D "_VC80_UPGRADE=0x0600" /D HAVE_IPV6 /TC /DPCRE_STATIC /DHAVE_OPENSSL
zabbix_sender.c
        link.exe ..\..\..\src\libs\zbxcommon\comms.o  ..\..\..\src\libs\zbxcommon\iprange.o  ..\..\..\src\libs\zbxcommon\misc.o  ..\..\..\src\libs\zbxcommon\str.o  ..\..\..\src\libs\zbxcommon\xml.o  ..\..\..\src\libs\zbxcommon\zbxgetopt.o  ..\..\..\src\libs\zbxcomms\comms.o  ..\..\..\src\libs\zbxconf\cfg.o  ..\..\..\src\libs\zbxcrypto\base64.o  ..\..\..\src\libs\zbxjson\json.o  ..\..\..\src\libs\zbxjson\json_parser.o  ..\..\..\src\libs\zbxlog\log.o  ..\..\..\src\libs\zbxsys\mutexs.o  ..\..\..\src\libs\zbxsys\symbols.o  ..\..\..\src\libs\zbxsys\threads.o  ..\..\..\src\libs\zbxwin32\fatal.o  ..\..\..\src\zabbix_sender\win32\zabbix_sender.o ..\..\..\src\libs\zbxcrypto\tls.o zabbix_sender.res /NOLOGO /MACHINE:X86 /DLL /INCREMENTAL:NO /MANIFEST /MANIFESTFILE:"zabbix_sender.dll.manifest"  /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /SUBSYSTEM:CONSOLE /DYNAMICBASE:NO  /PDB:..\..\..\bin\win32\dev\zabbix_sender.pdb /OUT:..\..\..\bin\win32\dev\zabbix_sender.dll ws2_32.lib psapi.lib pdh.lib Wldap32.lib advapi32.lib uuid.lib Iphlpapi.lib "c:\pcre-8.41-Win32\output\lib\pcre.lib" "c:\pcre-8.41-Win32\output\lib\pcreposix.lib" "C:\OpenSSL-Win32\lib\libcrypto.lib" "C:\OpenSSL-Win32\lib\libssl.lib"
   Creating library ..\..\..\bin\win32\dev\zabbix_sender.lib and object ..\..\..\bin\win32\dev\zabbix_sender.exp
tls.o : error LNK2001: unresolved external symbol _configured_tls_connect_mode
tls.o : error LNK2001: unresolved external symbol _configured_tls_accept_modes
tls.o : error LNK2001: unresolved external symbol _CONFIG_PASSIVE_FORKS
tls.o : error LNK2001: unresolved external symbol _CONFIG_ACTIVE_FORKS
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_CONNECT
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_ACCEPT
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_CA_FILE
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_CRL_FILE
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_SERVER_CERT_ISSUER
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_SERVER_CERT_SUBJECT
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_CERT_FILE
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_KEY_FILE
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_PSK_IDENTITY
tls.o : error LNK2001: unresolved external symbol _CONFIG_TLS_PSK_FILE
..\..\..\bin\win32\dev\zabbix_sender.dll : fatal error LNK1120: 14 unresolved externals
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\bin\HostX86\x86\link.exe"' : return code '0x460'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\bin\HostX86\x86\nmake.EXE"' : return code '0x2'
Stop.

Hello Mark,

yes you forgotten step 5.: change line 52 in file Makefile_sender_dll (remove word "win32" from that line)

• From: ..\..\..\src\zabbix_sender\win32\zabbix_sender.o
• To: ..\..\..\src\zabbix_sender\zabbix_sender.o

But it is not a big problem for you, because you have already successfully compiled zabbix_agentd.exe, zabbix_sender.exe, because Makefile compiles binaries in this order: zabbix_agentd, zabbix_sender, zabbix_sender_dll, zabbix_get. Compilation process stopped at step zabbix_sender_dll, so you don't have zabbix_sender_dll and zabbix_get. Zabbix_sender_dll is not very important, it's only a dll for development purposes, you don't need it.

So you have 3 options:

• Either fix Makefile_sender_dll file as described above (or step 5.), and run command again (so it will compile all zabbix components)
• Or you can run compilation only for necessary components in one step (then you can skip step fix Makefile_sender_dll). For example to compile only agent, sender and get in one step you can add this parameter to the end of nmake command (/f Makefile agent sender get)
  • For 32-bit:
    • nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib" PCREINCDIR=c:\pcre-8.41-Win32\output\include PCRELIBDIR=c:\pcre-8.41-Win32\output\lib /f Makefile agent sender get
  • For 64-bit:
    • nmake CPU=AMD64 TLS=openssl TLSINCDIR="C:\OpenSSL-Win64\include" TLSLIBDIR="C:\OpenSSL-Win64\lib" PCREINCDIR=c:\pcre-8.41-Win64\output\include PCRELIBDIR=c:\pcre-8.41-Win64\output\lib /f Makefile agent sender get
• Or if you want compile only one component at once, use instruction in step 16.:
  • For example to compile only agent, add /f Makefile_agent to the end of nmake command

Hope this helps

sh0thub, thank you, so much!!

FYI, the reason Zabbix is not providing binaries with SSL support is due to licensing/legal issues. Unless some smart legal person tells them how to resolve those, I think we'll be building our own binaries for the foreseeable future. They confirm that here Zabbix Issue 13371 Documenting Build.

You have provided a great service to everyone by creating the documentation and your helpful tips. I did make a suggestion on 13371 on how this could be further improved, but you have really made it as easy as it can be. Much appreciated!

Mark

Hi Mark,

if it is a licensing/legal issues, that blocks the release for a Zabbix Agent with TLS on Windows you should have a look to [wolfSSL|https://www.wolfssl.com/.]
It's licensed with GPLv2 like Zabbix so there should be no problems with the license and it is available for Windows.

Hope this helps to get a official binary in the future.

Thomas

MarkD, besides monitoring RAM > 4 GB, 64-bit agent can be useful when monitoring files > 4 GB.

dimir, thanks, that is interesting.

My understanding of 32 vs 64 in general is that 64 bit is only needed to allocate more than 4GB of RAM. For MS Office, almost everyone uses 32 bit. To open a spreadsheet > 4GB you'd need the 64 bit version but that would be a very unusual spreadsheet.

Can you be more specific on the limitations of the 32 bit Agent? Would the 32 bit Agent be able to tell me that a file is 5GB in size? What kind of monitoring would it not be able to do?

Thanks!

Mark

<dimir> I might be wrong, according to the note here
https://www.zabbix.com/documentation/3.4/manual/concepts/agent
a 32-bit agent should be working the same way as 64-bit.

Mark, meta-comment - you can use [~dimir]

richlv thanks much. That's much easier!

sh0thub I must be doing something wrong. For the last few days I have been playing with Zabbix unencrypted. Now that I have that working, I am trying to use PSK using the stuff I built with your help.

When I try to start the Windows service on my Win7-32 test sytsem with PSK enabled, it does not start.

I try to run it from the command line and it complains that it was compiled without TLS Support.

C:\zabbix>zabbix_agentd -c c:\zabbix\zabbix_agentd.win.conf
zabbix_agentd [1756]: "TLSConnect" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
zabbix_agentd [1756]: "TLSAccept" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
zabbix_agentd [1756]: "TLSPSKIdentity" configuration parameter cannot be used: Zabbix agent was compiled without TLS support
zabbix_agentd [1756]: "TLSPSKFile" configuration parameter cannot be used: Zabbix agent was compiled without TLS support

I do have the SSL DLLs in the Zabbix Agent folder:

 Directory of C:\zabbix

07/11/2018  01:03 PM    <DIR>          .
07/11/2018  01:03 PM    <DIR>          ..
07/04/2018  06:10 PM    <DIR>          conf.d
03/27/2018  08:45 AM         2,094,592 libcrypto-1_1.dll
03/27/2018  08:45 AM           375,808 libssl-1_1.dll
03/27/2018  08:45 AM           970,912 msvcr120.dll
07/11/2018  12:48 PM    <DIR>          openssl
07/04/2018  06:12 PM    <DIR>          scripts
06/04/2018  04:40 AM           513,024 zabbix_agentd.exe
07/11/2018  12:53 PM             2,487 zabbix_agentd.log
07/11/2018  12:50 PM                66 zabbix_agentd.psk
07/11/2018  12:54 PM            10,031 zabbix_agentd.win.conf
06/04/2018  04:40 AM           121,856 zabbix_get.exe
06/04/2018  04:40 AM           163,840 zabbix_sender.exe

When building, the only thing I know I did differently  from your instructions was that I copied the c:\OpenSSL-Win32 and c:\OpenSSL-Win64 from another machine rather than doing the OpenSSL installation directly on the dev machine. Could that be the problem?

Thanks much!

Mark

Hello MarkD

you probably by mistake only copied wrong files without TLS support (from offical source tar.gz file I guess), because your exe files are too small. For example zabbix_agentd.exe should have cca. 670kB and yours only have 513kB.

How to verify TLS support:

1. For Zabbix agent: You should see TLS support YES in zabbix_agentd.log log file:

**** Enabled features ****
IPv6 support:          YES
TLS support:           YES
**************************

 2. For zabbix_get and zabbix_sender: Run from command line and check if the output print some options starting with --tls-*

Hello palivoda

i think that that easiest way will be probably build agent using some cloud service, for example AppVeyor (https://www.appveyor.com/) which is free for open-source projects, check this.

Thanks sh0thub, in the log, TLS support: NO and zabbix_sender command line doesn't show anything about TLS, so there's no doubt I am missing it.

What's weird is that there is that I only see one set of source here: Zabbix 3.4 Sources i.e. I don't see TLS source and non-TLS source. I used 3.4.10 and there is now a 3.4.11. Maybe I messed up somehow in extracting the .tar.gz. I'll try that again and report back.

Hello MarkD, you probably miss some information. There are only one zabbix source file tar.gz (zabbix-VERSION.tar.gz), which already contains precompiled zabbix agent binaries for windows in directories bin/win32 and bin/win64, BUT WITHOUT TLS support. So you have to use my howto compile steps to compile your own binaries with TLS support. After successful own compilation, original binaries will be rewrited by new compiled. You probably compiled own binaries with TLS support, but by accident copied and use original binaries from official source tar.gz file. Hope this helps.

Thanks!

I went back to the Win 10 Dev Machine and copied the SSL DLLs into the Bin\Win64 and Bin\Win32 folders and ran zabbix_sender.exe from each.

The Win64 one shows the TLS stuff but the Win32 one doesn't. Could I have done something else wrong with the build? Do you see TLS options on your Win32 zabbix_sender.exe?

Hello MarkD

1. if you compiled 64-bit agent and want also 32-bit agent, you need to compile it once again using my instructions (use steps for 32-bit).
2. if you try to compile both version (32-bit and 64-bit) from same extracted directory:
   • either extract zabbix source files again to another directory
   • or before compilation second one, you have to clean compilation state with this command: Use same parameters as compilation in step 15. and add parameter clean to the end of command

So if you first compile 64-bit agent, and after that 32-bit (using x86 Native Tools Command Prompt of course), before compilation 32-bit clean compilation state first using command:

nmake CPU=i386 TLS=openssl TLSINCDIR="C:\OpenSSL-Win32\include" TLSLIBDIR="C:\OpenSSL-Win32\lib" PCREINCDIR=c:\pcre-8.41-Win32\output\include PCRELIBDIR=c:\pcre-8.41-Win32\output\lib clean

and after that run compilation of 32-bit agent again

And yes I see TLS options correctly also for Win32 binaries.

sh0thub, much, much thanks for  your patience and help!!

I have everything working now, I think

FYI, I also found that the following fix is needed to get zabbix_get.exe to compile with TLS

Change line in Makefile_sender_dll file
    From: ..\..\..\src\zabbix_sender\win32\zabbix_sender.o
    To: ..\..\..\src\zabbix_sender\zabbix_sender.o

Hello @sh0thub

When using the 32-bit agent that I've compiled myself (also tested the others attached here) on an 32bit Windows server 2003 sp2

I get the below error, the agents work fine on all our other non 2003 servers.

C:\Program Files\test>zabbix_agentd.exe
Access is denied.

When i use the client provided without TLS support it works fine.. but i want TLS  

Any ideas what could cause this?

Yes i know server 2003 is old but i have to deal with it...

Thanks!

Hi @ll,

I ran in some issues with sh0thub howto as i tried to create the latest 3.0.22 x64 agent with tls support.

Perhaps someone with a correct enviroment could be so nice an create the x64 agent and upload it here

That would be really great.
Otherwise I have to invest more time to crack the nut and retry everything.

Any new infos if the 4.0 agent will have TLS support on board by default?

Best regards ...

Sebastian

an official package will be the best solution. So far there are no comprehensible reasons that speak against it.

Everybody that would like to have Zabbix agent installer for Windows, please vote here:

https://support.zabbix.com/browse/ZBXNEXT-2473

This particular issue is about different thing.

Hello egnirra

the problem with running agents on Windows 2003 is probably due to compilation with Windows 10 SDK, that doesn't support Windows 2003. I think, that you have to compile it using older windows version and SDK (Windows 7 for example).
 

Agents published for 4.0 version - https://www.zabbix.com/download_agents

thank you!

(1) I get the following error after downloading from a website and it should be fixed:

Link on how to build statically
https://wiki.openssl.org/index.php/Compilation_and_Installation#Windows

ensure you start afresh and notably without linkable products from a previous 32bit compile (as 32 and 64 bits compiling still share common directories) with the command: nmake -f ms\ntdll.mak clean for the DLL target and nmake -f ms\nt.mak clean for static libraries.

<viktors.tjarve> RESOLVED in r85924.

andris CLOSED

Finally! Thanks! It works great

For those that have the libcrypto missing, just install https://slproweb.com/download/Win64OpenSSL-1_1_1.exe (or Win32 for those requiring it) and choose "The windows system directory".

OK, so now we have official Zabbix Agent packages supporting SSL but not coming with the necessary libraries themselves?

I see an issue here with users trying the agent and getting an error. I also see a huge issue in having to install another package that dumps around 1000 files sized 200Megs in total to the disk just to be able to use the "lightweight" Zabbix agent. At least in the environment where I am working right now this is a problem.

Is it enought to copy the dll file mentioned in the error message above to the agent's /bin directory on all installs? Or do we really need to install the whole package? Why not delivering the agent as a working package including the needed libs? For someone like me who did not follow this whole discussion message-by-message this is rather confusing.

We work on version of agents compiled with static links. 

please read the last posts of this thread.

This is exactly what I did

We have resolved issue with building Zabbix agent for Windows and now OpenSSL libraries will be compiled in statically. I have added binary files here for 4.0.0 Zabbix agent for Windows with OpenSSL. They have been tested by Zabbix team on several different Windows machines and everything is working. Since it's clear that there is great interest about latest pre-compiled Zabbix agents for different platforms especially Windows agents with encryption we are putting effort into automation of official releases with every new release of Zabbix stable version.

I ask if the members of our community could test binary files of 4.0.0 I've added and let us know if you find anything we might have missed.

[^zabbix_agents-4.0.0-win-amd64-openssl.zip] 

[^zabbix_agents-4.0.0-win-i386-openssl.zip]

How to compile OpenSSL from sources on MS Windows 10 (64-bit)

1. For compiling OpenSSL you will need on Windows machine:

• C compiler (I used VS 2017 RC),
• NASM (https://www.nasm.us/),
• Perl (I used Strawberry Perl from http://strawberryperl.com ),
• Perl module Text::Template
  (cpan Text::Template).

2. Get OpenSSL sources from https://www.openssl.org/. I used OpenSSL 1.1.1.
3. Unpack OpenSSL sources, for example, in E:\openssl-1.1.1.
Open commandline window "x64 Native Tools Command Prompt for VS 2017 RC".
Go to OpenSSL source directory, e.g. E:\openssl-1.1.1.
Check that NASM can be found:

e:\openssl-1.1.1> nasm --version
NASM version 2.13.01 compiled on May  1 2017

4. Configure OpenSSL, for example:

e:\openssl-1.1.1> perl E:\openssl-1.1.1\Configure VC-WIN64A no-shared no-capieng no-srp no-gost no-dgram no-dtls1-method no-dtls1_2-method  --api=1.1.0 --prefix=C:\OpenSSL-Win64-111-static --openssldir=C:\OpenSSL-Win64-111-static

Note the option 'no-shared'. It turns out that if 'no-shared ' is used then the OpenSSL static libraries libcrypto.lib and libssl.lib will be 'self-sufficient' and resulting Zabbix binaries will include OpenSSL in themselves, no need for external OpenSSL DLLs. Advantage: Zabbix binaries can be copied to other Windows machines without OpenSSL libraries. Disadvantage: when a new OpenSSL bugfix version is released, Zabbix agent needs to recompiled and reinstalled.

If 'no-shared ' is not used, then the static libraries libcrypto.lib and libssl.lib will be using OpenSSL DLLs at runtime. Advantage: when a new OpenSSL bugfix version is released, probably you can upgrade only OpenSSL DLLs, without recompiling Zabbix agent. Disadvantage: copying Zabbix agent to other machine requires copying OpenSSL DLLs, too.

5. Compile OpenSSL, run tests, install:

e:\openssl-1.1.1> nmake
e:\openssl-1.1.1> nmake test
...
All tests successful.
Files=152, Tests=1152, 501 wallclock secs ( 0.67 usr +  0.61 sys =  1.28 CPU)
Result: PASS
e:\openssl-1.1.1> nmake install_sw

"install_sw" installs only software components (i.e. libraries, header files, but no documentation). If you want everything, use "nmake install".

<viktors.tjarve> To configure OpenSSL for Zabbix agent use on Windows XP/Server 2003 (32-bit in this case):

e:\openssl-1.1.1> perl E:\openssl-1.1.1\Configure VC-WIN32 no-shared no-capieng no-srp no-gost no-dgram no-dtls1-method no-dtls1_2-method  --api=1.1.0 --prefix=C:\OpenSSL-Win32-111-static --openssldir=C:\OpenSSL-Win32-111-static LDFLAGS="/nologo /debug /SUBSYSTEM:CONSOLE,5.01" CPPFLAGS="-D\"_WIN32_WINNT=0x0501\""

How to compile Zabbix 3.0 with OpenSSL from sources on MS Windows 10 (64-bit)

Previous comment described OpenSSL compilation. Now - Zabbix compilation.
Support for OpenSSL 1.1.1 has been added very recently, in 3.0.23, some other fixes - in 3.0.24rc1.

1. On a Linux machine check out source from SVN:

$ svn co svn://svn.zabbix.com/tags/3.0.24rc1
$ cd 3.0.24rc1/
$ ./bootstrap.sh
$ ./configure --enable-agent --enable-ipv6 --prefix=`pwd`
$ make dbschema
$ make dist

2. Copy and unpack archive, e,g. zabbix-3.0.24rc1.tar.gz, to Windows machine.
3. Let's assume that sources are in e:\zabbix-3.0.24rc1. Open commandline window "x64 Native Tools Command Prompt for VS 2017 RC". Go to e:\3.0.24rc1\build\win32\project.
4. Compile zabbix_get, sender and agent:

E:\ zabbix-3.0.24rc1\build\win32\project> nmake /K -f Makefile_get TLS=openssl TLSINCDIR="C:\OpenSSL-Win64-111-static\include" TLSLIBDIR="C:\OpenSSL-Win64-111-static\lib"
E:\ zabbix-3.0.24rc1\build\win32\project> nmake /K -f Makefile_sender TLS=openssl TLSINCDIR="C:\OpenSSL-Win64-111-static\include" TLSLIBDIR="C:\OpenSSL-Win64-111-static\lib"
E:\ zabbix-3.0.24rc1\build\win32\project> nmake /K -f Makefile_agent TLS=openssl TLSINCDIR="C:\OpenSSL-Win64-111-static\include" TLSLIBDIR="C:\OpenSSL-Win64-111-static\lib"

5. New binaries are located in e:\zabbix-3.0.24rc1\bin\win64. Since OpenSSL was compiled with "no-shared" option, Zabbix binaries contain OpenSSL within themselves and can be copied to other machines without OpenSSL.

By the way, OpenSSL linking exception is being added to README file as

Exception for linking with OpenSSL

In addition, as a special exception, we give permission to link the code
of Zabbix with the OpenSSL project's "OpenSSL" library (or with modified
versions of it that use the same license as the "OpenSSL" library), and
distribute the linked executables.

Not yet released, but available in svn://svn.zabbix.com/branches/dev/DEV-921.

Great news!

Question:

My server is running 3.4. Would it be helpful/can I run the 4.0 Agents against the 3.4 server?

Issue with compilation errors on Windows platform with static OpenSSL libraries is fixed.
Released in:

• 3.0.24rc1 r86198
• 3.4.15rc1 r86199
• 4.0.2rc1 r86200
• 4.2.0alpha1 r86201

Fixed issues with running agents on Windows XP/Server 2003 and added zip files with compiled agents (v4.0.1) here.
It would be highly appreciated if someone would have time to try these builds and leave feedback here. Thanks.
zabbix_agent-4.0.1-win-i386-openssl.zip (Removed)
zabbix_agent-4.0.1-win-i386.zip (Removed)
zabbix_agent-4.0.1-win-amd64-openssl.zip (Removed)
zabbix_agent-4.0.1-win-amd64.zip (Removed)

Current latest:
zabbix_agent-4.0.2rc1-win-amd64.zip
zabbix_agent-4.0.2rc1-win-amd64-openssl.zip
zabbix_agent-4.0.2rc1-win-i386.zip
zabbix_agent-4.0.2rc1-win-i386-openssl.zip

Tested [^zabbix_agent-4.0.1-win-i386.zip] on 32-bit Windows 2003 server that had issues starting 4.0.0 downloaded from zabbix.com and it appears to be starting and sending information to server as expected. Thank you!

Tested [^zabbix_agent-4.0.1-win-amd64-openssl.zip] on 64-bit Windows 2012 R2 server that had issues starting 4.0.0 downloaded from zabbix.com and it appears to be starting and sending information to server as expected.

Thanks!

Fixed issues with running agent on Windows 32bit XP and Server 2003.

Released in:

• 3.0.24rc1 r86716
• 4.0.2rc1 r86717
• 4.2.0alpha1 r86719

zabbix_agent-4.0.1-win-amd64-openssl.zip fails for me on Windows Server 2012 R2 Standard:

9124:20181113:150835.313 active check configuration update from [172.16.0.26:10051] started to fail (TCP successful, cannot establish TLS to [[172.16.0.26]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error")

And the server says:

10232:20181113:152535.535 Message from 172.16.0.7 is missing header. Message ignored.

Hi Raphael,

Tested zabbix_agentd.exe from zabbix_agent-4.0.1-win-amd64-openssl.zip on Windows Server 2012 R2. I've setup active agent with PSK and it worked as expected.

Have you had different Zabbix agent with OpenSSL working on the same platform with the same configuration before?

Freshly compiled 4.0.2rc1 with fixed issues for XP-64bit and Server 2003 64bit:
zabbix_agent-4.0.2rc1-win-i386-openssl.zip
zabbix_agent-4.0.2rc1-win-i386.zip
zabbix_agent-4.0.2rc1-win-amd64-openssl.zip
zabbix_agent-4.0.2rc1-win-amd64.zip

Viktor,

to clarify: it seems to work (both active and passive checks), but I do get the error/info messages mentioned above.

To my knowledge this is the very first time a Zabbix agent was installed on the system. How can I check if that is the case (and in how far does it matter?).

Edit: I just deployed the agent on a second Windows server (same OS) that most definitely never had a Zabbix agent running before and it's showing the exact same symptoms.

Which version of Zabbix server are you using n3rd

$ zabbix_server --version | head -n 2
zabbix_server (Zabbix) 4.0.1
Revision 86073 29 October 2018, compilation time: Oct 29 2018 16:45:05

The agent is 4.0.2rc1 from above (also tried 4.0.1)

Sounds like ZBX-14856 but looks like you are up to date, maybe fix is missing on windows

Raphael,

when a log entry like the one you added to your comment is received nothing should be working. There simply is no connection. If something seem to be working then what's working is something else. I suspect a misconfiguration at one or the other end.

Viktor,

it most definitely works (partially). The ZBX-indicator for the host is green and I can retrieve data from the Windows machine:

$ zabbix_get --tls-connect psk --tls-psk-identity SRV-AD2 --tls-psk-file /home/pigulla/.tlspsk --host 172.16.0.6 --key agent.ping
1

On the other end, though, sending data fails:

C:\Program Files\zabbix-agent>zabbix_sender.exe -vv --zabbix-server 172.16.0.26 --tls-connect psk --tls-psk-identity SRV-AD2 --tls-psk-file C:\Progra~1\zabbix-agent\zabbix_agent.psk --host SRV-AD2 --key agent.ping --value 1

zabbix_sender.exe [5376]: DEBUG: OpenSSL library (version OpenSSL 1.1.1  11 Sep 2018) initialized
zabbix_sender.exe [5376]: DEBUG: In zbx_tls_init_child()
zabbix_sender.exe [5376]: DEBUG: zbx_tls_init_child() loaded PSK identity "SRV-AD2"
zabbix_sender.exe [5376]: DEBUG: zbx_tls_init_child() loaded PSK from file "C:\Progra~1\zabbix-agent\zabbix_agent.psk"
zabbix_sender.exe [5376]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender.exe [5376]: DEBUG: End of zbx_tls_init_child()
zabbix_sender.exe [6120]: DEBUG: In zbx_tls_connect(): psk_identity:"SRV-AD2"
zabbix_sender.exe [6120]: DEBUG: zbx_psk_client_cb() requested PSK identity "SRV-AD2"
zabbix_sender.exe [6120]: DEBUG: End of zbx_tls_connect():FAIL error:'SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error"'
zabbix_sender.exe [6120]: DEBUG: send value error: TCP successful, cannot establish TLS to [[172.16.0.26]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error"
Sending failed.

So, "zabbix_get" works from server machine. Can you try "zabbix_get" from Windows machine - to agent running on Windows machine ?

Sure!

C:\Program Files\zabbix-agent>zabbix_get.exe --host 172.16.0.6 --tls-connect psk --tls-psk-identity SRV-AD2 --tls-psk-file C:\Progra~1\zabbix-agent\zabbix_agent.psk --key agent.ping

zabbix_get.exe [5512]: Get value error: TCP successful, cannot establish TLS to [[172.16.0.6]:10050]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error"

Hmm... I could  not reproduce it on Win 10 Pro with binaries from zabbix_agent-4.0.1-win-amd64-openssl.zip.
Do you have the same version and revision in 1st line in zabbix_agentd.log:

   3460:20181115:110436.039 Starting Zabbix Agent [Windows 10 virtual host OpenSSL]. Zabbix 4.0.1 (revision 86073).

Yes, I use that exact version and revision. I'm also having the exact same issue with a Windows 7 client, so I suppose it has nothing to do with the Windows environment, if that's of any help.

Hi All,

help my what happened with agentd or am I doing something non correct.

Hi Bahodir,
Try the binary files added some comments above:

• zabbix_agent-4.0.2rc1-win-amd64.zip
• zabbix_agent-4.0.2rc1-win-amd64-openssl.zip
• zabbix_agent-4.0.2rc1-win-i386.zip
• zabbix_agent-4.0.2rc1-win-i386-openssl.zip

Andris,

is there anything we can do on our end to help resolve the issue? It persists on multiple Windows machines and we even re-installed the Zabbix server (for other reasons)

Hi, Raphael!

All examples you described illustrate how it looks from the client side (zabbix_get, zabix_sender, zabbix_agent connecting to server to get list of active checks).
Can you show a piece of log file from side which accepts the TLS connection ? You could set DebugLevel=4 in zabbix_agent config, restart it, then try with zabbix_get to see how the errror shows in zabbix_agent log.

Tested on Server 2016 x64 and it works great! Initially had some errors but it was purely related to missing / incorrect items in the agent config - triple-check your agent config (PSK, etc) if you are having issues; the errors are not very verbose unless you enable verbose logging

Thanks for feedback

Hey Andris,

I've cranked up the log level on both the agent and the server but I can see nothing useful. There's a lot going on so it is difficult for me to discern what is relevant and what isn't.

On the agent side there's nothing new to be seen:

  8228:20181123:154627.305 In refresh_active_checks() host:'172.16.0.26' port:10051
  8228:20181123:154627.306 In zbx_tls_connect(): psk_identity:"SRV-AD2"
  8228:20181123:154627.306 zbx_psk_client_cb() requested PSK identity "SRV-AD2"
  8228:20181123:154627.307 End of zbx_tls_connect():FAIL error:'SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error"'
  8228:20181123:154627.308 active check configuration update from [172.16.0.26:10051] started to fail (TCP successful, cannot establish TLS to [[172.16.0.26]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error")
  8228:20181123:154627.308 End of refresh_active_checks():FAIL

Not much luck on the server side either. All I can find is this message already mentioned:

Message from 172.16.0.6 is missing header. Message ignored.

What's weird is is that the SSL connection seems to work in one direction (passive checks are all good) but not in the other. Is there any way this could be a firewall-related issue?

Hi, Raphael!

Your example shows client side story of "zbx_tls_connect". There must be correponding "zbx_tls_accept" entries in the other end logs. Don't you have any zbx_tls_accept in log files (DebugLevel=4 must be set) ?

Is it a firewall distorting TLS traffic ? I dont' know, you have to experiment. OpenSSL 1.1.1 attempts to use TLS 1.3, but tries to make it like TLS 1.2 to not upset firewalls.

Message from 172.16.0.6 is missing header. Message ignored.

seems like something is wrong. You can investigate is there a firewall and talk to network team how it is configured. There were cases that firewalls break unfamiliar TLS.

Hey Andris,

I've set the debug level on the server side to 4, but all I see is that "missing header" message. There is definitely no zbx_tls_accept.

You can find the log here (the message was sent from the client at around 14:45:06).

I've also temporarily disabled the firewall on the server but nothing changed

Thanks!

I will try to check with versions you are using.

I checked with Zabbix server 4.0.1 with OpenSSL 1.1.0f (running on Linux) and  Zabbix agent binary from zabbix_agent-4.0.2rc1-win-amd64-openssl.zip (running on Windows 10 Pro) - it works as expected, both passive and active checks:

 24495:20181126:183130.605 OpenSSL library (version OpenSSL 1.1.0f  25 May 2017) initialized
 24495:20181126:183130.606 zbx_tls_init_child() PSK ciphersuites: ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
...
 24503:20181126:183136.629 In get_value_agent() host:'Windows 10 virtual host OpenSSL' addr:'xxx.xxx.xxx.xxx' key:'system.cpu.load[percpu,avg15]' conn:'TLS with PSK'
 24503:20181126:183136.629 In zbx_tls_connect(): psk_identity:"PSK Windows 10 virtual host"
 24503:20181126:183136.641 zbx_psk_client_cb() requested PSK identity "PSK Windows 10 virtual host"
 24503:20181126:183136.644 End of zbx_tls_connect():SUCCEED (established TLSv1.2 ECDHE-PSK-AES128-CBC-SHA256)
 24503:20181126:183136.644 Sending [system.cpu.load[percpu,avg15]]
 24503:20181126:183136.655 get value from agent result: '0.023041'
 24503:20181126:183136.655 End of get_value_agent():SUCCEED
...
 24508:20181126:183155.244 In zbx_tls_accept()
 24508:20181126:183155.246 zbx_psk_server_cb() requested PSK identity "PSK Windows 10 virtual host"
 24508:20181126:183155.247 End of zbx_tls_accept():SUCCEED (established TLSv1.2 ECDHE-PSK-AES128-CBC-SHA256)
 24508:20181126:183155.247 __zbx_zbx_setproctitle() title:'trapper #2 [processing data]'
 24508:20181126:183155.251 trapper got '{"request":"active checks","host":"Windows 10 virtual host OpenSSL","port":10073}'
 24508:20181126:183155.251 In send_list_of_active_checks_json()

So, I still cannot reproduce it.

Huh. Weird. Is there anything else I can try?

What is the size of your PSK (how many characters) on Windows agent ?

My guess is that your PSK ir longer that 64 characters.

If so, please try with 64 characters long PSK.

I know that documentation https://www.zabbix.com/documentation/4.0/manual/encryption/using_pre_shared_keys tells that with OpenSSL up to 512 hexadecimal digits can be used in PSK value, but OpenSSL 1.1.1 source code suggests that keys longer than 64 characters currently won't work.

Yes, that did it. Thank you, your help is much appreciated!

Hi, Raphael!

Successfully reproduced!

Max length for PSK value is 128 hex digits. Then it works

Make PSK value 130 hex digits and - error as you described

(4) [D] Documented in PSK limits and troubleshooting (for 3.0, but also should be documented for 3.4, 4.0, 4.2):

https://www.zabbix.com/documentation/3.0/manual/encryption/using_pre_shared_keys#size_limits
https://www.zabbix.com/documentation/3.0/manual/encryption/troubleshooting/psk_problems#too_long_psk_value_used_with_openssl_111

martins-v Replicated to 3.4, 4.0, 4.2. RESOLVED

andris Thanks! CLOSED

Thanks, Raphael, for finding it

Are the files mentionned by @viktors tjarve the official one to use ?

• zabbix_agent-4.0.2rc1-win-amd64-openssl.zip

Why aren't those packages on https://www.zabbix.com/download_agents ? Non-RC versions I mean.