[ZBXNEXT-3395] make client authentication optional in TLS communication with certificates Created: 2016 Aug 18  Updated: 2022 Jun 14

Status: Open
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent (G), Proxy (P), Server (S)
Affects Version/s: 3.0.3
Fix Version/s: None

Type: Change Request Priority: Major
Reporter: MarcoP Assignee: Unassigned
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Agent on Windows 2008-2012 and Linux RHEL6, server Linux RHEL6


Attachments: JPEG File proposal.jpg    
 Description   

Dear team,

we are working with agent-server communication encryption

  • two-way encryption works fine
  • we would like to have one-way encryption (asymmetric), so when the client initiates communication with the server (while keeping it unencrypted the other way around).
    The problem we have with one-way encryption is that, even if only TLSConnect is equal to "cert", so encryption should be used only for agent outbound connections, the agent will not start without an agent certificate/key as well.

I.e. agent configuration file:
Hostname=XXXXXX
LogFile=D:\zabbix\Zabbix_agentd.log
DebugLevel=4
TLSConnect=cert
TLSAccept=unencrypted
TLSCAFile=D:\eon\zabbix\zabbix_ca_file
EnableRemoteCommands=1
LogRemoteCommands=1
Server=YYYY
ServerActive=YYYY
Include=D:\zabbix\zabbix_agentd.userparams.conf

The agent on Windows will not start.

The same happens with the Linux agent, but it provides a clearer error:
Starting Zabbix agent: zabbix_agentd [16788]: ERROR: parameter "TLSConnect" value requires "TLSCertFile", but it is not defined

Is this expected, i.e. by design Zabbix is using not only encryption but also client authentication over TLS (so the server will ask the client, in this case the agent, to provide its certificate to authenticate it)? Otherwise, if this is not the intended design, can it be classified as an issue/bug?

Thanks in advance for your help
Cheers
Marco



 Comments   
Comment by MarcoP [ 2016 Aug 19 ]

Hi,
after checking this, I found it is by design (so not a bug), so it would rather be classified as a feature

◾ Zabbix uses mutual authentication.
Each side verifies its peer and may refuse connection.
For example, Zabbix server connecting to agent can close connection immediately if agent's certificate is invalid. And vice versa - Zabbix agent accepting a connection from server can close connection if server is not trusted by agent.

Comment by Aleksandrs Saveljevs [ 2016 Aug 22 ]

Yes, Zabbix daemons perform mutual authentication and this is by design. How would you then formulate the feature request?

Comment by MarcoP [ 2016 Aug 22 ]

Hi Aleksandrs,
thanks for your support.
I would ask if it would be possible to select, on the endpoint accepting the TLS connection (either Agent or Server), whether client authentication would be required or not (this selection might already be done in the current web interface).

So in this use case there would be two options:
  • the "cert" option (which would mean that when accepting a connection it should be encrypted using a certificate, but without client authentication)
  • the "cert + CA" option (certificate + client authentication): client authentication will also be enforced (which is exactly the current design).

The encryption without CA would be useful to avoid having to install and configure a certificate on the Agent, i.e. the scenario in which only the connection from the agent to the server needs to be encrypted (active). So only the server would have its certificate and would be authenticated on the agent side, while the agent would not send any certificate to the server.

PS: attached web GUI proposal of how this might be activated.
Thanks
Best Regards
Marco

Comment by Aleksandrs Saveljevs [ 2016 Aug 22 ]

So, basically, it is about not being required to configure certificates for Zabbix agents, just like with HTTPS, where only a Web server is required to present a certificate, but not clients?

Comment by MarcoP [ 2016 Aug 22 ]

Hi, yes, you got the point.
I think it would be great to have both options, selectable by the admin, really like HTTPS: if the server you are handshaking with requires client authentication, the browser prompts you to select a certificate; if not, only the server certificate is validated and the client just gets the encryption.

Thanks
Marco

Comment by Aleksandrs Saveljevs [ 2016 Aug 22 ]

Thank you! I have updated the issue title and moving it to ZBXNEXT project.

Note that if it is desired to only configure a certificate on Zabbix server, but not on the agents, then it will prevent passive checks from working. With passive checks, Zabbix server connects to Zabbix agents, so Zabbix server acts as a TLS client and Zabbix agents act as TLS servers. If Zabbix agents (TLS servers) do not have certificates, then it will probably not work, because TLS servers are more or less required to have certificates (see also http://security.stackexchange.com/questions/38589/can-https-server-configured-without-a-server-certificate).

If you just need a cheaper and easier encryption scheme, you can use PSK in the meanwhile.
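Added example (not Zabbix project code and not part of this issue): a small Python linter for the TLS parameters of a zabbix_agentd.conf. It models the start-up rule behind the error quoted in the description ("TLSConnect" value requires "TLSCertFile") and, following the last comment, reports per connection direction which side has to hold a certificate today (mutual authentication) and which side would under the one-way, HTTPS-style mode requested here. The parameter names (TLSConnect, TLSAccept, TLSCAFile, TLSCertFile, TLSKeyFile, TLSPSKIdentity, TLSPSKFile) are the real agent parameters; the rule set is a simplified model of the agent's validation, not a copy of its source, and the embedded configurations are constructed samples with placeholder paths.

```python
# Added example (not Zabbix project code): a small linter for the TLS
# parameters of a zabbix_agentd.conf. It models the start-up rule quoted in
# this issue ("TLSConnect" value "cert" requires "TLSCertFile") and reports,
# per connection direction, which side has to hold a certificate today and
# which side would under the server-authenticated-only mode requested here.
# The parameter names are the real agent parameters; the rule set is a
# simplified model of the agent's validation, not a copy of its source.

CERT_PARAMS = ("TLSCAFile", "TLSCertFile", "TLSKeyFile")
PSK_PARAMS = ("TLSPSKIdentity", "TLSPSKFile")


def parse_agent_conf(text):
    """Parse the Key=Value lines of an agent configuration file.

    Blank lines and '#' comments are skipped; Include= is recorded but not
    followed, because this runs offline on an embedded sample.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def tls_modes(conf):
    """Return (outgoing mode, set of accepted modes), using agent defaults."""
    connect = conf.get("TLSConnect", "unencrypted")
    accept = {m.strip() for m in conf.get("TLSAccept", "unencrypted").split(",")}
    return connect, accept


def tls_problems(conf):
    """List the reasons the agent would refuse to start with this config.

    Mutual-authentication rule: "cert" in either direction needs CA,
    certificate and key; "psk" in either direction needs identity and PSK
    file. Messages follow the wording of the agent error quoted above.
    """
    connect, accept = tls_modes(conf)
    problems = []
    for mode, params in (("cert", CERT_PARAMS), ("psk", PSK_PARAMS)):
        if connect == mode:
            source = "TLSConnect"
        elif mode in accept:
            source = "TLSAccept"
        else:
            continue
        for p in params:
            if p not in conf:
                problems.append('"%s" value requires "%s", but it is not defined' % (source, p))
    return problems


def cert_holders(conf):
    """Which peers must present a certificate, per connection direction.

    'current': Zabbix authenticates both peers, so "cert" in either
    direction means agent and server both need certificates.
    'requested': the one-way mode asked for in this issue, modelled on
    HTTPS, where only the TLS server side presents a certificate. For
    active checks that is the Zabbix server; for passive checks the agent
    is the TLS server and still needs one, so the proposal cannot remove
    the agent certificate when TLSAccept includes "cert".
    """
    connect, accept = tls_modes(conf)
    holders = {}
    if connect == "cert":
        holders["active checks (agent -> server)"] = {
            "current": {"agent", "server"}, "requested": {"server"}}
    if "cert" in accept:
        holders["passive checks (server -> agent)"] = {
            "current": {"agent", "server"}, "requested": {"agent"}}
    return holders


# Constructed sample, modelled on the configuration quoted in this issue.
POSTED_CONF = r"""
Hostname=XXXXXX
LogFile=D:\zabbix\Zabbix_agentd.log
DebugLevel=4
TLSConnect=cert
TLSAccept=unencrypted
TLSCAFile=D:\eon\zabbix\zabbix_ca_file
Server=YYYY
ServerActive=YYYY
"""

# Same agent with its own certificate and key added (what the agent
# requires today); the file names are placeholders.
MUTUAL_CONF = POSTED_CONF + r"""
TLSCertFile=D:\eon\zabbix\agent.crt
TLSKeyFile=D:\eon\zabbix\agent.key
"""

# The PSK alternative mentioned in the last comment; identity and file
# name are placeholders.
PSK_CONF = r"""
Hostname=XXXXXX
Server=YYYY
ServerActive=YYYY
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=agent-XXXXXX
TLSPSKFile=D:\eon\zabbix\agent.psk
"""


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("mutual", MUTUAL_CONF), ("psk", PSK_CONF)):
        conf = parse_agent_conf(text)
        print("%s: problems=%s holders=%s" % (label, tls_problems(conf), cert_holders(conf)))
```

Run it as-is and the "posted" sample reproduces the two missing parameters the Linux agent complains about, while "mutual" and "psk" pass; flipping the posted sample to TLSAccept=cert shows why the requested one-way mode still leaves the agent holding a certificate for passive checks.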
