[ZBXNEXT-6427] Support for strong encryption protocols for SNMPv3 Created: 2021 Jan 07  Updated: 2024 Jul 08  Resolved: 2021 Feb 14

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F), Proxy (P), Server (S)
Affects Version/s: 5.0.7, 5.2.3
Fix Version/s: 5.4.0alpha2, 5.4 (plan)

Type: New Feature Request Priority: Critical
Reporter: Edgars Melveris Assignee: Dmitrijs Goloscapovs
Resolution: Fixed Votes: 3
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: PNG File image-2021-02-10-13-22-15-941.png     PNG File mt_host_interface_select.png     PNG File mt_interface_edit.png     PNG File mt_interface_read_only.png     PNG File mt_test_item_popup_1.png     PNG File mt_test_item_popup_2.png    
Issue Links:
Causes
causes ZBX-19708 Compilation on FreeBSD with snmp libr... Closed
causes ZBX-20358 Not able to monitor Devices with SNMP... Closed
causes ZBX-24691 Test item : Unsupported privacy proto... Closed
Duplicate
duplicates ZBX-19013 SNMPv3 Poller Strong Crypto SUpport Closed
is duplicated by ZBXNEXT-7721 Add support for strong encryption in ... Closed
Sub-task
part of ZBXNEXT-5718 Add support of AES192/256 privacy pro... Closed
Sub-Tasks:
Key
 Summary
 Type
 Status
 Assignee
ZBXNEXT-6458 Frontend changes to support for stron... Specification change (Sub-task) Closed Mārtiņš Tālbergs  
Team: Team A
Sprint: Sprint 72 (Jan 2021), Sprint 73 (Feb 2021)
Story Points: 2

 Description   

It's not possible to use strong encryption algorithms like SHA256 for SNMPv3 monitoring, although the underlying net-snmp package supports those from version 5.8 at least.
Currently only "usmHMACSHA1AuthProtocol" is used.
It's probably best to introduce all encryption and authentication options supported by net-snmp package, but some of these are only available since version 5.8 of net-snmp.

 Comments   
Comment by Oleksii Zagorskyi [ 2021 Jan 07 ]

Highly related to ZBXNEXT-5718 (asks for AES192/256)

Comment by Michael Veksler [ 2021 Feb 09 ]

One solution to enable strong authentication in net-snmp library:

  • Recompilation net-snmp libary with support strong encryption protocols (tested with Ubuntu 16.04) 
    ./configure -q --prefix=$(pwd)/dist --enable-blumenthal-aes --disable-maintainer-mode --disable-dependency-tracking --enable-ucd-snmp-compatibility --enable-ipv6 --with-libwrap --with-openssl --without-dmalloc --without-efence --without-rsaref
make -s install
  • compilation zabbix server with new net-snmp library 
    ./configure -q --with-mysql --with-net-snmp=../../../net-snmp-5.8/dist/bin/net-snmp-config --with-openipmi --with-libcurl --with-libxml2 --with-unixodbc --enable-server --enable-proxy --enable-agent --enable-ipv6 --with-openssl --prefix=$(pwd)/dist
make -s install

     
    As a result, we will get zabbix server with statically linked net-snmp library.

If with-net-snmp has no  argument, then zabbix server will dynamically linked  with net-snmp library.

Comment by Dmitrijs Goloscapovs [ 2021 Feb 11 ]

Available in versions:

Generated at Sat Jun 21 07:13:35 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.