This section demonstrates how to build Zabbix Windows agent binaries from sources with or without TLS.
The following steps will help you to compile OpenSSL from sources on MS Windows 10 (64-bit).
e:\openssl-1.1.1> nasm --version NASM version 2.13.01 compiled on May 1 2017
e:\openssl-1.1.1> perl E:\openssl-1.1.1\Configure VC-WIN64A no-shared no-capieng no-srp no-gost no-dgram no-dtls1-method no-dtls1_2-method --api=1.1.0 --prefix=C:\OpenSSL-Win64-111-static --openssldir=C:\OpenSSL-Win64-111-static
Make sure to revoke write access from non-administrator users to the OpenSSL install directory (C:\OpenSSL-Win64-111-static
). Otherwise, Zabbix agent will load SSL settings from a path that can be modified by unprivileged users, resulting in a potential security vulnerability.
- Note the option 'no-shared': if 'no-shared' is used then the
OpenSSL static libraries libcrypto.lib and libssl.lib will be
'self-sufficient' and resulting Zabbix binaries will include
OpenSSL in themselves, no need for external OpenSSL DLLs.
Advantage: Zabbix binaries can be copied to other Windows
machines without OpenSSL libraries. Disadvantage: when a new
OpenSSL bugfix version is released, Zabbix agent needs to
recompiled and reinstalled.
- If 'no-shared' is not used, then the static libraries
libcrypto.lib and libssl.lib will be using OpenSSL DLLs at
runtime. Advantage: when a new OpenSSL bugfix version is
released, probably you can upgrade only OpenSSL DLLs, without
recompiling Zabbix agent. Disadvantage: copying Zabbix agent to
another machine requires copying OpenSSL DLLs, too.
e:\openssl-1.1.1> nmake e:\openssl-1.1.1> nmake test ... All tests successful. Files=152, Tests=1152, 501 wallclock secs ( 0.67 usr + 0.61 sys = 1.28 CPU) Result: PASS e:\openssl-1.1.1> nmake install_sw
'install_sw' installs only software components (i.e. libraries, header files, but no documentation). If you want everything, use "nmake install".E:\pcre2-10.39\build> nmake install
The following steps will help you to compile Zabbix from sources on MS Windows 10 (64-bit). When compiling Zabbix with/without TLS support the only significant difference is in step 4.
$ git clone https://git.zabbix.com/scm/zbx/zabbix.git $ cd zabbix $ ./bootstrap.sh $ ./configure --enable-agent --enable-ipv6 --prefix=`pwd` $ make dbschema $ make dist
E:\zabbix-4.4.0\build\win32\project> nmake /K PCREINCDIR=E:\pcre2-10.39-install\include PCRELIBDIR=E:\pcre2-10.39-install\lib
E:\zabbix-4.4.0\build\win32\project> nmake /K -f Makefile_get TLS=openssl TLSINCDIR=C:\OpenSSL-Win64-111-static\include TLSLIBDIR=C:\OpenSSL-Win64-111-static\lib PCREINCDIR=E:\pcre2-10.39-install\include PCRELIBDIR=E:\pcre2-10.39-install\lib E:\zabbix-4.4.0\build\win32\project> nmake /K -f Makefile_sender TLS=openssl TLSINCDIR="C:\OpenSSL-Win64-111-static\include TLSLIBDIR="C:\OpenSSL-Win64-111-static\lib" PCREINCDIR=E:\pcre2-10.39-install\include PCRELIBDIR=E:\pcre2-10.39-install\lib E:\zabbix-4.4.0\build\win32\project> nmake /K -f Makefile_agent TLS=openssl TLSINCDIR=C:\OpenSSL-Win64-111-static\include TLSLIBDIR=C:\OpenSSL-Win64-111-static\lib PCREINCDIR=E:\pcre2-10.39-install\include PCRELIBDIR=E:\pcre2-10.39-install\lib
The process is similar to compiling with OpenSSL, but you need to make small changes in files located in the build\win32\project
directory:
/DHAVE_OPENSSL_WITH_PSK
, i.e. find:CFLAGS = $(CFLAGS) /DHAVE_OPENSSL /DHAVE_OPENSSL_WITH_PSK
and replace it with
CFLAGS = $(CFLAGS) /DHAVE_OPENSSL
/NODEFAULTLIB:LIBCMT
i.e. find:/MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DYNAMICBASE:NO /PDB:$(TARGETDIR)\$(TARGETNAME).pdb
and replace it with
/MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DYNAMICBASE:NO /PDB:$(TARGETDIR)\$(TARGETNAME).pdb /NODEFAULTLIB:LIBCMT