Sidebar

Zabbix Summit 2022
Register for Zabbix Summit 2022

1 连接类型或权限问题

Server配置为使用 PSK 连接到agent,但agent仅接受未加密的连接

在server或proxy日志中有如下显示 (对于 GnuTLS 3.3.16)

Get value from agent failed: zbx_tls_connect(): gnutls_handshake() failed: \
           -110 The TLS connection was non-properly terminated.

在server或proxy日志中有如下显示 (对于 OpenSSL 1.0.2c)

Get value from agent failed: TCP connection successful, cannot establish TLS to [[127.0.0.1]:10050]: \
           Connection closed by peer. Check allowed connection types and access rights

一端使用证书连接,但另一端仅接受 PSK,反之亦然

在任意日志当中有如下显示 (对于 GnuTLS):

failed to accept an incoming connection: from 127.0.0.1: zbx_tls_accept(): gnutls_handshake() failed:\
           -21 Could not negotiate a supported cipher suite.

在任意日志当中有如下显示 (对于 OpenSSL 1.0.2c):

failed to accept an incoming connection: from 127.0.0.1: TLS handshake returned error code 1:\
           file .\ssl\s3_srvr.c line 1411: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:\
           TLS write fatal alert "handshake failure"

尝试使用使用 TLS 支持编译的 Zabbix sender将数据发送到在没有 TLS 的情况下编译的 Zabbix Server/proxy

在发起连接方的日志中有如下显示:

Linux:

...In zbx_tls_init_child()
       ...OpenSSL library (version OpenSSL 1.1.1  11 Sep 2018) initialized
       ...
       ...In zbx_tls_connect(): psk_identity:"PSK test sender"
       ...End of zbx_tls_connect():FAIL error:'connection closed by peer'
       ...send value error: TCP successful, cannot establish TLS to [[localhost]:10051]: connection closed by peer

Windows:

...OpenSSL library (version OpenSSL 1.1.1a  20 Nov 2018) initialized
       ...
       ...In zbx_tls_connect(): psk_identity:"PSK test sender"
       ...zbx_psk_client_cb() requested PSK identity "PSK test sender"
       ...End of zbx_tls_connect():FAIL error:'SSL_connect() I/O error: [0x00000000] The operation completed successfully.'
       ...send value error: TCP successful, cannot establish TLS to [[192.168.1.2]:10051]: SSL_connect() I/O error: [0x00000000] The operation completed successfully.
在接受连接端的日志中有如下显示:
...failed to accept an incoming connection: from 127.0.0.1: support for TLS was not compiled in

一端使用 PSK 连接,但另一端使用 LibreSSL 或已编译为无加密支持

LibreSSL 不支持 PSK。

在发起连接端的日志中有如下显示:

...TCP successful, cannot establish TLS to [[192.168.1.2]:10050]: SSL_connect() I/O error: [0] Success

在接受连接端的日志中:

...failed to accept an incoming connection: from 192.168.1.2: support for PSK was not compiled in

在Zabbix前端有如下显示:

Get value from agent failed: TCP successful, cannot establish TLS to [[192.168.1.2]:10050]: SSL_connect() I/O error: [0] Success

一端使用 PSK 连接,但另一端使用禁用 PSK 支持的 OpenSSL

在发起连接端的日志中有如下显示:

...TCP successful, cannot establish TLS to [[192.168.1.2]:10050]: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/record/rec_layer_s3.c line 1536: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure: SSL alert number 40: TLS read fatal alert "handshake failure"

在接受连接端的日志中有如下显示:

...failed to accept an incoming connection: from 192.168.1.2: TLS handshake set result code to 1: file ssl/statem/statem_srvr.c line 1422: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher: TLS write fatal alert "handshake failure"