Hey Everyone,
I was testing PSK on one host for incoming connections - I was testing it with zabbix_sender and it worked out - great! So I tried to do encryption with certificates - also worked out.
Nice.
Switched host back to accept PSK, and ran the same command... bum - not working:
sudo zabbix_sender -z 127.0.0.1 -s SERVERNAME -k fridge.beers -o 1 --tls-connect psk --tls-psk-identity secret --tls-psk-file zabbix_SERVERNAME_psk -vv
zabbix_sender [3833]: DEBUG: In zbx_tls_init_child()
zabbix_sender [3833]: DEBUG: OpenSSL library (version OpenSSL 1.1.1 11 Sep 2018) initialized
zabbix_sender [3833]: DEBUG: zbx_tls_init_child() loaded PSK identity "secret"
zabbix_sender [3833]: DEBUG: zbx_tls_init_child() loaded PSK from file "zabbix_SERVERNAME_psk"
zabbix_sender [3833]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender [3833]: DEBUG: End of zbx_tls_init_child()
zabbix_sender [3834]: DEBUG: In zbx_tls_connect(): psk_identity:"secret"
zabbix_sender [3834]: DEBUG: zbx_psk_client_cb() requested PSK identity "secret"
zabbix_sender [3834]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_AES_256_GCM_SHA384)
zabbix_sender [3834]: Warning: SSL_shutdown() with 127.0.0.1 set result code to 1: file ../ssl/ssl_lib.c line 2072: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
zabbix_sender [3834]: DEBUG: send value error: TLS read set result code to 1: file ../ssl/record/rec_layer_s3.c line 1528: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required: SSL alert number 116: TLS read fatal alert "unknown"
Sending failed.
So after that I've removed entries from zabbix_server.conf regarding TLS:
#TLSCAFile=/etc/zabbix/zabbix_server_certs/zabbix_ca.crt
#TLSCertFile=/etc/zabbix/zabbix_server_certs/zabbix_server.crt
#TLSKeyFile=/etc/zabbix/zabbix_server_certs/zabbix_server.key
And it started to work again with PSK. So my question is - is it normal that after adding these entries PSK will not work anymore?
Cheers,
J