Agent auto-registration and TLS encryption - possible?
  • guzzijason
    Senior Member
    • Dec 2015
    • 106

    #1

    Agent auto-registration and TLS encryption - possible?

    Does anyone know if 3.0.x agents that are doing auto-registration to the server can also use TLS? Or do you need to enable encryption only after the auto-registration is complete? So far, I've not found any info on this scenario.

    Thanks,

    __Jason
  • andris
    Zabbix developer
    • Feb 2012
    • 228

    #2
    In 3.0 auto-registration is only plain-text, it does not go together with TLS.
    This is by design - do not trust an unknown host which comes even with a valid certificate or PSK key.
    Instead you configure encryption in frontend precisely for that particular host: what type of encryption must be used by server when connecting to that host, what type of encryption must be accepted when this host connects to server, what certificate Issuer and Subject is approved for the host's certificate or what PSK identity is approved for this host.
    All these things are checked by server (or proxy) when it connects to a host or accepts a connection from a host.

    Andris

    • guzzijason
      Senior Member
      • Dec 2015
      • 106

      #3
      That was my assumption; thank you for confirming, Andris.

      __Jason

      • puchrojo
        Junior Member
        • Aug 2013
        • 4

        #4
        I don't understand why it is better to trust a host that doesn't have any certificate than one that has one. I think it will be better to have the same PSK for all the hosts that have no PSK/cert at all. So I think it should be the admin that decides it. So I wish that you could define the PSK with the autoregistration rule.

        Regards,
        Isaac

        Originally posted by andris
        In 3.0 auto-registration is only plain-text, it does not go together with TLS.
        This is by design - do not trust an unknown host which comes even with a valid certificate or PSK key.
        Instead you configure encryption in frontend precisely for that particular host: what type of encryption must be used by server when connecting to that host, what type of encryption must be accepted when this host connects to server, what certificate Issuer and Subject is approved for the host's certificate or what PSK identity is approved for this host.
        All these things are checked by server (or proxy) when it connects to a host or accepts a connection from a host.

        Andris

        • andris
          Zabbix developer
          • Feb 2012
          • 228

          #5
          Originally posted by puchrojo
          I don't understand why it is better to trust a host that doesn't have any certificate than one that has one. I think it will be better to have the same PSK for all the hosts that have no PSK/cert at all. So I think it should be the admin that decides it. So I wish that you could define the PSK with the autoregistration rule.

          Regards,
          Isaac
          Hi, Isaac !

          You can register it as a new feature request. I agree that "admin should decide".

          Andris

          • puchrojo
            Junior Member
            • Aug 2013
            • 4

            #6
            feature request reported

            Hi Andris,
            Thanks for the answer, this is the reported feature request:


            Regards,
            Isaac

            • andris
              Zabbix developer
              • Feb 2012
              • 228

              #7
              Thanks, Isaac !

              One well-known community member already voted for it

              Andris

              • jlakomiec
                Junior Member
                • Aug 2017
                • 1

                #8
                I've been looking for exactly the same answer and eventually decided to enable TLS-PSK encryption by automating the whole process using Zabbix API and a self-written Python script. Step by step process how to do that is available here: http://www.zabbixbook.com/2017/08/01...sk-encryption/

                • ZaBeast
                  Member
                  • Sep 2019
                  • 42

                  #9
                  Little update! Since version 4.4, Zabbix supports auto-registration and TLS encryption. If anyone is interested, I have written detailed instructions for configuring auto-registration with encryption for Windows and Linux servers.

                  • yurtesen
                    Senior Member
                    • Aug 2008
                    • 130

                    #10
                    ZaBeast why do you use `unencrypted` at all in `TLSConnect` and `TLSAccept` ?

                    Does this mean if a host is using `psk`, it can't use `cert` for encryption? Because we set
                    TLSConnect=psk
                    TLSAccept=psk
                    for authentication?
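
An added example, not written by anyone in this thread: a Python check that reads agent configuration text and flags the `TLSConnect` / `TLSAccept` choices discussed above (plain-text fallback, a mode enabled without its key material, a certificate mode without a pinned server issuer and subject). The sample configurations, PSK identity, host names and file paths are constructed; the parameter names beyond `TLSConnect` and `TLSAccept` are the standard `zabbix_agentd.conf` TLS parameters.

```python
ALLOWED = {"unencrypted", "psk", "cert"}
REQUIRED = {  # parameters each mode needs in zabbix_agentd.conf
    "psk": ("TLSPSKIdentity", "TLSPSKFile"),
    "cert": ("TLSCAFile", "TLSCertFile", "TLSKeyFile"),
}

def parse_conf(text):
    """Return {parameter: value}, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            conf[key.strip()] = value.strip()
    return conf

def audit_tls(text):
    """Return findings for the agent's TLSConnect/TLSAccept settings."""
    conf = parse_conf(text)
    connect = conf.get("TLSConnect", "unencrypted")  # unset means plain text
    accept = [m.strip() for m in conf.get("TLSAccept", "unencrypted").split(",")]
    modes = set(accept) | {connect}  # TLSConnect holds one mode, TLSAccept a list
    findings = [f"unknown mode {m!r}" for m in sorted(modes - ALLOWED)]
    if connect == "unencrypted":
        findings.append("TLSConnect=unencrypted: agent connects in plain text")
    if "unencrypted" in accept:
        findings.append("TLSAccept allows unencrypted incoming connections")
    for mode, params in REQUIRED.items():
        for param in params:
            if mode in modes and not conf.get(param):
                findings.append(f"{mode} enabled but {param} is not set")
    pinned = conf.get("TLSServerCertIssuer") and conf.get("TLSServerCertSubject")
    if "cert" in modes and not pinned:
        findings.append("cert enabled but server issuer/subject not pinned")
    return findings

# Constructed sample configurations (not taken from the thread).
MIXED = "TLSConnect=psk\nTLSAccept=unencrypted,psk\nTLSPSKIdentity=example-agent-01\n"
PSK_AND_CERT = "\n".join([
    "TLSConnect=psk", "TLSAccept=psk,cert",
    "TLSPSKIdentity=example-agent-01", "TLSPSKFile=/etc/zabbix/agent.psk",
    "TLSCAFile=/etc/zabbix/ca.crt", "TLSCertFile=/etc/zabbix/agent.crt",
    "TLSKeyFile=/etc/zabbix/agent.key",
    "TLSServerCertIssuer=CN=Example CA",
    "TLSServerCertSubject=CN=zabbix.example.org",
])

if __name__ == "__main__":
    for name, sample in (("MIXED", MIXED), ("PSK_AND_CERT", PSK_AND_CERT)):
        print(name, audit_tls(sample))
```

`TLSAccept` is a comma-separated list, so the second sample accepts both `psk` and `cert` connections and passes cleanly; `TLSConnect` holds a single mode, which is why a value such as `psk,cert` there is reported as unknown.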
