Agent active TLS connections

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • SIS
    Junior Member
    • Jan 2017
    • 4

    #1

    Hi all,

    I'm trying to set up agents with TLS certificate encryption. The agents will be active-mode only. They should reach out to the configured server, get presented with the SSL certificate, verify that it is trusted, and if so establish a secure connection. However, trying to configure the agents to do this gives me some errors.

    The relevant configuration looks like this:
    Code:
    TLSConnect=cert
    # TLSAccept=unencrypted
    TLSCAFile=/etc/zabbix/root.crt
    All other TLS parameters are commented out. The result is:
    Code:
    ERROR: parameter "TLSCAFile" is defined, but "TLSCertFile" is not defined
    It's not reasonable or scalable to issue a client SSL cert for every agent; it seems like I can't configure active TLS (only care about the server cert) without setting up client certs as well. Can someone clarify?

    I've tried different combinations of TLSCertFile, TLSServerCertSubject, TLSServerCertIssuer, and TLSCAFile; the errors always imply that I MUST configure a client certificate. The potential security issue here is that the Agent will trust any server regardless of the SSL certificate presented. Very easy to poison DNS and perform a MITM attack to intercept agent communication, potentially allowing remote command execution (e.g. if EnableRemoteCommands=1).
  • SIS
    Junior Member
    • Jan 2017
    • 4

    #2
    Bump........


    • SIS
      Junior Member
      • Jan 2017
      • 4

      #3
      Bump.......


      • andris
        Zabbix developer
        • Feb 2012
        • 228

        #4
        Originally posted by SIS
        It's not reasonable or scalable to issue a client SSL cert for every agent; it seems like I can't configure active TLS (only care about the server cert) without setting up client certs as well. Can someone clarify?
        Yes, even an active-only agent should have its own certificate - to allow the Zabbix server to verify that the agent can be trusted.

        Originally posted by SIS
        The potential security issue here is that the Agent will trust any server regardless of the SSL certificate presented. Very easy to poison DNS and perform a MITM attack to intercept agent communication, potentially allowing remote command execution (e.g. if EnableRemoteCommands=1).
        The TLSServerCertIssuer and TLSServerCertSubject parameters in the zabbix_agentd.conf file are provided to restrict which server certificate is allowed.

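A small linter, added here as an example and not Zabbix's own code, that applies the two points from posts #1 and #4 to a zabbix_agentd.conf fragment: with TLSConnect=cert the agent also needs its own TLSCertFile and TLSKeyFile (the error SIS hit), and without TLSServerCertIssuer or TLSServerCertSubject any server certificate signed by the CA is accepted. The rule set, the agent.crt/agent.key paths and the DN values are assumptions, not the agent's exact validation logic.

```python
"""Lint a zabbix_agentd.conf fragment for the TLS pitfalls raised in this thread."""

def parse_conf(text):
    """Parse Zabbix-style KEY=VALUE lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def lint_tls(conf):
    """Return findings for a cert-based active agent; the rules are this example's own."""
    findings = []
    if conf.get("TLSConnect") != "cert":
        return findings  # nothing to check for PSK or unencrypted connections
    # The agent must present its own certificate and key (post #4).
    if "TLSCAFile" in conf:
        for needed in ("TLSCertFile", "TLSKeyFile"):
            if needed not in conf:
                findings.append(f'ERROR: parameter "TLSCAFile" is defined, '
                                f'but "{needed}" is not defined')
    # Without a subject/issuer restriction every certificate the CA signed
    # passes as "the server" (the MITM concern in post #1).
    if "TLSServerCertIssuer" not in conf and "TLSServerCertSubject" not in conf:
        findings.append("WARNING: TLSServerCertIssuer/TLSServerCertSubject not set; "
                        "any server certificate signed by the CA is trusted")
    return findings

# Constructed sample: the fragment from post #1, which the agent rejects.
WEAK_CONF = """
TLSConnect=cert
# TLSAccept=unencrypted
TLSCAFile=/etc/zabbix/root.crt
"""

# Constructed sample: agent.crt/agent.key paths and the DN values are
# assumptions; real DNs must match the server certificate exactly.
HARDENED_CONF = """
TLSConnect=cert
TLSCAFile=/etc/zabbix/root.crt
TLSCertFile=/etc/zabbix/agent.crt
TLSKeyFile=/etc/zabbix/agent.key
TLSServerCertIssuer=CN=Example Signing CA,O=Example Org
TLSServerCertSubject=CN=zabbix.example.internal,O=Example Org
"""
```

Running lint_tls(parse_conf(WEAK_CONF)) reproduces the TLSCertFile error from post #1 plus the unrestricted-server warning, while the hardened fragment yields no findings.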

        • SIS
          Junior Member
          • Jan 2017
          • 4

          #5
          Originally posted by andris
          Yes, even an active-only agent should have its own certificate - to allow the Zabbix server to verify that the agent can be trusted.
          In that case it should be a client certificate, not a server certificate.
