Hi,
as we want to test cert-based authentication, I simply added
TLSCAFile=/etc/zabbix/zabbix_ca_file
TLSCertFile=/etc/zabbix/zabbix_server.crt
TLSKeyFile=/etc/zabbix/zabbix_server.key
to the server config and restarted the server.
Additionally I set for a SINGLE host in the Zabbix dashboard,
Connections from host
[x] PSK
[x] Certificate
We only have active checks.
After adjusting the host's configuration to also use cert, everything is fine and the first host sends data.
NOW, there is another Ubuntu 18 machine that did not have Certificate checked in the dashboard, nor has the agent config been touched so far, but right after we adjusted the above server config, the client does not send data anymore and just logs:
Code:
4411:20200701:142814.601 SSL_shutdown() with OUR.ZABBIX.SERVER.HOST set result code to 1: file ../ssl/ssl_lib.c line 2072: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Server logs:
Code:
1952:20200701:143615.854 failed to accept an incoming connection: from HOSTS_IP_ADDRESS: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 3672: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate: TLS write fatal alert "unknown"
Client is Ubuntu 18.04.4 - latest patch level
Zabbix agent from official repo 4.0.22
Compiled with OpenSSL 1.1.0g 2 Nov 2017
Running with OpenSSL 1.1.1 11 Sep 2018
Server is latest 5.x version from official repo.
Client config is:
Code:
AllowRoot=0
BufferSend=5
BufferSize=100
DebugLevel=3
EnableRemoteCommands=1
HostnameItem=system.run["hostname -f"]
Include=/etc/zabbix/zabbix_agentd.d
ListenIP=127.0.0.1
ListenPort=10050
LoadModulePath=/usr/lib/modules
LogFileSize=0
LogFile=/var/log/zabbix/zabbix_agentd.log
LogRemoteCommands=1
LogType=file
MaxLinesPerSecond=100
PidFile=/var/run/zabbix/zabbix_agentd.pid
RefreshActiveChecks=120
Server=127.0.0.1
ServerActive=OUR.ZABBIX.SERVER:993
StartAgents=3
Timeout=3
TLSAccept=psk
TLSConnect=psk
TLSPSKFile=/etc/zabbix/key.psk
TLSPSKIdentity=Key1
UnsafeUserParameters=0
User=zabbix
If I remove
Code:
TLSCAFile=/etc/zabbix/zabbix_ca_file
TLSCertFile=/etc/zabbix/zabbix_server.crt
TLSKeyFile=/etc/zabbix/zabbix_server.key
from the server config, the client sends data again.
It looks like the client is talking to the server and wants to use PSK, but they negotiate something that does not make any sense during the TLS handshake and end up in trouble.
Tcpdump attached. (Yes, server listens on port 993 for testing)

Any help is greatly appreciated.
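To check a psk/cert parameter mix like the one above before the handshake fails, here is a small Python consistency checker (an added example, not code from this post or from Zabbix itself): it parses Key=Value agent settings (the post's TLS settings, retyped one key per line, are the constructed sample) and reports which required TLS parameter is missing and whether the agent's TLSConnect mode is among the modes ticked for the host; the host_accepts parameter and the sample configs are assumptions.

```python
import re

# TLS parameters each connection mode needs (real Zabbix agent parameter names).
REQUIRED = {
    "unencrypted": (),
    "psk": ("TLSPSKIdentity", "TLSPSKFile"),
    "cert": ("TLSCAFile", "TLSCertFile", "TLSKeyFile"),
}

# Constructed sample: the TLS-relevant part of the agent config from the post.
AGENT_CONF = """
HostnameItem=system.run["hostname -f"]
TLSAccept=psk
TLSConnect=psk
TLSPSKFile=/etc/zabbix/key.psk
TLSPSKIdentity=Key1
"""

# Constructed sample: a cert-mode agent whose TLSKeyFile parameter is missing.
BROKEN_CONF = ("TLSConnect=cert\nTLSAccept=psk,cert\nTLSCAFile=/etc/zabbix/ca\n"
               "TLSCertFile=/etc/zabbix/agent.crt\nTLSPSKIdentity=Key1\nTLSPSKFile=/etc/zabbix/key.psk\n")

def parse_config(text):
    """Parse Key=Value settings; skips comment lines, keeps bracketed values whole."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for key, value in re.findall(r'(\w+)=((?:\[[^\]]*\]|\S)+)', line):
            cfg[key] = value
    return cfg

def check_tls(cfg, host_accepts=("unencrypted",)):
    """Return problems found (empty = consistent); host_accepts = modes ticked for the host (assumption)."""
    problems, modes = [], set()
    for key in ("TLSConnect", "TLSAccept"):
        for mode in cfg.get(key, "unencrypted").split(","):
            mode = mode.strip()
            if mode not in REQUIRED:
                problems.append(f"{key}: unknown mode '{mode}'")
            else:
                modes.add(mode)
    for mode in sorted(modes):
        for param in REQUIRED[mode]:
            if param not in cfg:
                problems.append(f"{mode} mode needs {param}")
    connect = cfg.get("TLSConnect", "unencrypted")
    if connect not in host_accepts:
        problems.append(f"host entry does not accept {connect} connections")
    return problems
```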