setting TLSCAfile/Cert/Key on server, breaks Ubuntu18 PSK-support with TLS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    setting TLSCAfile/Cert/Key on server, breaks Ubuntu18 PSK-support with TLS

    Hi,

    As we want to test cert-based authentication, I simply added

    TLSCAFile=/etc/zabbix/zabbix_ca_file
    TLSCertFile=/etc/zabbix/zabbix_server.crt
    TLSKeyFile=/etc/zabbix/zabbix_server.key

    to the server config and restarted the server.

    Additionally, I set for a SINGLE host in the Zabbix dashboard,
    Connections from host:

    [x] PSK
    [x] Certificate

    We only have active checks.

    After adjusting the hosts configuration to also use cert, everything is fine and the first host sends data.

    NOW, there is another Ubuntu 18 machine that did not have Certificate checked in the dashboard, nor has the agent config been touched so far, but right after we adjusted the above server config, the client does not send data anymore and just logs:

    Code:
    4411:20200701:142814.601 SSL_shutdown() with OUR.ZABBIX.SERVER.HOST set result code to 1: file ../ssl/ssl_lib.c line 2072: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
    Server logs:
    Code:
    1952:20200701:143615.854 failed to accept an incoming connection: from HOSTS_IP_ADDRESS: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 3672: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate: TLS write fatal alert "unknown"
    Client is Ubuntu 18.04.4 - latest patch level
    Zabbix agent from official repo 4.0.22
    Compiled with OpenSSL 1.1.0g 2 Nov 2017
    Running with OpenSSL 1.1.1 11 Sep 2018

    Server is latest 5.x version from official repo.


    Client config is:
    Code:
    AllowRoot=0
    BufferSend=5
    BufferSize=100
    DebugLevel=3
    EnableRemoteCommands=1
    HostnameItem=system.run["hostname -f"]
    Include=/etc/zabbix/zabbix_agentd.d
    ListenIP=127.0.0.1
    ListenPort=10050
    LoadModulePath=/usr/lib/modules
    LogFileSize=0
    LogFile=/var/log/zabbix/zabbix_agentd.log
    LogRemoteCommands=1
    LogType=file
    MaxLinesPerSecond=100
    PidFile=/var/run/zabbix/zabbix_agentd.pid
    RefreshActiveChecks=120
    Server=127.0.0.1
    ServerActive=OUR.ZABBIX.SERVER:993
    StartAgents=3
    Timeout=3
    TLSAccept=psk
    TLSConnect=psk
    TLSPSKFile=/etc/zabbix/key.psk
    TLSPSKIdentity=Key1
    UnsafeUserParameters=0
    User=zabbix

    If I remove (...) from the server config, the client sends data again:

    Code:
    TLSCAFile=/etc/zabbix/zabbix_ca_file
    TLSCertFile=/etc/zabbix/zabbix_server.crt
    TLSKeyFile=/etc/zabbix/zabbix_server.key

    It looks like the client is talking to the server and wants to use PSK, but they negotiate something that does not make any sense during the TLS handshake and end up in trouble.

    Tcpdump attached. (Yes, the server listens on port 993 for testing.)

    [Screenshot attached: Bildschirmfoto vom 2020-07-01 14-49-07.png]

    Any help is greatly appreciated.
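As an added example (not code from the original post or from Zabbix), the following Python checker reads the TLS-related lines of a zabbix_agentd.conf and reports the configuration mismatches worth ruling out before digging into the handshake itself: a TLSConnect or TLSAccept mode whose PSK or certificate files are not set, a connect mode that the host entry under "Connections from host" does not accept, and a PSK file body that is not a hex string in the 128..2048-bit range Zabbix requires. The sample config lines, the host_accepts sets and all function names are constructed for this illustration.

```python
import re

# Constructed sample: the TLS-relevant lines of the agent config quoted in the post
# (the remaining settings are not needed for this check).
SAMPLE_AGENT_CONF = """
ServerActive=OUR.ZABBIX.SERVER:993
TLSAccept=psk
TLSConnect=psk
TLSPSKFile=/etc/zabbix/key.psk
TLSPSKIdentity=Key1
"""

# Constructed sample of a misconfigured agent: certificate mode selected, no files named.
SAMPLE_BAD_AGENT_CONF = """
TLSConnect=cert
TLSAccept=cert
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Settings each TLS mode needs on the agent side.
REQUIRED = {
    "unencrypted": (),
    "psk": ("TLSPSKFile", "TLSPSKIdentity"),
    "cert": ("TLSCAFile", "TLSCertFile", "TLSKeyFile"),
}


def parse_config(text):
    """Parse Zabbix-style key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _modes(value):
    """TLSAccept may list several comma-separated modes; TLSConnect names exactly one."""
    return [m.strip().lower() for m in value.split(",") if m.strip()]


def check_agent_tls(conf, host_accepts):
    """Return a list of findings (empty when the agent config is consistent).

    host_accepts is the set of modes ticked under 'Connections from host' for this
    host in the frontend, e.g. {'psk'} or {'psk', 'cert'} (a constructed input).
    """
    findings = []
    for setting in ("TLSConnect", "TLSAccept"):
        for mode in _modes(conf.get(setting, "unencrypted")):
            needed = REQUIRED.get(mode)
            if needed is None:
                findings.append(f"{setting}: unknown mode {mode!r}")
                continue
            for key in needed:
                if not conf.get(key):
                    findings.append(f"{setting}={mode} requires {key}, which is not set")
    # Active checks go agent -> server, so TLSConnect must be a mode the host entry accepts.
    for mode in _modes(conf.get("TLSConnect", "unencrypted")):
        if mode in REQUIRED and mode not in host_accepts:
            findings.append(
                f"TLSConnect={mode} but the host entry accepts only {sorted(host_accepts)}"
            )
    return findings


def check_psk_value(psk_hex):
    """Validate a PSK file body: a hex string of 32..512 digits (128..2048 bit).

    Returns None when the value is acceptable, otherwise a short description.
    """
    psk = psk_hex.strip()
    if not HEX_RE.match(psk):
        return "PSK is not a hexadecimal string"
    if len(psk) < 32:
        return f"PSK is {len(psk) * 4} bits, below the 128-bit minimum"
    if len(psk) > 512:
        return f"PSK is {len(psk) * 4} bits, above the 2048-bit maximum"
    return None


if __name__ == "__main__":
    good = check_agent_tls(parse_config(SAMPLE_AGENT_CONF), {"psk"})
    print("PSK-only agent vs PSK-only host:", good or "consistent")
    for finding in check_agent_tls(parse_config(SAMPLE_BAD_AGENT_CONF), {"cert"}):
        print("finding:", finding)
    print("32-digit PSK:", check_psk_value("ab" * 16))
```

Run against the PSK-only agent config from the post with a host entry that accepts only PSK, the checker reports nothing, which narrows the problem to the server side rather than the agent file; the misconfigured sample produces one finding per missing file for both the connect and the accept direction.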

    #2
    Further observations:

    The issue is with all Ubuntu 18 systems we have. The client offers during the TLS handshake:

    [Screenshot attached: Bildschirmfoto vom 2020-07-02 10-06-06.png]


      #3
      Same issue with latest 5.X client.
