Hello to All,
I have an issue with setting up PSK-based encryption between two Ubuntu 22.04 servers with openssl 3.0.2.
The error is:
Versions of zabbix server and zabbix agent are:
Openssl version on both machines is:
When I execute command from zabbix server to another Ubuntu 22.04:
This is what I get:
However if I execute the same command to server with older Ubuntu version (20.04,18.04,16.04), I'm getting this:
I tried to added this to zabbix-server config but it did not changed anything:
Does anyone knows what might be the issue here?
Thank You in advance
I have an issue with setting up PSK-based encryption between two Ubuntu 22.04 servers with openssl 3.0.2.
The error is:
2198:20220630:083740.155 failed to accept an incoming connection: from 10.100.10.103: TLS handshake set result code to 1: file ../ssl/t1_lib.c line 3220 func tls_choose_sigalg: error:0A000076:SSL routines::no suitable signature algorithm: TLS write fatal alert "handshake failure"
2197:20220630:083740.155 failed to accept an incoming connection: from 10.100.10.103: unencrypted connections are not allowed
2197:20220630:083740.155 failed to accept an incoming connection: from 10.100.10.103: unencrypted connections are not allowed
zabbix_agentd (daemon) (Zabbix) 6.0.6
Revision 3f7597e3ea3 27 June 2022, compilation time: Jun 27 2022 08:04:13
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 3.0.2 15 Mar 2022
Running with OpenSSL 3.0.2 15 Mar 2022
Revision 3f7597e3ea3 27 June 2022, compilation time: Jun 27 2022 08:04:13
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 3.0.2 15 Mar 2022
Running with OpenSSL 3.0.2 15 Mar 2022
zabbix_server (Zabbix) 6.0.6
Revision 3f7597e3ea3 27 June 2022, compilation time: Jun 27 2022 08:04:13
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 3.0.2 15 Mar 2022
Running with OpenSSL 3.0.2 15 Mar 2022
Revision 3f7597e3ea3 27 June 2022, compilation time: Jun 27 2022 08:04:13
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 3.0.2 15 Mar 2022
Running with OpenSSL 3.0.2 15 Mar 2022
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
openssl s_client -connect some.server.com:10050 -psk_identity 'zabbix-example' -psk '<PSK-String>'
CONNECTED(00000003)
801BD3BD757F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 443 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
801BD3BD757F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 443 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 351 bytes and written 965 bytes
Verification: OK
---
Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_CHACHA20_POLY1305_SHA256
Session-ID: C9198F1534C9E0696212AF5934164BAE7092033DE61816FB8 E5DC0CA0ADFEC2
Session-ID-ctx:
Resumption PSK: C9252DC6A9873D0679EFA8C27F58A5AF63C4E40986ED941B 33766FE3F7CF6
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 304 (seconds)
TLS session ticket:
0000 - c3 74 0b 84 14 9d e6 12-53 0a 37 73 e9 8b 8e 0a .t......S.7s....
0010 - e2 b4 3b 66 81 e9 93 ff-3c 7e 21 80 ec 27 cb 51 ..;f....<~!..'.Q
Start Time: 1656571936
Timeout : 304 (sec)
Verify return code: 1 (unspecified certificate verification error)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 351 bytes and written 965 bytes
Verification: OK
---
Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_CHACHA20_POLY1305_SHA256
Session-ID: C9198F1534C9E0696212AF5934164BAE7092033DE61816FB8 E5DC0CA0ADFEC2
Session-ID-ctx:
Resumption PSK: C9252DC6A9873D0679EFA8C27F58A5AF63C4E40986ED941B 33766FE3F7CF6
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 304 (seconds)
TLS session ticket:
0000 - c3 74 0b 84 14 9d e6 12-53 0a 37 73 e9 8b 8e 0a .t......S.7s....
0010 - e2 b4 3b 66 81 e9 93 ff-3c 7e 21 80 ec 27 cb 51 ..;f....<~!..'.Q
Start Time: 1656571936
Timeout : 304 (sec)
Verify return code: 1 (unspecified certificate verification error)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256:TLS_AE S_128_GCM_SHA256
Does anyone knows what might be the issue here?
Thank You in advance
Comment