Zabbix 3.0.3 with TLS support / CentOS 5.x

  • sorciq
    Junior Member
    • Aug 2012
    • 15

    #1

    Zabbix 3.0.3 with TLS support / CentOS 5.x

    Hi,

    Is it possible to get an RPM for CentOS 5.x with a zabbix-agent which supports TLS?
    Unfortunately, I have a lot of XenServer 6.5 hosts, which are based on CentOS 5.10, and I want to install the agent with TLS. The package from zabbix.com is built without TLS.

    I even tried to compile it by hand, but with the --enable-static option it is not possible.

    Regards,
    Simon
  • Atsushi
    Senior Member
    • Aug 2013
    • 2028

    #2
    If you want to use the encryption feature, the following conditions must be met.

    - mbed TLS (formerly PolarSSL) (version 1.3.9 and later 1.3.x). mbed TLS 2.x is not currently supported; it is not a drop-in replacement for the 1.3 branch, and Zabbix will not compile with mbed TLS 2.x.
    - GnuTLS (from version 3.1.18)
    - OpenSSL (from version 1.0.1)



    The default package versions for CentOS 5 are below.

    - GnuTLS 1.4.1
    - OpenSSL 0.9.8e

    Which library did you select?
    And please check the selected library's version.

    Comment

    • sorciq
      Junior Member
      • Aug 2012
      • 15

      #3
      Hi Atsushi,

      I tried to use GnuTLS and OpenSSL. I need to compile the agent with a static library, but with --enable-static the ./configure script could not find openssl or gnutls.

      I also tried: LDFLAGS="-L/path/libssl.a -L/path/libcrypto.a" but ./configure shows TLS: no

      It is odd.

      regards,
      Simon

      Comment

      • Atsushi
        Senior Member
        • Aug 2013
        • 2028

        #4
        What versions of the libraries are you using?
        The standard library versions for CentOS 5 are too old.
        A newer version of the library is required.

        If you installed a new version of the library, did you also specify the header file include path?

        Please check the logs from when you ran configure.

        Comment

        • sorciq
          Junior Member
          • Aug 2012
          • 15

          #5
          I compiled the newest version possible: OpenSSL 1.0.1t
          Yes, I also specified the include file.

          The reason why I have to compile with the static option is that I cannot use a new OpenSSL in XenServer.

          p.

          Comment

          • Atsushi
            Senior Member
            • Aug 2013
            • 2028

            #6
            I tried to build Zabbix 3.0.3 with OpenSSL 1.0.1t.

            Code:
            $ tar zxvf openssl-1.0.1t.tar.gz
            $ cd openssl-1.0.1t
            $ ./config
            $ make
            $ make test
            # make install

            OpenSSL has been installed in the directory /usr/local/ssl.

            Header files: /usr/local/ssl/include/
            Libraries: /usr/local/ssl/lib/

            Then run Zabbix's configure script.
            Specify the OpenSSL destination directory in the argument.

            Code:
            $ tar zxvf zabbix-3.0.3.tar.gz
            $ cd zabbix-3.0.3
            $ ./configure --enable-agent --with-openssl=/usr/local/ssl --enable-static

            However, an error occurs.

            Code:
            checking for OpenSSL support... no
            configure: error: OpenSSL library libssl or libcrypto not found

            This is a problem that occurs in the compile check in configure.
            It seems to occur when I try to do a static link.

            I deleted lines 10765 to 10794 of configure (Zabbix 3.0.3).

            Code:
            --- configure.orig      2016-05-18 22:08:43.000000000 +0900
            +++ configure   2016-05-30 05:50:12.000000000 +0900
            @@ -10762,37 +10762,6 @@
                 am_save_ldflags="$LDFLAGS"
                 am_save_libs="$LIBS"
            
            -    CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
            -    LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
            -    LIBS="$LIBS $OPENSSL_LIBS"
            -
            -    found_openssl="no"
            -
            -cat confdefs.h - <<_ACEOF >conftest.$ac_ext
            -/* end confdefs.h.  */
            -
            -#include <openssl/ssl.h>
            -#include <openssl/bio.h>
            -
            -int
            -main ()
            -{
            -
            -       /* check that both libssl and libcrypto are available */
            -       SSL_library_init();     /* a function from libssl */
            -       BIO_new(BIO_s_mem());   /* a function from libcrypto */
            -
            -  ;
            -  return 0;
            -}
            -_ACEOF
            -if ac_fn_c_try_link "$LINENO"; then :
            -  found_openssl="yes"
            -fi
            -rm -f core conftest.err conftest.$ac_objext \
            -    conftest$ac_exeext conftest.$ac_ext
            -
            -
                 CFLAGS="$am_save_cflags"
                 LDFLAGS="$am_save_ldflags"
                 LIBS="$am_save_libs"
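
Review bot: Deleting the whole block, from the CFLAGS="$CFLAGS $OPENSSL_CFLAGS" line through the ac_fn_c_try_link test, removes the check that libssl and libcrypto actually link instead of fixing why it fails under a static link. With these lines gone nothing in this region sets found_openssl, and the saved CFLAGS, LDFLAGS and LIBS are restored without ever having been changed, so configure can no longer catch a missing or unusable OpenSSL and the failure moves to make or to run time. I would keep the test, read the linker error that the conftest program leaves in config.log, and adjust what goes into OPENSSL_LIBS or OPENSSL_LDFLAGS for the static case so that the check passes on its own.
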
            After deleting those lines, configure now succeeds.
            But it is not confirmed whether encrypted communication can be performed.

            Comment

            • sorciq
              Junior Member
              • Aug 2012
              • 15

              #7
              Hi!

              Now it is working! It compiles, but:

              I get this message in the log:
              5945:20160602:163630.480 failed to accept an incoming connection: from XX.XX.XX.XX TLS handshake returned error code 1: file s3_pkt.c line 494: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac: TLS write fatal alert "bad record mac"

              PSK identity is checked and correct.
              PSK value also.

              zabbix_agentd and zabbix_server have the same version of OpenSSL.

              TLSConnect=psk
              TLSAccept=psk
              TLSPSKIdentity=PSK 001
              TLSPSKFile=/etc/zabbix_agentd/monitor_file.psk

              Thank you!

              Regards,
              Simon
              Last edited by sorciq; 02-06-2016, 16:40.

              Comment

              • olejak
                Junior Member
                • Aug 2016
                • 11

                #8
                Same problem

                I have the same problem.

                I have tried downloading OpenSSL v1.0.2h, compiling it to a different dir, and when I run ./configure --enable-agent --enable-static --with-openssl=<path to dir> I still get:

                Code:
                checking for OpenSSL support... no
                configure: error: OpenSSL library libssl or libcrypto not found

                I have tried editing the configure script to search my OpenSSL 1.0.2h dir by default and I still get the same error.

                I only get this error when I use --enable-static, but I need that.

                Edited to add:
                In my new openssl dir I have ./lib containing libssl.a libssl.so libcrypto.a libcrypto.so

                All the .h files mentioned in the configure script are also in my openssl dir.
                Last edited by olejak; 22-08-2016, 16:20.

                Comment

                • olejak
                  Junior Member
                  • Aug 2016
                  • 11

                  #9
                  After some digging in the configure file I found that there is no section in there in regards to openssl and static linking.

                  Other modules have a section regarding static linking, e.g. net-snmp, mysql, LDAP

                  My skills editing these files are not great, but I will try and post my findings.

                  Comment

                  • olejak
                    Junior Member
                    • Aug 2016
                    • 11

                    #10
                    So I managed to statically build a zabbix_agentd on CentOS 5 with OpenSSL.

                    First I downloaded OpenSSL 1.0.2h, configured it and built it to another location on my system.

                    Code:
                    /home/user/openssl-1.0.2h# ./config --prefix=/home/user/openssl --openssldir=/home/user/openssl

                    Once that was done, I downloaded the zabbix-3.0.4 source to my system.

                    I then ran the configure script without the --enable-static flag.

                    Code:
                    /home/user/zabbix-3.0.4# ./configure --enable-agent --with-openssl=/home/user/openssl

                    This resulted in the following output:

                    Code:
                    Configuration:
                    
                      Detected OS:           linux-gnu
                      Install path:          /usr/local
                      Compilation arch:      linux
                    
                      Compiler:              gcc
                      Compiler flags:         -g -O2
                    
                      Library-specific flags:
                        TLS:                   -I/home/user/openssl/include
                    
                      Enable server:         no
                    
                      Enable proxy:          no
                    
                      Enable agent:          yes
                      Agent details:
                        TLS:                   OpenSSL
                        Linker flags:           -L/home/user/openssl/lib   -rdynamic  
                        Libraries:              -lssl -lcrypto   -lm -ldl -lrt  -lresolv 
                    
                      Enable Java gateway:   no
                    
                      LDAP support:          no
                      IPv6 support:          no

                    Once the configure script was done I edited the Makefile. I added some flags.

                    Original Makefile
                    Code:
                    CFLAGS =  -g -O2
                    LDFLAGS = -rdynamic 
                    LIBS = -lm -ldl -lrt  -lresolv

                    I changed them to this:
                    Code:
                    CFLAGS =  -g -O2 -I/root/Download/openssl/include
                    LDFLAGS = -L/root/Download/openssl/lib   -rdynamic -static
                    LIBS = -lssl -lcrypto -lm -ldl -lrt -lresolv

                    Now I ran "make" in /home/user/zabbix-3.0.4 and built a zabbix_agentd that supports OpenSSL and is statically built.

                    Comment
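
A post-build check for an agent built as in post #10, as an added example that is not part of the original thread: it confirms the binary is statically linked and that the OpenSSL copy embedded in it meets the 1.0.1 minimum quoted in post #2. A static binary carries its own OpenSSL, so this embedded version is the one to track when OpenSSL fixes are released. The function names are hypothetical, and file(1) and strings(1) are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): check a zabbix_agentd built with -static.
# Function names are hypothetical; assumes file(1) and strings(1) are installed.
MIN_OPENSSL="1.0.1"   # minimum OpenSSL version quoted in post #2

# ver_key 1.0.2h -> 001000002h : fixed-width key that sorts like the version
ver_key() {
    v=$1
    num=$(printf '%s' "$v" | sed 's/[a-z]*$//')   # numeric part, e.g. 1.0.2
    suf=${v#"$num"}                               # letter suffix, e.g. h
    old_ifs=$IFS; IFS=.
    set -- $num                                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    printf '%03d%03d%03d%s' "${1:-0}" "${2:-0}" "${3:-0}" "$suf"
}

# version_at_least FOUND MINIMUM : true when FOUND >= MINIMUM
version_at_least() {
    have=$(ver_key "$1"); min=$(ver_key "$2")
    [ "$(printf '%s\n%s\n' "$min" "$have" | LC_ALL=C sort | head -n 1)" = "$min" ]
}

# Reads `strings BINARY` output on stdin; prints the first OpenSSL version found.
embedded_openssl_version() {
    sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

check_agent_binary() {
    bin=$1
    file "$bin" | grep -q 'statically linked' ||
        { echo "FAIL: $bin is not reported as statically linked"; return 1; }
    ver=$(strings "$bin" | embedded_openssl_version)
    [ -n "$ver" ] ||
        { echo "FAIL: no OpenSSL version string in $bin (built without TLS?)"; return 1; }
    version_at_least "$ver" "$MIN_OPENSSL" ||
        { echo "FAIL: embedded OpenSSL $ver is older than $MIN_OPENSSL"; return 1; }
    echo "OK: $bin is static and embeds OpenSSL $ver"
}

# Run the check when a binary path is given on the command line.
if [ $# -gt 0 ]; then
    check_agent_binary "$1"
fi
```

This only inspects the binary; it does not show that a TLS handshake with the server succeeds.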
