Server & Active Proxy Force TLS 1.3 PSK?

SANDMAN
Junior Member
• Jun 2023
• 14

#1

Hi,

New to Zabbix in the last week.

I'm trying to force server + active proxy to use TLS 1.3 PSK.
Reviewing my Fortigate firewall, it's using TLS 1.2.
I've reviewed and believe I have the correct config? https://www.zabbix.com/documentation...ual/encryption

Using docker

zabbix/zabbix-server-pgsql:alpine-6.4-latest

.env_srv
ZBX_TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256

zabbix/zabbix-proxy-sqlite3:alpine-6.4-latest

.env_prx
ZBX_TLSCONNECT=psk
ZBX_TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256

Any ideas what I'm missing to get TLS 1.3 + CHACHA20_POLY1305_SHA256?
SANDMAN
Junior Member
• Jun 2023
• 14

#2
Reviewed this more but still cannot get TLS 1.3 working.

The .env_srv variable - ZBX_TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256 - does not appear to be updating /etc/zabbix/zabbix_config.conf

Upon container start:
zabbix-proxy-zabbix-proxy-sqlite3-1 | ** Updating '/etc/zabbix/zabbix_proxy.conf' parameter "TLSCipherPSK": ''...removed
zabbix-proxy-zabbix-proxy-sqlite3-1 | ** Updating '/etc/zabbix/zabbix_proxy.conf' parameter "TLSCipherPSK13": ''...removed

And reviewing the config, it's not set. However, the other variables do work: ZBX_SERVER_HOST= , ZBX_TLSCONNECT=psk, ZBX_TLSPSKIDENTITY= , ZBX_TLSPSKFILE=

So then I tried creating my own proxy config and doing a bind mount to overwrite the config to force ZBX_TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256 on both server + proxy configs. Still TLS 1.2.

Test from docker proxy to docker host Linux agent. TCP 10050 open.
zabbix_get -s 192.168.20.5 -p 10050 --tls-connect psk --tls-psk-identity psk002 --tls-psk-file /tmp/psk.psk --tls-cipher13 TLS_CHACHA20_POLY1305_SHA256 -k "system.cpu.load[all,avg1]"
zabbix_get [195]: Get value error: cannot connect to [[192.168.20.5]:10050]: [111] Connection refused

Now I'm going to replicate the containers' config and give the Ubuntu image a go. Alpine is difficult. I know the Ubuntu one has OpenSSL 3.0.2.
I'd really like to get some TLS 1.3 proxies deployed.
Any help greatly appreciated.
Last edited by SANDMAN; 26-06-2023, 22:22.

SANDMAN
Junior Member
• Jun 2023
• 14

#3
Dumb Fortigate and dumb me.
After seeing a zabbix_sender test from proxy to server be successful with --tls-cipher13 TLS_CHACHA20_POLY1305_SHA256, I reviewed Fortigate and it still only showed TLS 1.2 inbound.

The server is behind Opnsense --> Fortigate (transparent mode). Opnsense app detection with "Zenarmor" is poor, so I review traffic on Fortigate.
I then ran a packet capture on Opnsense and reviewed it with Wireshark. Yup - proxy sending TLS 1.3.
Lots of TLS 1.3 detected traffic flowing through Fortigate, so that threw me off. Must not recognize PSK and needs a cert to detect as TLS 1.3.

Markku
Senior Member
Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
• Sep 2018
• 1781

#4
Originally posted by SANDMAN:
    I reviewed Fortigate and still only showed TLS 1.2 inbound.
In the TLS hello message the version field is still 1.2 (0x0303) in TLS 1.3; the actual 1.3 is indicated in the "supported_versions" TLS extension field. Maybe Fortigate is just showing the version field and does not parse the full information?

Markku
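To make Markku's point concrete, here is an added example (not code from this thread, from Zabbix, or from any firewall vendor) that parses a ClientHello the way a packet analyser has to: it reads the record-layer and handshake version fields, which still say TLS 1.2 in a TLS 1.3 hello, and then reports what the supported_versions extension actually offers and whether a pre_shared_key extension is present. The hello it parses is constructed in memory by the script itself; the function names build_client_hello and parse_client_hello and all byte values are assumptions for illustration, and the PSK identity "psk002" is simply reused from the zabbix_get command earlier in the thread.

```python
"""Parse a TLS ClientHello and report the version it really offers.

Added example, not code from this thread or from Zabbix: it builds a
constructed ClientHello in memory (no network) and parses it the way a packet
analyser should. In a TLS 1.3 hello the record-layer and handshake "version"
fields still say TLS 1.2 (0x0303); the real offer is in the supported_versions
extension (type 43), and a PSK handshake shows in the pre_shared_key (41)
and psk_key_exchange_modes (45) extensions. All bytes here are constructed.
"""
import struct

# Extension types and code points from RFC 8446 / the IANA TLS registry
EXT_PRE_SHARED_KEY = 41
EXT_SUPPORTED_VERSIONS = 43
EXT_PSK_KEY_EXCHANGE_MODES = 45
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_NAMES = {
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",          # TLS 1.3 suite
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2 suite
}


def _ext(ext_type, body):
    """Encode one extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(tls13=True, identity=b"psk002"):
    """Constructed ClientHello: TLS 1.3 with a PSK, or a plain TLS 1.2 one."""
    body = b"\x03\x03"                          # legacy_version: always 0x0303
    body += b"\x11" * 32                        # random (constructed)
    body += b"\x00"                             # legacy_session_id: empty
    body += struct.pack("!HH", 2, 0x1303 if tls13 else 0xC02F)  # one suite
    body += b"\x01\x00"                         # compression_methods: null
    exts = b""
    if tls13:
        exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")  # offers 1.3 only
        exts += _ext(EXT_PSK_KEY_EXCHANGE_MODES, b"\x01\x01")  # psk_dhe_ke
        # pre_shared_key: identities (+ obfuscated_ticket_age), then binders;
        # it must be the last extension
        ident = struct.pack("!H", len(identity)) + identity + bytes(4)
        binder = b"\x20" + b"\x22" * 32         # one 32-byte binder (constructed)
        exts += _ext(EXT_PRE_SHARED_KEY,
                     struct.pack("!H", len(ident)) + ident
                     + struct.pack("!H", len(binder)) + binder)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    # Record layer: type 22 (handshake), legacy_record_version 0x0301 as many
    # stacks send on the first ClientHello; one more field that is not "1.3"
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return what the hello actually offers, not what its version fields say."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:5 + rec_len]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_ver = _u16(body, 0)
    pos = 34 + 1 + body[34]                     # skip version, random, session id
    cs_len = _u16(body, pos)
    pos += 2
    suites = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression_methods
    end = pos + 2 + _u16(body, pos)
    pos += 2
    exts = {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    offered = []
    if EXT_SUPPORTED_VERSIONS in exts:
        sv = exts[EXT_SUPPORTED_VERSIONS]       # 1-byte length, then versions
        offered = [_u16(sv, i) for i in range(1, 1 + sv[0], 2)]
    identities = []
    if EXT_PRE_SHARED_KEY in exts:
        psk = exts[EXT_PRE_SHARED_KEY]
        ids_end, p = 2 + _u16(psk, 0), 2
        while p < ids_end:
            ilen = _u16(psk, p)
            identities.append(psk[p + 2:p + 2 + ilen].decode("ascii", "replace"))
            p += 2 + ilen + 4                   # identity + obfuscated_ticket_age
    effective = 0x0304 if 0x0304 in offered else legacy_ver
    return {
        "record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver)),
        "legacy_version": VERSION_NAMES.get(legacy_ver, hex(legacy_ver)),
        "offered_versions": [VERSION_NAMES.get(v, hex(v)) for v in offered],
        "effective_version": VERSION_NAMES.get(effective, hex(effective)),
        "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites],
        "psk": EXT_PRE_SHARED_KEY in exts,
        "psk_identities": identities,
    }


if __name__ == "__main__":
    for label, hello in (("TLS 1.3 PSK", build_client_hello()),
                         ("TLS 1.2", build_client_hello(tls13=False))):
        print(label, parse_client_hello(hello))
```

Run as-is it prints both hellos: the TLS 1.3 PSK one reports legacy_version "TLS 1.2" but effective_version "TLS 1.3" with psk True, while the TLS 1.2 one has no supported_versions extension and stays at "TLS 1.2". To check real traffic, pass parse_client_hello the first bytes of the client's TCP payload taken from a capture such as the Opnsense one in the thread; a device that only reads the version fields will classify the first hello as 1.2 exactly as the Fortigate did.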
