Ad Widget

**andris** · 20-10-2017, 10:12

You can check, maybe there is some network device (firewall?) between Windows machine and Zabbix server which allows TCP, but does not like SSL connections.
Also DebugLevel=4 (or even 5) and Wireshark/tcpdump can help.

**Gijs007** · 20-10-2017, 15:57

Thanks, the debug information was more helpful.
I saw the following message:

Code:

7084:20171020:151342.223 failed to accept an incoming connection: from 92.222.x.x: unencrypted connections are not allowed

Which made me suspect the Zabbix server wasn't compiled with openssl support.
After installing the libssl-dev library and recompiling with

Code:

--with-openssl

and running make install again, Zabbix is working correctly.

I did notice something strange, Wireshark detects normal TCP packets instead of SSL/TLS. Does Zabbix only compress the data within the TCP packets, instead of using a normal SSL/TLS connection?

**andris** · 20-10-2017, 16:24

You can check host settings in Zabbix frontend - Configuration -> Hosts -> (your host) -> Encryption tab.
What are "Connections to host" and "Connections from host" settings ? Are they both "PSK" ?

**Gijs007** · 20-10-2017, 16:38

Originally posted by andris

You can check host settings in Zabbix frontend - Configuration -> Hosts -> (your host) -> Encryption tab.
What are "Connections to host" and "Connections from host" settings ? Are they both "PSK" ?

Yes, both are set as PSK.

**andris** · 20-10-2017, 16:48

Then DebugLevel=4 on server AND agent should give some hint what goes out and what comes in.

**Gijs007** · 20-10-2017, 16:50

I think it's working, as Zabbix is receiving data from the agent.
However as I mentioned earlier Wireshark doesn't recognize the traffic as SSL/TLS.

**andris** · 20-10-2017, 16:53

Nothing special with Zabbix TLS, Wireshark should recognize it.

**andris** · 20-10-2017, 16:54

.. as TLS 1.2

**Gijs007** · 20-10-2017, 21:29

Wireshark is only detecting protocol TCP over here. This doesn't make sense as the encryption is enforced both ways, on the agent and server.

I can't recognize any of the data the agent is transmitting, except for the PSK identifier.
I'm uncertain if the data is encrypted or not.

**andris** · 21-10-2017, 00:27

Wireshark is only detecting protocol TCP over here. This doesn't make sense as the encryption is enforced both ways, on the agent and server.

I can't recognize any of the data the agent is transmitting, except for the PSK identifier.
I'm uncertain if the data is encrypted or not.

PSK identifier in clear text is a good sign - and, yes, it goes unencrypted just to inform receiving side which PSK to use further. Zabbix server can use a different PSK and PSK identifier for each agent.

As of Wireshark - try to select SSL as protocol for decoding captured traffic (Edit->Preferences->Protocols->SSL - something like that?). You should see TLS 1.2 protocol headers (e.g. ciphersuites selection), not decrypted Zabbix data (although you can google how to decrypt data too).

**andris** · 21-10-2017, 00:39

To investigate if data are encrypted or not you can, for example, replace encryption-enabled Zabbix agent with a combination of agent without encryption support and Stunnel and see does it work with encryption-enabled Zabbix server. For both - passive and active checks - you will need 2 Stunnel instances.
It takes time to set up, but should work.

**Gijs007** · 21-10-2017, 17:40

I managed to make Wireshark detect it as TLS 1.2 traffic.
Had to right click on the traffic > decode as and set it to SSL.

Guess Wireshark only automatically determines the protocol bases on port number (E.g. 443), instead of analysing the traffic and finding matching protocols.

Ad Widget

How to setup PSK encryption?

How to setup PSK encryption?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment