ZABBIX BUGS AND ISSUES / ZBX-16750

Broken validation of peer certificate issuer/subject in TLS connect: check always succeeds


    • Sprint 56 (Sep 2019), Sprint 55 (Aug 2019), Sprint 57 (Oct 2019)

      Steps to reproduce:

      1. Configure zabbix_agentd.conf with TLS using certificate, for example:
        • TLSConnect=cert
        • TLSAccept=cert
        • TLSCAFile=/path/zabbix_ca_file
        • TLSServerCertIssuer=CN=Signing CA,OU=development,O=Zabbix,DC=zabbix,DC=com
        • TLSServerCertSubject=CN=proxy,OU=development,O=Zabbix,DC=zabbix,DC=com
        • TLSCertFile=/path/zabbix_agentd.crt
        • TLSKeyFile=/path/zabbix_agentd.key
      2. Configure host in frontend with TLS, Certificate.
      3. Run server and agent.

      Result:
      The agent does not notice that the server certificate has an issuer and subject other than those required by the agent configuration (validation is broken).

      Expected:
      The agent refuses to talk to a server whose certificate issuer/subject differs from the one configured in zabbix_agentd.conf.

            andris Andris Mednis
            Team A
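
Added example (not part of the original report and not Zabbix source code): a Python model of the expected check, usable as a negative test for the "always succeeds" failure. It assumes the peer certificate arrives in the dict shape returned by Python's ssl.SSLSocket.getpeercert() after chain validation, and that the configured issuer/subject are compared as exact RFC 4514 strings; the certificate dicts and helper names are constructed for illustration.

```python
# Short attribute names for the long names used in getpeercert() output.
SHORT = {"commonName": "CN", "organizationalUnitName": "OU",
         "organizationName": "O", "domainComponent": "DC",
         "countryName": "C", "localityName": "L", "stateOrProvinceName": "ST"}

def _escape(value):
    """Escape an attribute value as RFC 4514 section 2.4 requires."""
    out = []
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;' or (i == 0 and ch in "# ")
                   or (i == len(value) - 1 and ch == " "))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def dn_to_rfc4514(name):
    """Render a getpeercert()-style name (tuple of RDNs, in certificate
    order) as an RFC 4514 string, which lists the RDNs in reverse order."""
    return ",".join(
        "+".join(f"{SHORT.get(k, k)}={_escape(v)}" for k, v in rdn)
        for rdn in reversed(name))

def check_peer(cert, want_issuer=None, want_subject=None):
    """Return a list of mismatch reasons; an empty list means accept.
    An unset expectation skips that check; a missing field is a mismatch."""
    problems = []
    for field, want in (("issuer", want_issuer), ("subject", want_subject)):
        if want is None:
            continue
        got = dn_to_rfc4514(cert.get(field, ()))
        if got != want:
            problems.append(f"{field} mismatch: got {got!r}, want {want!r}")
    return problems

def _name(*pairs):
    """Build a constructed getpeercert()-style name from (attr, value) pairs."""
    return tuple(((k, v),) for k, v in pairs)

# Values from the report's zabbix_agentd.conf example.
WANT_ISSUER = "CN=Signing CA,OU=development,O=Zabbix,DC=zabbix,DC=com"
WANT_SUBJECT = "CN=proxy,OU=development,O=Zabbix,DC=zabbix,DC=com"

# Constructed sample certificates (not captured from a real deployment).
_BASE = (("domainComponent", "com"), ("domainComponent", "zabbix"),
         ("organizationName", "Zabbix"), ("organizationalUnitName", "development"))
ISSUER_NAME = _name(*_BASE, ("commonName", "Signing CA"))
GOOD_CERT = {"issuer": ISSUER_NAME, "subject": _name(*_BASE, ("commonName", "proxy"))}
OTHER_CERT = {"issuer": ISSUER_NAME, "subject": _name(*_BASE, ("commonName", "other"))}
```

The case that matters for this issue is OTHER_CERT: it chains to the same CA, so only the subject comparison can reject it.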