Zabbix支持使用传输层安全(TLS)协议v.1.2在Zabbix server,Zabbix proxy,Zabbix agent,zabbix_sender和zabbix_get程序之间的加密通信。从Zabbix 3.0开始支持加密,支持基于证书和共享秘钥加密。
加密是可选的,可以针对各个组件进行配置(例如,一些proxies和agents可以配置为与服务器一起使用基于证书的加密,而其他可以使用共享秘钥加密,剩下的可以像以前一样继续使用未加密的通信)。
服务器(代理)可以为不同的主机使用不同的加密配置。
Zabbix守护程序使用一个监听端口进行加密和未加密的传入连接。添加加密不需要在防火墙上打开新端口。
* 在运行Zabbix前端的Web服务器和用户Web浏览器之间
* 在Zabbix前端和Zabbix服务器之间,
* Zabbix服务器(代理)和Zabbix数据库之间。
* 目前,每个加密的连接都会打开一个完整的TLS握手,不会实现会话缓存和故障单。
* 根据网络延迟,添加加密会增加检查和操作的时间。\\ 例如,如果分组延迟为100ms,则打开TCP连接并发送未加密的请求大约需要200ms。\\ 加密约1000毫秒添加建立TLS连接。\\ 可能需要增加超时,否则一些监控项和动作在agent运行远程脚本时,使用加密会失败,而不加密则成功。
* [[/manual/discovery/network_discovery|网络发现]]不支持加密。通过网络发现执行的Zabbix agent检查将是未加密的,如果Zabbix agent配置为拒绝未加密的连接,那么这种检查将不会成功。
为了支持加密Zabbix必须编译并链接到三个加密库之一:
通过指定“configure”脚本的选项来选择库:
--with-mbedtls[=DIR]
--with-gnutls[=DIR]
--with-openssl[=DIR]
例如,要使用OpenSSL配置服务器和agent代理的源,可以使用以下内容:
./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-openssl
可以使用不同的加密库(例如具有OpenSSL的服务器,具有GnuTLS的agent代理)来编译不同的Zabbix组件。
如果您计划使用共享密钥(PSK),请考虑使用PSKs在Zabbix组件中使用GnuTLS或mbed TLS库。GnuTLS和mbed TLS库支持具有Perfect Forward Secrecy的PSK密码。OpenSSL库(版本1.0.1,1.0.2c)支持PSK,但可用的PSK密码套件不提供完美转发保密。
Zabbix中的连接可以使用:
有两个重要参数用于为Zabbix组件之间的连接指定加密:
TLSConnect
TLSAccept
TLSConnect
指定要使用什么加密传出连接和可以采取3个中的一个(unencrypted,PSK,certificate)。 TLSConnect
用于Zabbix proxy的配置文件(在主动模式下,仅指定与服务器的连接)和Zabbix agentd(用于主动检查)。在的zabbix前端的TLSConnect
等效物是连接主机在字段配置→主机→<一些主机>→加密选项卡和连接代理字段中管理→代理→<一些代理>→加密选项卡。如果配置的连接加密类型失败,则不会尝试其他加密类型。
TLSAccept
指定允许进入连接的连接类型。连接类型:unencrypted,PSK,certificate。可以指定一个或多个值。 TLSAccept
用于Zabbix proxy的配置文件(在被动模式下,仅指定来自服务器的连接)和Zabbix agentd(用于被动检查)。在的zabbix前端的TLSAccept
等效物是从主机连接在字段配置→主机→<一些主机>→加密选项卡和从连接代理在字段管理→代理→<一些代理>→加密选项卡。
通常,您仅为传入加密配置一种类型的加密。但您可能希望切换加密类型,例如从加密到基于证书的最小停机时间和回滚可能性。
要实现这一点,您可以TLSAccept=unencrypted,cert在agentd配置文件中设置并重新启动Zabbix agent。
然后,您可以zabbix_get
使用证书测试与agent的连接。如果一切正常,你可以重新配置加密中的zabbix前端,agent配置→主机→<某些主机>→加密设置选项卡连接主机到“证书”。
当服务器配置缓存被更新(如果主机正在通过proxy进行监视时,proxy配置被更新),则与该agent的连接将被加密。
如果一切正常工作,您可以TLSAccept=cert在agent配置文件中设置并重新启动Zabbix agent。
现在agent将只接受加密的基于证书的连接。未加密和基于PSK的连接将被拒绝
以类似的方式,它可以在服务器和proxy上运行。如果在Zabbix前端主机配置中连接设置为“证书”,则只能从agent(主动检查)和zabbix_sender
(trapper项目)接受基于证书的加密连接。
很可能您将配置传入和传出连接使用相同的加密类型或根本不加密。但从技术上讲,可以非对称地进行配置,例如基于传入和基于PSK的出口连接的基于证书的加密。
有关概述,每个主机的加密配置将显示在Zabbix前端配置→主机右侧的代理加密列中。配置显示示例:
例 | 接到主机 允许从主机 | 接 拒绝从主机连接 | |
---|---|---|---|
未加密 未加 | 加密证书和 | 于PSK的证书 | |
加密,基于证书 基于加密证书 | 未加密和基于PSK的 | ||
加密,基于PSK的 加密PSK | 主 未加密和基于证书 | ||
加密,基于PSK的 未加密和基 | PSK的加密 以证书为基础 | ||
加密,基于证书 未加密,PS | 或基于证书的加密 - |
默认是未加密的连接。必须单独为每个主机和代理配置加密。
请参阅man-pages zabbix_get和zabbix_sender以使用加密。
在Zabbix启动期间内部配置了密码套件,并且依赖于加密库,目前它们不是用户可配置的。
按照从高到低顺序的库类型配置密码:
密码库 证书 | 码 PSK密码 | |
---|---|---|
mbed TLS (PolarSSL) 1.3.9 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA TLS-RSA-WITH-AES-128-GCM-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA |
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA TLS-PSK-WITH-AES-128-GCM-SHA256 TLS-PSK-WITH-AES-128-CBC-SHA256 TLS-PSK-WITH-AES-128-CBC-SHA |
GnuTLS 3.1.18 | TLS_ECDHE_RSA_AES_128_GCM_SHA256 TLS_ECDHE_RSA_AES_128_CBC_SHA256 TLS_ECDHE_RSA_AES_128_CBC_SHA1 TLS_RSA_AES_128_GCM_SHA256 TLS_RSA_AES_128_CBC_SHA256 TLS_RSA_AES_128_CBC_SHA1 |
TLS_ECDHE_PSK_AES_128_CBC_SHA256 TLS_ECDHE_PSK_AES_128_CBC_SHA1 TLS_PSK_AES_128_GCM_SHA256 TLS_PSK_AES_128_CBC_SHA256 TLS_PSK_AES_128_CBC_SHA1 |
OpenSSL 1.0.2c | ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA |
PSK-AES128-CBC-SHA |
OpenSSL 1.1.0 | ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA |
ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA |
密码套件使用证书:
TLS服务器 | |||
TLS客户端 *m | ed TLS (PolarSSL)* *G | uTLS* *O | enSSL 1.0.2* |
mbed TLS (PolarSSL) | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
GnuTLS | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
OpenSSL 1.0.2 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
密码套件使用PSK:
TLS服务器 | |||
TLS客户端 *m | ed TLS (PolarSSL)* *G | uTLS* *O | enSSL 1.0.2* |
mbed TLS (PolarSSL) | TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 | TLS-PSK-WITH-AES-128-CBC-SHA |
GnuTLS | TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 | TLS-PSK-WITH-AES-128-CBC-SHA |
OpenSSL 1.0.2 | TLS-PSK-WITH-AES-128-CBC-SHA | TLS-PSK-WITH-AES-128-CBC-SHA | TLS-PSK-WITH-AES-128-CBC-SHA |
The built-in ciphersuite selection criteria can be overridden with user-configured ciphersuites (since Zabbix 4.0.19).
User-configured ciphersuites is a feature intended for advanced users who understand TLS ciphersuites, their security and consequences of mistakes, and who are comfortable with TLS troubleshooting.
The built-in ciphersuite selection criteria can be overridden using the following parameters:
Override scope | Parameter | Value | Description |
---|---|---|---|
Ciphersuite selection for certificates | TLSCipherCert13 | Valid OpenSSL 1.1.1 cipher strings for TLS 1.3 protocol (their values are passed to the OpenSSL function SSL_CTX_set_ciphersuites()). | Certificate-based ciphersuite selection criteria for TLS 1.3 Only OpenSSL 1.1.1 or newer. |
TLSCipherCert | Valid OpenSSL cipher strings for TLS 1.2 or valid GnuTLS priority strings. Their values are passed to the SSL_CTX_set_cipher_list() or gnutls_priority_init() functions, respectively. | Certificate-based ciphersuite selection criteria for TLS 1.2/1.3 (GnuTLS), TLS 1.2 (OpenSSL) | |
Ciphersuite selection for PSK | TLSCipherPSK13 | Valid OpenSSL 1.1.1 cipher strings for TLS 1.3 protocol (their values are passed to the OpenSSL function SSL_CTX_set_ciphersuites()). | PSK-based ciphersuite selection criteria for TLS 1.3 Only OpenSSL 1.1.1 or newer. |
TLSCipherPSK | Valid OpenSSL cipher strings for TLS 1.2 or valid GnuTLS priority strings. Their values are passed to the SSL_CTX_set_cipher_list() or gnutls_priority_init() functions, respectively. | PSK-based ciphersuite selection criteria for TLS 1.2/1.3 (GnuTLS), TLS 1.2 (OpenSSL) | |
Combined ciphersuite list for certificate and PSK | TLSCipherAll13 | Valid OpenSSL 1.1.1 cipher strings for TLS 1.3 protocol (their values are passed to the OpenSSL function SSL_CTX_set_ciphersuites()). | Ciphersuite selection criteria for TLS 1.3 Only OpenSSL 1.1.1 or newer. |
TLSCipherAll | Valid OpenSSL cipher strings for TLS 1.2 or valid GnuTLS priority strings. Their values are passed to the SSL_CTX_set_cipher_list() or gnutls_priority_init() functions, respectively. | Ciphersuite selection criteria for TLS 1.2/1.3 (GnuTLS), TLS 1.2 (OpenSSL) |
To override the ciphersuite selection in zabbix_get and zabbix_sender utilities - use the command-line parameters:
--tls-cipher13
--tls-cipher
The new parameters are optional. If a parameter is not specified, the internal default value is used. If a parameter is defined it cannot be empty.
If the setting of a TLSCipher* value in the crypto library fails then the server, proxy or agent will not start and an error is logged.
It is important to understand when each parameter is applicable.
The simplest case is outgoing connections:
--tls-cipher13
and --tls-cipher
can be used (encryption is unambiguously specified with a --tls-connect
parameter)It is a bit more complicated with incoming connections because rules are specific for components and configuration.
For Zabbix agent:
Agent connection setup | Cipher configuration |
---|---|
TLSConnect=cert | TLSCipherCert, TLSCipherCert13 |
TLSConnect=psk | TLSCipherPSK, TLSCipherPSK13 |
TLSAccept=cert | TLSCipherCert, TLSCipherCert13 |
TLSAccept=psk | TLSCipherPSK, TLSCipherPSK13 |
TLSAccept=cert,psk | TLSCipherAll, TLSCipherAll13 |
For Zabbix server and ** proxy**:
Connection setup | Cipher configuration |
---|---|
Outgoing connections using PSK | TLSCipherPSK, TLSCipherPSK13 |
Incoming connections using certificates | TLSCipherAll, TLSCipherAll13 |
Incoming connections using PSK if server has no certificate | TLSCipherPSK, TLSCipherPSK13 |
Incoming connections using PSK if server has certificate | TLSCipherAll, TLSCipherAll13 |
Some pattern can be seen in the two tables above:
The following tables show the TLSCipher*
built-in default values. They could be a good starting point for your own custom values.
Parameter | GnuTLS 3.6.12 |
---|---|
TLSCipherCert | NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 |
TLSCipherPSK | NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL |
TLSCipherAll | NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 |
Parameter | OpenSSL 1.1.1d 1 |
---|---|
TLSCipherCert13 | |
TLSCipherCert | EECDH+aRSA+AES128:RSA+aRSA+AES128 |
TLSCipherPSK13 | TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 |
TLSCipherPSK | kECDHEPSK+AES128:kPSK+AES128 |
TLSCipherAll13 | |
TLSCipherAll | EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 |
1 Default values are different for older OpenSSL versions (1.0.1, 1.0.2, 1.1.0), for LibreSSL and if OpenSSL is compiled without PSK support.
** Examples of user-configured ciphersuites **
See below the following examples of user-configured ciphersuites:
To see which ciphersuites have been selected you need to set 'DebugLevel=4' in the configuration file, or use the -vv
option for zabbix_sender.
Some experimenting with TLSCipher*
parameters might be necessary before you get the desired ciphersuites. It is inconvenient to restart Zabbix server, proxy or agent multiple times just to tweak TLSCipher*
parameters. More convenient options are using zabbix_sender or the openssl
command. Let's show both.
1. Using zabbix_sender.
Let's make a test configuration file, for example /home/zabbix/test.conf, with the syntax of a zabbix_agentd.conf file:
Hostname=nonexisting
ServerActive=nonexisting
TLSConnect=cert
TLSCAFile=/home/zabbix/ca.crt
TLSCertFile=/home/zabbix/agent.crt
TLSKeyFile=/home/zabbix/agent.key
TLSPSKIdentity=nonexisting
TLSPSKFile=/home/zabbix/agent.psk
You need valid CA and agent certificates and PSK for this example. Adjust certificate and PSK file paths and names for your environment.
If you are not using certificates, but only PSK, you can make a simpler test file:
Hostname=nonexisting
ServerActive=nonexisting
TLSConnect=psk
TLSPSKIdentity=nonexisting
TLSPSKFile=/home/zabbix/agentd.psk
The selected ciphersuites can be seen by running zabbix_sender (example compiled with OpenSSL 1.1.d):
$ zabbix_sender -vv -c /home/zabbix/test.conf -k nonexisting_item -o 1 2>&1 | grep ciphersuites
zabbix_sender [41271]: DEBUG: zbx_tls_init_child() certificate ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA
zabbix_sender [41271]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender [41271]: DEBUG: zbx_tls_init_child() certificate and PSK ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
Here you see the ciphersuites selected by default. These default values are chosen to ensure interoperability with Zabbix agents running on systems with older OpenSSL versions (from 1.0.1).
With newer systems you can choose to tighten security by allowing only a few ciphersuites, e.g. only ciphersuites with PFS (Perfect Forward Secrecy). Let's try to allow only ciphersuites with PFS using TLSCipher*
parameters.
The result will not be interoperable with systems using OpenSSL 1.0.1 and 1.0.2, if PSK is used. Certificate-based encryption should work.
Add two lines to the test.conf
configuration file:
and test again:
$ zabbix_sender -vv -c /home/zabbix/test.conf -k nonexisting_item -o 1 2>&1 | grep ciphersuites
zabbix_sender [42892]: DEBUG: zbx_tls_init_child() certificate ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
zabbix_sender [42892]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA
zabbix_sender [42892]: DEBUG: zbx_tls_init_child() certificate and PSK ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
The "certificate ciphersuites" and "PSK ciphersuites" lists have changed - they are shorter than before, only containing TLS 1.3 ciphersuites and TLS 1.2 ECDHE-* ciphersuites as expected.
2. TLSCipherAll and TLSCipherAll13 cannot be tested with zabbix_sender; they do not affect "certificate and PSK ciphersuites" value shown in the example above. To tweak TLSCipherAll and TLSCipherAll13 you need to experiment with the agent, proxy or server.
So, to allow only PFS ciphersuites you may need to add up to three parameters
TLSCipherCert=EECDH+aRSA+AES128
TLSCipherPSK=kECDHEPSK+AES128
TLSCipherAll=EECDH+aRSA+AES128:kECDHEPSK+AES128
to zabbix_agentd.conf, zabbix_proxy.conf and zabbix_server_conf if each of them has a configured certificate and agent has also PSK.
If your Zabbix environment uses only PSK-based encryption and no certificates, then only one:
Now that you understand how it works you can test the ciphersuite selection even outside of Zabbix, with the openssl
command. Let's test all three TLSCipher*
parameter values:
$ openssl ciphers EECDH+aRSA+AES128 | sed 's/:/ /g'
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
$ openssl ciphers kECDHEPSK+AES128 | sed 's/:/ /g'
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA
$ openssl ciphers EECDH+aRSA+AES128:kECDHEPSK+AES128 | sed 's/:/ /g'
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA
You may prefer openssl ciphers
with option -V
for a more verbose output:
$ openssl ciphers -V EECDH+aRSA+AES128:kECDHEPSK+AES128
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0xC0,0x37 - ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256
0xC0,0x35 - ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1
Similarly, you can test the priority strings for GnuTLS:
$ gnutls-cli -l --priority=NONE:+VERS-TLS1.2:+ECDHE-RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
Cipher suites for NONE:+VERS-TLS1.2:+ECDHE-RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256 0xc0, 0x27 TLS1.2
Protocols: VERS-TLS1.2
Ciphers: AES-128-GCM, AES-128-CBC
MACs: AEAD, SHA256
Key Exchange Algorithms: ECDHE-RSA
Groups: GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519, GROUP-X448, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096, GROUP-FFDHE6144, GROUP-FFDHE8192
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-RSAE-SHA256, SIGN-ECDSA-SHA256, SIGN-ECDSA-SECP256R1-SHA256, SIGN-EdDSA-Ed25519, SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384, SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-EdDSA-Ed448, SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512, SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512, SIGN-RSA-SHA1, SIGN-ECDSA-SHA1
Zabbix uses AES128 as the built-in default for data. Let's assume you are using certificates and want to switch to AES256, on OpenSSL 1.1.1.
This can be achieved by adding the respective parameters in zabbix_server.conf
:
TLSCAFile=/home/zabbix/ca.crt
TLSCertFile=/home/zabbix/server.crt
TLSKeyFile=/home/zabbix/server.key
TLSCipherCert13=TLS_AES_256_GCM_SHA384
TLSCipherCert=EECDH+aRSA+AES256:-SHA1:-SHA384
TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256
TLSCipherPSK=kECDHEPSK+AES256:-SHA1
TLSCipherAll13=TLS_AES_256_GCM_SHA384
TLSCipherAll=EECDH+aRSA+AES256:-SHA1:-SHA384
Although only certificate-related ciphersuites will be used, TLSCipherPSK*
parameters are defined as well to avoid their default values which include less secure ciphers for wider interoperability. PSK ciphersuites cannot be completely disabled on server/proxy.
And in zabbix_agentd.conf
: