Hi,
I have a zabbix 6.4 proxy running in a docker container with this config:
- TLSACCEPT=psk
- TLSCONNECT=psk
- TLSPSKIDENTITY=PSK001
- TLSPSKFILE=/var/lib/zabbix/enc/psk-file.psk
When testing if I can connect to the proxy using openssl, I use:
openssl s_client -no_tls1_3 -connect 192.168.1.1:10056 -psk_identity 'PSK001' -psk '<my psk>'
Connecting to 192.168.1.1
CONNECTED(00000180)
Can't use SSL_get_servername
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 242 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-PSK-AES128-CBC-SHA256
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-PSK-AES128-CBC-SHA256
Session-ID:
Session-ID-ctx:
Master-Key: <a master key>
PSK identity: PSK001
PSK identity hint: None
SRP username: None
Start Time: 1707658392
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
When I run the psk_wrapper.py (from a Windows 11 machine) I got the error:
File "C:\Python\Python310\lib\ssl.py", line 1342, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007)
python-BaseException
psk and pskidentity are the same as used in the openssl
Python 3.10.11
pyOpenSSL 23.3.0
sslpsk3 1.1.1
zabbix-utils 1.1.0
When running the psk_wrapper from a Raspberry 4 (Linux 6.1.41-v8+ #1667 SMP PREEMPT Wed Jul 26 17:59:29 BST 2023 aarch64 GNU/Linux) I got the Error:
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:1123)
Is there a way I can configure -no_tls1_3 in the wrapper (not sure if this would fix things)?
Any help would be appreciated.
Theo
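For reference, this is how the `-no_tls1_3` restriction from the question maps onto Python's standard `ssl` module. It is an added example, not part of the original issue and not zabbix-utils or sslpsk3 code. It assumes Python 3.13 or later for the native PSK callback; the function names and the sample key are constructed for illustration, and the cipher name is the one shown in the `openssl s_client` output above.

```python
import ssl

# Cipher suite negotiated in the openssl s_client session shown in the issue.
PSK_CIPHER = "ECDHE-PSK-AES128-CBC-SHA256"


def load_psk_hex(text: str) -> bytes:
    """Decode a hex PSK (as stored in a Zabbix PSK file) into raw key bytes."""
    key = text.strip()
    if len(key) < 32 or len(key) % 2:
        raise ValueError("PSK must be an even number of hex digits, 32 or more")
    return bytes.fromhex(key)  # raises ValueError on non-hex characters


def tls12_context() -> ssl.SSLContext:
    """Client context that never offers TLS 1.3 (the effect of -no_tls1_3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # PSK authenticates the peer, not a certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PSK_CIPHER)      # fails here if the local OpenSSL lacks the suite
    return ctx


def attach_psk(ctx: ssl.SSLContext, identity: str, psk: bytes) -> ssl.SSLContext:
    """Install the client PSK callback (standard library support since 3.13)."""
    if not hasattr(ctx, "set_psk_client_callback"):
        raise RuntimeError("native PSK needs Python 3.13+")
    ctx.set_psk_client_callback(lambda hint: (identity, psk))
    return ctx


if __name__ == "__main__":
    # Constructed sample key; a real one comes from the file named in TLSPSKFILE.
    sample_key = load_psk_hex("00112233445566778899aabbccddeeff")
    context = tls12_context()
    offered = [c["name"] for c in context.get_ciphers()]
    print("max version:", context.maximum_version.name)
    print("PSK suite offered:", PSK_CIPHER in offered)
    try:
        attach_psk(context, "PSK001", sample_key)
        print("PSK callback installed")
    except RuntimeError as exc:
        print("PSK callback not installed:", exc)
```

`set_ciphers()` raising `ssl.SSLError` in `tls12_context()` means the local OpenSSL build does not provide that PSK suite at all.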