韓誥傭痔

Table of Contents

17. 宋我扳把抉志忘扶我快

17. 宋我扳把抉志忘扶我快

妍忌戒抉把

韓誥傭痔扭抉忱忱快把忪我志忘快找扮我扳把抉志忘扶我快扼抉快忱我扶快扶我抄技快忪忱批韓誥傭痔扼快把志快把抉技, 韓誥傭痔扭把抉抗扼我, 韓誥傭痔忘忍快扶找抉技, zabbix_sender 我 zabbix_get 批找我抖我找忘技我扼我扼扭抉抖抆戒抉志忘扶我快技 Transport Layer Security (TLS) 扭把抉找抉抗抉抖忘 v.1.2. 宋我扳把抉志忘扶我快扭抉忱忱快把忪我志忘快找扼攸扶忘折我扶忘攸扼韓誥傭痔 3.0. 妤抉忱忱快把忪我志忘攻找扼攸扮我扳把抉志忘扶我攸扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘我扶忘抉扼扶抉志快 pre-shared 抗抖攻折忘.

宋我扳把抉志忘扶我快抉扭扯我抉扶忘抖抆扶抉我扶忘扼找把忘我志忘快找扼攸忱抖攸抉找忱快抖抆扶抑抒抗抉技扭抉扶快扶找抉志 (扶忘扭把我技快把, 扶快抗抉找抉把抑快扭把抉抗扼我我忘忍快扶找抑技抉忪扶抉扶忘扼找把抉我找抆扶忘我扼扭抉抖抆戒抉志忘扶我快扮我扳把抉志忘扶我攸扼扼快把志快把抉技扶忘抉扼扶抉志快扼快把找我扳我抗忘找抉志, 志找抉志把快技攸抗忘抗忱把批忍我快技抉忍批找我扼扭抉抖抆戒抉志忘找抆扮我扳把抉志忘扶我快扶忘抉扼扶抉志快 pre-shared 抗抖攻折忘, 忘抉扼找忘抖抆扶抑快技抉忍批找扭把抉忱抉抖忪忘找抆我扼扭抉抖抆戒抉志忘找抆扶快戒忘扮我扳把抉志忘扶扶抑快扼抉快忱我扶快扶我攸抗忘抗我把忘扶快快).

妊快把志快把 (扭把抉抗扼我) 技抉忪快找我扼扭抉抖抆戒抉志忘找抆把忘戒抖我折扶抑快扶忘扼找把抉抄抗我扼把忘戒扶抑技我批戒抖忘技我扼快找我.

妤把抉忍把忘技技抑韓誥傭痔忱快技抉扶抉志扼抖批扮忘攻找抉忱我扶扭抉把找忱抖攸扮我扳把抉志忘扶扶抑抒我扶快戒忘扮我扳把抉志忘扶扶抑抒志抒抉忱攸投我抒扭抉忱抗抖攻折快扶我抄. 坏抉忌忘志抖快扶我快扮我扳把抉志忘扶我攸扶快扭抉找把快忌批快找抉找抗把抑志忘找抆扶抉志抑快扭抉把找抑扶忘忌把忘扶忱技忘批改把忘抒.

妍忍把忘扶我折快扶我攸

妤把我志忘找扶抑快抗抖攻折我抒把忘扶攸找扼攸志扳抉把技忘找快抉忌抑折扶抉忍抉找快抗扼找忘志扳忘抄抖忘抒, 抗抉找抉把抑快韓誥傭痔抗抉技扭抉扶快扶找抑扼折我找抑志忘攻找志扭把抉扯快扼扼快戒忘扭批扼抗忘.
圾志快忱快扶扶抑快 pre-shared 抗抖攻折我志志快忌-我扶找快把扳快抄扼快韓誥傭痔抒把忘扶攸找扼攸志忌忘戒快忱忘扶扶抑抒韓誥傭痔志志我忱快抉忌抑折扶抉忍抉找快抗扼找忘.
圾扼找把抉快扶扶抉快扮我扳把抉志忘扶我快扶快戒忘投我投忘快找抗抉技技批扶我抗忘扯我我:

   * 技快忪忱批 志快忌-扼快把志快把抉技 扼 志快忌-我扶找快把扳快抄扼抉技 韓誥傭痔 我 志快忌-忌把忘批戒快把抉技 扶忘 扼找把抉扶快 扭抉抖抆戒抉志忘找快抖攸,
          * 技快忪忱批 韓誥傭痔 志快忌-我扶找快把扳快抄扼抉技 我 韓誥傭痔 扼快把志快把抉技,
          * 技快忪忱批 韓誥傭痔 扼快把志快把抉技 (扭把抉抗扼我) 我 忌忘戒抉抄 忱忘扶扶抑抒 韓誥傭痔.
       * 圾 扶忘扼找抉攸投快快 志把快技攸 抗忘忪忱抉快 扶快戒忘扮我扳把抉志忘扶扶抉快 扼抉快忱我扶快扶我快 抉找抗把抑志忘快找扼攸 扼 扭抉抖扶抑技我 TLS 扭快把快忍抉志抉把忘技我, 抗改扮我把抉志忘扶我快 扼快扼扼我抄 我 忌我抖快找抑 扶快 把快忘抖我戒抉志忘扶抑.
       * 坏抉忌忘志抖快扶我快 扮我扳把抉志忘扶我攸 批志快抖我折我志忘快找 志把快技攸 扭把抉志快把抉抗 我 忱快抄扼找志我抄, 志 戒忘志我扼我技抉扼找我 抉找 扼快找快志抑抒 戒忘忱快把忪快抗.\\ 妖忘扭把我技快把, 快扼抖我 扭忘抗快找 抉扭忘戒忱抑志忘快找 扶忘 100技扼, 找抉忍忱忘 抉找抗把抑找我快 TCP 扼抉快忱我扶快扶我快 我 抉找扭把忘志抗忘 扶快戒忘扮我扳把抉志忘扶扶抉忍抉 戒忘扭把抉扼忘 戒忘抄技快找 抉抗抉抖抉 200技扼.\\ 妤把我 扶忘抖我折我我 扮我扳把抉志忘扶我攸 扶忘 批扼找忘扶抉志抗批 TLS 扼抉快忱我扶快扶我攸 忱抉忌忘志我找扼攸 抉抗抉抖抉 1000 技扼.\\ 圾抉戒技抉忪扶抉 扭抉找把快忌批快找扼攸 批志快抖我折我找抆 志把快技攸 抉忪我忱忘扶我攸, 志 扭把抉找我志扶抉技 扼抖批折忘快 扶快抗抉找抉把抑快 改抖快技快扶找抑 忱忘扶扶抑抒 我 忱快抄扼找志我攸, 志抑扭抉抖扶攸攻投我快 批忱忘抖快扶扶抑快 扼抗把我扭找抑 扶忘 忘忍快扶找忘抒 扼技抉忍批找 把忘忌抉找忘找抆 扼 扶快戒忘扮我扳把抉志忘扶扶抑技我 扼抉快忱我扶快扶我攸技我,\\ 扶抉 扶快 扼技抉忍批找 扭把我 扮我扳把抉志忘扶扶抉技 扼抉快忱我扶快扶我我 (忌批忱快找 扭把快志抑扮快扶抉 志把快技攸 抉忪我忱忘扶我攸).

妞抉技扭我抖攸扯我攸韓誥傭痔扼扭抉忱忱快把忪抗抉抄扮我扳把抉志忘扶我攸

坏抖攸扭抉忱忱快把忪抗我扮我扳把抉志忘扶我攸韓誥傭痔忱抉抖忪快扶忌抑找抆扼抗抉技扭我抖我把抉志忘找抆我扼志攸戒忘扶扼扭抉抗把忘抄扶快抄技快把快抉忱扶抉抄抗把我扭找抉忌我忌抖我抉找快抗抉抄:

mbed TLS (把忘扶快快 PolarSSL)(志快把扼我攸 1.3.9 我抖我忌抉抖快快扶抉志抑快 1.3.x). mbed TLS 2.x 志扶忘扼找抉攸投快快志把快技攸扶快扭抉忱忱快把忪我志忘快找扼攸, 改找抉扶快扭把抉扼找忘攸戒忘技快扶忘志快找抗我 1.3, 韓誥傭痔扶快扼抗抉技扭我抖我把批快找扼攸扼 mbed TLS 2.x.
GnuTLS (扼志快把扼我我 3.1.18)
OpenSSL (扼志快把扼我我 1.0.1)

坎我忌抖我抉找快抗忘志抑忌我把忘快找扼攸扭把我扭抉技抉投我抉扭扯我我志扼抗把我扭找快 "configure":

--with-mbedtls[=DIR]
--with-gnutls[=DIR]
--with-openssl[=DIR]

妖忘扭把我技快把, 折找抉忌抑扼抗抉扶扳我忍批把我把抉志忘找抆我扼抒抉忱扶抑快抗抉忱抑扼快把志快把忘我忘忍快扶找忘扼 OpenSSL, 志抑技抉忪快找快我扼扭抉抖抆戒抉志忘找抆折找抉-找抉志把抉忱快:
./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-openssl

妙抉忪扶抉扼抗抉技扭我抖我把抉志忘找抆把忘戒扶抑快抗抉技扭抉扶快扶找抑韓誥傭痔扼把忘戒抖我折扶抑技我抗把我扭找抉忌我忌抖我抉找快抗忘技我 (扶忘扭把我技快把, 扼快把志快把扼 OpenSSL, 忘忍快扶找扼 GnuTLS).

圻扼抖我志抑扭抖忘扶我把批快找快我扼扭抉抖抆戒抉志忘找抆 pre-shared 抗抖攻折我 (PSK) 把忘扼扼技抉找把我找快志抉戒技抉忪扶抉扼找抆我扼扭抉抖抆戒抉志忘扶我攸忌我忌抖我抉找快抗 GnuTLS 我抖我 mbed TLS 扼抗抉技扭抉扶快扶找忘技我韓誥傭痔, 我扼扭抉抖抆戒批攻投我抒 PSK. 坎我忌抖我抉找快抗我 GnuTLS 我 mbed TLS 扭抉忱忱快把忪我志忘攻找扶忘忌抉把抑扮我扳把抉志 PSK 扼 (Perfect forward secrecy). OpenSSL 忌我忌抖我抉找快抗忘 (志快把扼我我 1.0.1, 1.0.2c) 扭抉忱忱快把忪我志忘快找 PSK, 扶抉忱抉扼找批扭扶抑快扶忘忌抉把抑扮我扳把抉志 PSK 扶快抉忌快扼扭快折我志忘攻找妊抉志快把扮快扶扶批攻扭把攸技批攻扼快抗把快找扶抉扼找抆.

孝扭把忘志抖快扶我快戒忘扮我把抉志忘扶扶抑技我扼抉快忱我扶快扶我攸技我

妊抉快忱我扶快扶我攸志韓誥傭痔技抉忍批找我扼扭抉抖抆戒抉志忘找抆:

妒技快快找扼攸忱志忘志忘忪扶抑抒扭忘把忘技快找把忘, 抗抉找抉把抑快我扼扭抉抖抆戒批攻找扼攸, 折找抉忌抑批抗忘戒忘找抆扮我扳把抉志忘扶我快技快忪忱批抗抉技扭抉扶快扶找忘技我韓誥傭痔:

TLSConnect
TLSAccept

TLSConnect 戒忘忱忘快找抗忘抗抉快我扼扭抉抖抆戒抉志忘找抆扮我扳把抉志忘扶我快我技抉忪快找扭把我扶我技忘找抆抉忱扶抉我戒 3 戒扶忘折快扶我抄 (unencrypted, PSK, certificate). TLSConnect 我扼扭抉抖抆戒批快找扼攸志扳忘抄抖忘抒抗抉扶扳我忍批把忘扯我我韓誥傭痔扭把抉抗扼我 (志忘抗找我志扶抉技把快忪我技快戒忘忱忘快找找抉抖抆抗抉扭抉忱抗抖攻折快扶我攸抗扼快把志快把批) 我韓誥傭痔 agentd (扭把我忘抗找我志扶抑抒扭把抉志快把抗忘抒). 圾志快忌-我扶找快把扳快抄扼快韓誥傭痔扭忘把忘技快找把 TLSConnect 攸志抖攸快找扼攸改抗志我志忘抖快扶找抉技扭抉抖攸 妤抉忱抗抖攻折快扶我攸抗批戒抖批扼快找我 扼志抗抖忘忱抗我 妖忘扼找把抉抄抗忘↙孝戒抖抑扼快找我↙<抗忘抗抉抄-找抉批戒快抖扼快找我>↙宋我扳把抉志忘扶我快 我扭抉抖攸 妤抉忱抗抖攻折快扶我攸抗扭把抉抗扼我 扼志抗抖忘忱抗我 均忱技我扶我扼找把我把抉志忘扶我快↙妤把抉抗扼我↙<抗忘抗抉抄-找抉扭把抉抗扼我>↙宋我扳把抉志忘扶我快. 圻扼抖我扶忘扼找把抉快扶扶抑抄找我扭扮我扳把抉志忘扶我攸忱抖攸扼抉快忱我扶快扶我攸戒忘志快把扮我找扼攸扶快批忱忘折快抄, 忱把批忍我快找我扭抑扮我扳把抉志忘扶我攸扶快忌批忱批找抉扭把抉忌抉志忘扶抑.

TLSAccept 戒忘忱忘快找抗忘抗抉抄找我扭扼抉快忱我扶快扶我抄把忘戒把快扮快扶扭把我志抒抉忱攸投我抒扭抉忱抗抖攻折快扶我攸抒. 妥我扭扭抉忱抗抖攻折快扶我抄: unencrypted, PSK, certificate. 妙抉忪扶抉批抗忘戒忘找抆抉忱扶抉我抖我忌抉抖快快戒扶忘折快扶我抄. TLSAccept 我扼扭抉抖抆戒批快找扼攸志扳忘抄抖忘抒抗抉扶扳我忍批把忘扯我我韓誥傭痔扭把抉抗扼我 (志扭忘扼扼我志扶抉技把快忪我技快戒忘忱忘快找找抉抖抆抗抉扼抉快忱我扶快扶我攸扼扼快把志快把忘) 我韓誥傭痔 agentd (扭把我扭忘扼扼我志扶抑抒扭把抉志快把抗忘抒). 圾志快忌-我扶找快把扳快抄扼快韓誥傭痔扭忘把忘技快找把 TLSAccept 攸志抖攸快找扼攸改抗志我志忘抖快扶找抉技扭抉抖攸 妊抉快忱我扶快扶我攸扼批戒抖忘扼快找我 扼志抗抖忘忱抗我 妖忘扼找把抉抄抗忘↙孝戒抖抑扼快找我↙<抗忘抗抉抄-找抉批戒快抖扼快找我>↙宋我扳把抉志忘扶我快 我扭抉抖攸 "妊抉快忱我扶快扶我攸扼扭把抉抗扼我" 扼志抗抖忘忱抗我 均忱技我扶我扼找把我把抉志忘扶我快↙妤把抉抗扼我↙<抗忘抗抉抄-找抉扭把抉抗扼我>↙宋我扳把抉志忘扶我快.

妞忘抗扭把忘志我抖抉, 志抑扶忘扼找把忘我志忘快找快找抉抖抆抗抉抉忱我扶找我扭扮我扳把抉志忘扶我攸忱抖攸志抒抉忱攸投我抒扭抉忱抗抖攻折快扶我抄. 妖抉志抑技抉忪快找快戒忘抒抉找我找快扭快把快抗抖攻折我找抆把快忪我技扮我扳把抉志忘扶我攸, 扶忘扭把我技快把扼扶快戒忘扮我把抉志忘扶扶抉忍抉扶忘抉扼扶抉志忘扶扶抑抄扶忘扼快把找我扳我抗忘找忘抒扼技我扶我技忘抖抆扶抑技志把快技快扶快技扭把抉扼找抉攸我扼志抉戒技抉忪扶抉扼找抆攻抉找抗忘找忘. 坏抖攸改找抉忍抉志抑技抉忪快找快戒忘忱忘找抆 TLSAccept=unencrypted,cert 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我 agentd 我扭快把快戒忘扭批扼找我找抆忘忍快扶找忘韓誥傭痔.
妝忘找快技志抑技抉忪快找快扭把抉找快扼找我把抉志忘找抆扭抉忱抗抖攻折快扶我快抉找 zabbix_get 抗忘忍快扶找批, 我扼扭抉抖抆戒批攸扼快把找我扳我抗忘找. 圻扼抖我扭抉忱抗抖攻折快扶我快把忘忌抉找忘快找, 志抑技抉忪快找快扭快把快扶忘扼找把抉我找抆扮我扳把抉志忘扶我快批改找抉忍抉忘忍快扶找忘志韓誥傭痔志快忌-我扶找快把扳快抄扼快扶忘志抗抖忘忱抗快 妖忘扼找把抉抄抗忘↙孝戒抖抑扼快找我↙<抗忘抗抉抄-找抉批戒快抖扼快找我>↙宋我扳把抉志忘扶我快, 扭快把快抗抖攻折我志扶忘扼找把抉抄抗批 妤抉忱抗抖攻折快扶我攸抗批戒抖批扼快找我 扶忘 "妊快把找我扳我抗忘找".
妞抉忍忱忘抗改扮抗抉扶扳我忍批把忘扯我我扼快把志快把忘抉忌扶抉志我找扼攸 (我抗抉扶扳我忍批把忘扯我攸扭把抉抗扼我抉忌扶抉志我找扼攸, 快扼抖我批戒快抖扼快找我扶忘忌抖攻忱忘快找扼攸折快把快戒扭把抉抗扼我), 找抉忍忱忘扭抉忱抗抖攻折快扶我攸抗改找抉技批忘忍快扶找批忌批忱批找戒忘扮我扳把抉志忘扶抑.
圻扼抖我志扼忸把忘忌抉找忘快找抗忘抗抉忪我忱忘快找扼攸, 志抑技抉忪快找快戒忘忱忘找抆 TLSAccept=cert 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我忘忍快扶找忘我扭快把快戒忘扭批扼找我找抆韓誥傭痔忘忍快扶找忘.
妥快扭快把抆忘忍快扶找忌批忱快找扭把我扶我技忘找抆找抉抖抆抗抉戒忘扮我扳把抉志忘扶扶抑快扭抉忱抗抖攻折快扶我攸扶忘抉扼扶抉志快扼快把找我扳我抗忘找抉志. 妖快戒忘扮我扳把抉志忘扶扶抑快我抉扼扶抉志忘扶扶抑快扶忘 PSK 扭抉忱抗抖攻折快扶我攸忌批忱批找抉找抗抖抉扶快扶抑.

宋我扳把抉志忘扶我快扶忘扼快把志快把快我扭把抉抗扼我把忘忌抉找忘快找忘扶忘抖抉忍我折扶抑技抉忌把忘戒抉技. 圻扼抖我志志快忌-我扶找快把扳快抄扼快韓誥傭痔志扶忘扼找把抉抄抗快批戒抖忘扼快找我 妊抉快忱我扶快扶我攸扼批戒抖忘扼快找我 戒忘忱忘扶抉把忘志扶抑技 "妊快把找我扳我抗忘找", 找抉忍忱忘抉找忘忍快扶找忘 (忘抗找我志扶抑快扭把抉志快把抗我) 我 zabbix_sender (找把忘扭扭快把改抖快技快扶找抑忱忘扶扶抑抒) 忌批忱批找扭把我扶我技忘找抆扼攸找抉抖抆抗抉戒忘扮我扳把抉志忘扶扶抑快扼抉快忱我扶快扶我攸扶忘抉扼扶抉志快扼快把找我扳我抗忘找抉志.

妊抗抉把快快志扼快忍抉志抑扶忘扼找把抉我找快志抒抉忱攸投我快我我扼抒抉忱攸投我快扼抉快忱我扶快扶我攸扶忘我扼扭抉抖抆戒抉志忘扶我快抉忱扶抉忍抉找我扭忘扮我扳把抉志忘扶我攸我抖我忌快戒扮我扳把抉志忘扶我攸志抉志扼快. 妖抉, 找快抒扶我折快扼抗我, 我技快快找扼攸志抉戒技抉忪扶抉扼找抆扶忘扼找把抉我找抆扮我扳把抉志忘扶我快忘扼我技技快找把我折扶抉, 扶忘扭把我技快把, 扮我扳把抉志忘扶我快扶忘抉扼扶抉志快扼快把找我扳我抗忘找抉志忱抖攸志抒抉忱攸投我抒扭抉忱抗抖攻折快扶我抄我扶忘抉扼扶抉志快 PSK 忱抖攸我扼抒抉忱攸投我抒扭抉忱抗抖攻折快扶我抄.

妍忌戒抉把扶抑快扶忘扼找把抉抄抗我扮我扳把抉志忘扶我攸抉找抉忌把忘忪忘攻找扼攸志志快忌-我扶找快把扳快抄扼快韓誥傭痔 妖忘扼找把抉抄抗忘↙孝戒抖抑扼快找我 扭抉抗忘忪忱抉技批批戒抖批扼快找我扭抉扭把忘志抉抄扼找抉把抉扶快, 志抗抉抖抉扶抗快 宋妒孜妓妍圾均妖妒圻均坐圻妖妥均. 妤把我技快把抑抉找抉忌把忘忪快扶我攸扶忘扼找把抉快抗:

妤抉忱抗抖攻折快扶我攸妞批戒抖批扼快找我	妓忘戒把快扮快扶扶抑快扭抉忱抗抖攻折快扶我攸妍妥批戒抖忘扼快找我	妍找抗抖抉扶快扶扶抑快扭抉忱抗抖攻折快扶我攸妊批戒抖忘扼快找我
妖快戒忘扮我扳把抉志忘扶抉	妖快戒忘扮我扳把抉志忘扶抉	妝忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘我 PSK
妝忘扮我扳把抉志忘扶抉, 扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘	妝忘扮我扳把抉志忘扶抉, 扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘	妖快戒忘扮我扳把抉志忘扶抉我扶忘抉扼扶抉志快 PSK
妝忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快 PSK	妝忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快 PSK	妖快戒忘扮我扳把抉志忘扶抉我扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘
妝忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快 PSK	妖快戒忘扮我扳把抉志忘扶抉我戒忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快 PSK	妖忘抉扼扶抉志快扼快把找我扳我抗忘找忘
妝忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘	妖快戒忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快 PSK 我抖我戒忘扮我扳把抉志忘扶抉扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘	-

妤抉批技抉抖折忘扶我攻我扼扭抉抖抆戒批攻找扼攸扶快戒忘扮我扳把抉志忘扶扶抑快扭抉忱抗抖攻折快扶我攸. 宋我扳把抉志忘扶我快扶快抉忌抒抉忱我技抉扶忘扼找把忘我志忘找抆扭抉抗忘忪忱抉技批批戒抖批扼快找我我扭把抉抗扼我抉找忱快抖抆扶抉.

zabbix_get 我 zabbix_sender 扼扮我扳把抉志忘扶我快技

妊技抉找把我找快扼找把忘扶我扯抑扭抉技抉投我 zabbix_get 我 zabbix_sender 扭抉我扼扭抉抖抆戒抉志忘扶我攻改找我抒批找我抖我找扭把我扶忘抖我折我我扮我扳把抉志忘扶我攸.

均抖忍抉把我找技抑扮我扳把抉志忘扶我攸

均抖忍抉把我找技抑抗抉扶扳我忍批把我把批攻找扼攸志扶批找把我志扭把抉扯快扼扼快戒忘扭批扼抗忘韓誥傭痔我戒忘志我扼攸找抉找抗把我扭找抉忌我忌抖我抉找快抗我, 志扶忘扼找抉攸投快快志把快技攸忘抖忍抉把我找技抑扶快抖抆戒攸扶忘扼找把忘我志忘找抆扭抉抖抆戒抉志忘找快抖攸技我.

妖忘扼找把抉快扶扶抑快忘抖忍抉把我找技抑扮我扳把抉志忘扶我攸扭抉找我扭批忌我忌抖我找快抗我扼忌抉抖快快志抑扼抉抗抉忍抉批把抉志扶攸抗扶我戒抗抉技批批把抉志扶攻:

坎我忌抖我抉找快抗忘	均抖忍抉把我找技抑扮我扳把抉志忘扶我攸扼快把找我扳我抗忘找抉志	均抖忍抉把我找技抑扮我扳把抉志忘扶我攸 PSK
mbed TLS (PolarSSL) 1.3.9	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA TLS-RSA-WITH-AES-128-GCM-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA	TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA TLS-PSK-WITH-AES-128-GCM-SHA256 TLS-PSK-WITH-AES-128-CBC-SHA256 TLS-PSK-WITH-AES-128-CBC-SHA
GnuTLS 3.1.18	TLS_ECDHE_RSA_AES_128_GCM_SHA256 TLS_ECDHE_RSA_AES_128_CBC_SHA256 TLS_ECDHE_RSA_AES_128_CBC_SHA1 TLS_RSA_AES_128_GCM_SHA256 TLS_RSA_AES_128_CBC_SHA256 TLS_RSA_AES_128_CBC_SHA1	TLS_ECDHE_PSK_AES_128_CBC_SHA256 TLS_ECDHE_PSK_AES_128_CBC_SHA1 TLS_PSK_AES_128_GCM_SHA256 TLS_PSK_AES_128_CBC_SHA256 TLS_PSK_AES_128_CBC_SHA1
OpenSSL 1.0.2c	ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA	PSK-AES128-CBC-SHA
OpenSSL 1.1.0	ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA	ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA

均抖忍抉把我找技抑扮我扳把抉志忘扶我攸扭把我我扼扭抉抖抆戒抉志忘扶我我扼快把找我扳我抗忘找抉志:

	TLS 扼快把志快把
TLS 抗抖我快扶找	mbed TLS (PolarSSL)	GnuTLS	OpenSSL 1.0.2
mbed TLS (PolarSSL)	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
GnuTLS	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
OpenSSL 1.0.2	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

均抖忍抉把我找技抑扮我扳把抉志忘扶我攸扭把我我扼扭抉抖抆戒抉志忘扶我我 PSK:

	TLS 扼快把志快把
TLS 抗抖我快扶找	mbed TLS (PolarSSL)	GnuTLS	OpenSSL 1.0.2
mbed TLS (PolarSSL)	TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256	TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256	TLS-PSK-WITH-AES-128-CBC-SHA
GnuTLS	TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256	TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256	TLS-PSK-WITH-AES-128-CBC-SHA
OpenSSL 1.0.2	TLS-PSK-WITH-AES-128-CBC-SHA	TLS-PSK-WITH-AES-128-CBC-SHA	TLS-PSK-WITH-AES-128-CBC-SHA

User-configured ciphersuites

The built-in ciphersuite selection criteria can be overridden with user-configured ciphersuites.

User-configured ciphersuites is a feature intended for advanced users who understand TLS ciphersuites, their security and consequences of mistakes, and who are comfortable with TLS troubleshooting.

The built-in ciphersuite selection criteria can be overridden using the following parameters:

Override scope	Parameter	Value	Description
Ciphersuite selection for certificates	TLSCipherCert13	Valid OpenSSL 1.1.1 for TLS 1.3 protocol (their values are passed to the OpenSSL function SSL_CTX_set_ciphersuites()).	Certificate-based ciphersuite selection criteria for TLS 1.3 Only OpenSSL 1.1.1 or newer.
Ciphersuite selection for certificates	TLSCipherCert	Valid OpenSSL for TLS 1.2 or valid GnuTLS . Their values are passed to the SSL_CTX_set_cipher_list() or gnutls_priority_init() functions, respectively.	Certificate-based ciphersuite selection criteria for TLS 1.2/1.3 (GnuTLS), TLS 1.2 (OpenSSL)
Ciphersuite selection for PSK	TLSCipherPSK13	Valid OpenSSL 1.1.1 for TLS 1.3 protocol (their values are passed to the OpenSSL function SSL_CTX_set_ciphersuites()).	PSK-based ciphersuite selection criteria for TLS 1.3 Only OpenSSL 1.1.1 or newer.
Ciphersuite selection for PSK	TLSCipherPSK	Valid OpenSSL for TLS 1.2 or valid GnuTLS . Their values are passed to the SSL_CTX_set_cipher_list() or gnutls_priority_init() functions, respectively.	PSK-based ciphersuite selection criteria for TLS 1.2/1.3 (GnuTLS), TLS 1.2 (OpenSSL)
Combined ciphersuite list for certificate and PSK	TLSCipherAll13	Valid OpenSSL 1.1.1 for TLS 1.3 protocol (their values are passed to the OpenSSL function SSL_CTX_set_ciphersuites()).	Ciphersuite selection criteria for TLS 1.3 Only OpenSSL 1.1.1 or newer.
Combined ciphersuite list for certificate and PSK	TLSCipherAll	Valid OpenSSL for TLS 1.2 or valid GnuTLS . Their values are passed to the SSL_CTX_set_cipher_list() or gnutls_priority_init() functions, respectively.	Ciphersuite selection criteria for TLS 1.2/1.3 (GnuTLS), TLS 1.2 (OpenSSL)

To override the ciphersuite selection in zabbix_get and zabbix_sender utilities - use the command-line parameters:

--tls-cipher13
--tls-cipher

The new parameters are optional. If a parameter is not specified, the internal default value is used. If a parameter is defined it cannot be empty.

If the setting of a TLSCipher* value in the crypto library fails then the server, proxy or agent will not start and an error is logged.

It is important to understand when each parameter is applicable.

Outgoing connections

The simplest case is outgoing connections:

For outgoing connections with certificate - use TLSCipherCert13 or TLSCipherCert
For outgoing connections with PSK - use TLSCipherPSK13 and TLSCipherPSK
In case of zabbix_get and zabbix_sender utilities the command-line parameters --tls-cipher13 and --tls-cipher can be used (encryption is unambiguously specified with a --tls-connect parameter)

Incoming connections

It is a bit more complicated with incoming connections because rules are specific for components and configuration.

For 韓誥傭痔 agent:

Agent connection setup	Cipher configuration
TLSConnect=cert	TLSCipherCert, TLSCipherCert13
TLSConnect=psk	TLSCipherPSK, TLSCipherPSK13
TLSAccept=cert	TLSCipherCert, TLSCipherCert13
TLSAccept=psk	TLSCipherPSK, TLSCipherPSK13
TLSAccept=cert,psk	TLSCipherAll, TLSCipherAll13

For 韓誥傭痔 server and ** proxy**:

Connection setup	Cipher configuration
Outgoing connections using PSK	TLSCipherPSK, TLSCipherPSK13
Incoming connections using certificates	TLSCipherAll, TLSCipherAll13
Incoming connections using PSK if server has no certificate	TLSCipherPSK, TLSCipherPSK13
Incoming connections using PSK if server has certificate	TLSCipherAll, TLSCipherAll13

Some pattern can be seen in the two tables above:

TLSCipherAll and TLSCipherAll13 can be specified only if a combined list of certificate- and PSK-based ciphersuites is used. There are two cases when it takes place: server (proxy) with a configured certificate (PSK ciphersuites are always configured on server, proxy if crypto library supports PSK), agent configured to accept both certificate- and PSK-based incoming connections
in other cases TLSCipherCert* and/or TLSCipherPSK* are sufficient

The following tables show the TLSCipher* built-in default values. They could be a good starting point for your own custom values.

Parameter	GnuTLS 3.6.12
TLSCipherCert	NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
TLSCipherPSK	NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
TLSCipherAll	NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509

Parameter	OpenSSL 1.1.1d ¹
TLSCipherCert13
TLSCipherCert	EECDH+aRSA+AES128:RSA+aRSA+AES128
TLSCipherPSK13	TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
TLSCipherPSK	kECDHEPSK+AES128:kPSK+AES128
TLSCipherAll13
TLSCipherAll	EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128

¹ Default values are different for older OpenSSL versions (1.0.1, 1.0.2, 1.1.0), for LibreSSL and if OpenSSL is compiled without PSK support.

** Examples of user-configured ciphersuites **

See below the following examples of user-configured ciphersuites:

Testing cipher strings and allowing only PFS ciphersuites
Switching from AES128 to AES256

Testing cipher strings and allowing only PFS ciphersuites

To see which ciphersuites have been selected you need to set 'DebugLevel=4' in the configuration file, or use the -vv option for zabbix_sender.

Some experimenting with TLSCipher* parameters might be necessary before you get the desired ciphersuites. It is inconvenient to restart 韓誥傭痔 server, proxy or agent multiple times just to tweak TLSCipher* parameters. More convenient options are using zabbix_sender or the openssl command. Let's show both.

1. Using zabbix_sender.

Let's make a test configuration file, for example /home/zabbix/test.conf, with the syntax of a zabbix_agentd.conf file:

  Hostname=nonexisting
         ServerActive=nonexisting
         
         TLSConnect=cert
         TLSCAFile=/home/zabbix/ca.crt
         TLSCertFile=/home/zabbix/agent.crt
         TLSKeyFile=/home/zabbix/agent.key
         TLSPSKIdentity=nonexisting
         TLSPSKFile=/home/zabbix/agent.psk

You need valid CA and agent certificates and PSK for this example. Adjust certificate and PSK file paths and names for your environment.

If you are not using certificates, but only PSK, you can make a simpler test file:

  Hostname=nonexisting
         ServerActive=nonexisting
         
         TLSConnect=psk
         TLSPSKIdentity=nonexisting
         TLSPSKFile=/home/zabbix/agentd.psk

The selected ciphersuites can be seen by running zabbix_sender (example compiled with OpenSSL 1.1.d):

  $ zabbix_sender -vv -c /home/zabbix/test.conf -k nonexisting_item -o 1 2>&1 | grep ciphersuites
         zabbix_sender [41271]: DEBUG: zbx_tls_init_child() certificate ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA
         zabbix_sender [41271]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
         zabbix_sender [41271]: DEBUG: zbx_tls_init_child() certificate and PSK ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA

Here you see the ciphersuites selected by default. These default values are chosen to ensure interoperability with 韓誥傭痔 agents running on systems with older OpenSSL versions (from 1.0.1).

With newer systems you can choose to tighten security by allowing only a few ciphersuites, e.g. only ciphersuites with PFS (Perfect Forward Secrecy). Let's try to allow only ciphersuites with PFS using TLSCipher* parameters.

The result will not be interoperable with systems using OpenSSL 1.0.1 and 1.0.2, if PSK is used. Certificate-based encryption should work.

Add two lines to the test.conf configuration file:

  TLSCipherCert=EECDH+aRSA+AES128
         TLSCipherPSK=kECDHEPSK+AES128

and test again:

  $ zabbix_sender -vv -c /home/zabbix/test.conf -k nonexisting_item -o 1 2>&1 | grep ciphersuites            
         zabbix_sender [42892]: DEBUG: zbx_tls_init_child() certificate ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA        
         zabbix_sender [42892]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA        
         zabbix_sender [42892]: DEBUG: zbx_tls_init_child() certificate and PSK ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA

The "certificate ciphersuites" and "PSK ciphersuites" lists have changed - they are shorter than before, only containing TLS 1.3 ciphersuites and TLS 1.2 ECDHE-* ciphersuites as expected.

2. TLSCipherAll and TLSCipherAll13 cannot be tested with zabbix_sender; they do not affect "certificate and PSK ciphersuites" value shown in the example above. To tweak TLSCipherAll and TLSCipherAll13 you need to experiment with the agent, proxy or server.

So, to allow only PFS ciphersuites you may need to add up to three parameters

  TLSCipherCert=EECDH+aRSA+AES128
         TLSCipherPSK=kECDHEPSK+AES128
         TLSCipherAll=EECDH+aRSA+AES128:kECDHEPSK+AES128

to zabbix_agentd.conf, zabbix_proxy.conf and zabbix_server_conf if each of them has a configured certificate and agent has also PSK.

If your 韓誥傭痔 environment uses only PSK-based encryption and no certificates, then only one:

  TLSCipherPSK=kECDHEPSK+AES128

Now that you understand how it works you can test the ciphersuite selection even outside of 韓誥傭痔, with the openssl command. Let's test all three TLSCipher* parameter values:

  $ openssl ciphers EECDH+aRSA+AES128 | sed 's/:/ /g'
         TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
         $ openssl ciphers kECDHEPSK+AES128 | sed 's/:/ /g'
         TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA
         $ openssl ciphers EECDH+aRSA+AES128:kECDHEPSK+AES128 | sed 's/:/ /g'
         TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA

You may prefer openssl ciphers with option -V for a more verbose output:

  $ openssl ciphers -V EECDH+aRSA+AES128:kECDHEPSK+AES128
                   0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
                   0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
                   0x13,0x01 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
                   0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
                   0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
                   0xC0,0x13 - ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
                   0xC0,0x37 - ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
                   0xC0,0x35 - ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1

Similarly, you can test the priority strings for GnuTLS:

  $ gnutls-cli -l --priority=NONE:+VERS-TLS1.2:+ECDHE-RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
         Cipher suites for NONE:+VERS-TLS1.2:+ECDHE-RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
         TLS_ECDHE_RSA_AES_128_GCM_SHA256                        0xc0, 0x2f      TLS1.2
         TLS_ECDHE_RSA_AES_128_CBC_SHA256                        0xc0, 0x27      TLS1.2
         
         Protocols: VERS-TLS1.2
         Ciphers: AES-128-GCM, AES-128-CBC
         MACs: AEAD, SHA256
         Key Exchange Algorithms: ECDHE-RSA
         Groups: GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519, GROUP-X448, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096, GROUP-FFDHE6144, GROUP-FFDHE8192
         PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-RSAE-SHA256, SIGN-ECDSA-SHA256, SIGN-ECDSA-SECP256R1-SHA256, SIGN-EdDSA-Ed25519, SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384, SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-EdDSA-Ed448, SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512, SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512, SIGN-RSA-SHA1, SIGN-ECDSA-SHA1

Switching from AES128 to AES256

韓誥傭痔 uses AES128 as the built-in default for data. Let's assume you are using certificates and want to switch to AES256, on OpenSSL 1.1.1.

This can be achieved by adding the respective parameters in zabbix_server.conf:

  TLSCAFile=/home/zabbix/ca.crt
         TLSCertFile=/home/zabbix/server.crt
         TLSKeyFile=/home/zabbix/server.key
         TLSCipherCert13=TLS_AES_256_GCM_SHA384
         TLSCipherCert=EECDH+aRSA+AES256:-SHA1:-SHA384
         TLSCipherPSK13=TLS_CHACHA20_POLY1305_SHA256
         TLSCipherPSK=kECDHEPSK+AES256:-SHA1
         TLSCipherAll13=TLS_AES_256_GCM_SHA384
         TLSCipherAll=EECDH+aRSA+AES256:-SHA1:-SHA384

Although only certificate-related ciphersuites will be used, TLSCipherPSK* parameters are defined as well to avoid their default values which include less secure ciphers for wider interoperability. PSK ciphersuites cannot be completely disabled on server/proxy.

And in zabbix_agentd.conf:

  TLSConnect=cert
         TLSAccept=cert
         TLSCAFile=/home/zabbix/ca.crt
         TLSCertFile=/home/zabbix/agent.crt
         TLSKeyFile=/home/zabbix/agent.key
         TLSCipherCert13=TLS_AES_256_GCM_SHA384
         TLSCipherCert=EECDH+aRSA+AES256:-SHA1:-SHA384