
github.com/zabbix/zabbix.git - Unnamed repository; edit this file 'description' to name the repository.
authorAndris Mednis <Andris.Mednis@zabbix.com>2015-05-12 15:44:51 +0300
committerAndris Mednis <Andris.Mednis@zabbix.com>2015-05-12 15:44:51 +0300
commit9e7290c210a15c0b65e0b9cc58e22c2abea5308b (patch)
tree2c82e17bcd8e4e792be69a929e7c594a926f762e /src/zabbix_agent/listener.c
parent9df07cd6e4316c1dc5915b0afa3327e6284fbc29 (diff)
...G...PS. [ZBXNEXT-1263] added an option of checking server certificate issuer and subject
in Zabbix proxy and agentd - Two new configuration parameters - 'TLSServerCertIssuer' and 'TLSServerCertSubject' - are added to Zabbix proxy and agentd configuration files. - passive proxy can check server certificate issuer and subject when an incoming request from server is received. - active proxy can check server certificate issuer and subject when making outgoing connections to the server. - agentd can check server certificate issuer and subject when an incoming request from server, proxy or zabbix_get is received. - agentd can check server certificate issuer and subject when making outgoing connections to the server (or proxy) for getting a list of active checks or sending data. - small code formatting change.
Diffstat (limited to 'src/zabbix_agent/listener.c')
-rw-r--r--src/zabbix_agent/listener.c27
1 files changed, 25 insertions, 2 deletions
diff --git a/src/zabbix_agent/listener.c b/src/zabbix_agent/listener.c
index efa801fff70..4c7ab50d8c6 100644
--- a/src/zabbix_agent/listener.c
+++ b/src/zabbix_agent/listener.c
@@ -38,6 +38,7 @@ extern int server_num, process_num;
#endif
#include "../libs/zbxcrypto/tls.h"
+#include "../libs/zbxcrypto/tls_tcp_active.h"
static void process_listener(zbx_socket_t *s)
{
@@ -94,6 +95,9 @@ static void process_listener(zbx_socket_t *s)
ZBX_THREAD_ENTRY(listener_thread, args)
{
+#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+ char *msg = NULL;
+#endif
int ret, local_request_failed = 0;
zbx_socket_t s;
@@ -125,7 +129,15 @@ ZBX_THREAD_ENTRY(listener_thread, args)
zbx_setproctitle("listener #%d [processing request]", process_num);
if (SUCCEED == (ret = zbx_tcp_check_security(&s, CONFIG_HOSTS_ALLOWED, 0)))
- process_listener(&s);
+ {
+#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+ if (ZBX_TCP_SEC_TLS_CERT != s.connection_type ||
+ SUCCEED == (ret = zbx_check_server_issuer_subject(&s, &msg)))
+#endif
+ {
+ process_listener(&s);
+ }
+ }
zbx_tcp_unaccept(&s);
}
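Review bot: The conditional split across `#if`/`#endif` around the `zbx_check_server_issuer_subject()` call has no comment saying which connections skip the check, and that is the security-relevant part of this block. As written, any connection whose `s.connection_type` is not `ZBX_TCP_SEC_TLS_CERT` goes straight to `process_listener()`, and in a build without any of the three TLS libraries the inner braces run unconditionally. I would add above the `#if`: `/* issuer/subject are verified only for certificate-based TLS; other connection types rely on zbx_tcp_check_security() alone */`. The rejection reason leaves this block only through `ret` and `msg`, which are consumed further down in listener_thread, outside this hunk.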
@@ -133,7 +145,18 @@ ZBX_THREAD_ENTRY(listener_thread, args)
if (SUCCEED == ret || EINTR == zbx_socket_last_error())
continue;
- zabbix_log(LOG_LEVEL_WARNING, "failed to accept an incoming connection: %s", zbx_socket_strerror());
+#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+ if (NULL != msg)
+ {
+ zabbix_log(LOG_LEVEL_DEBUG, "failed to accept an incoming connection: %s", msg);
+ zbx_free(msg);
+ }
+ else
+#endif
+ {
+ zabbix_log(LOG_LEVEL_DEBUG, "failed to accept an incoming connection: %s",
+ zbx_socket_strerror());
+ }
if (local_request_failed++ > 1000)
{
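Review bot: Both branches now log at `LOG_LEVEL_DEBUG`, where the removed line used `LOG_LEVEL_WARNING`, so a peer rejected for a wrong certificate issuer or subject leaves no trace unless debug logging is enabled. For the `msg` branch I would keep the old severity: `zabbix_log(LOG_LEVEL_WARNING, "failed to accept an incoming connection: %s", msg);`. Separately, the `continue` on `EINTR == zbx_socket_last_error()` just above runs before `msg` is released, so a failed issuer/subject check that coincides with that error value would appear to carry the string into the next iteration, where it could leak or be logged against an unrelated failure; releasing `msg` before that `continue` would close the gap. listener_thread's body starts and ends outside this hunk.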