3 PSK problems

PSK contains an odd number of hex-digits

Proxy or agent does not start, message in the proxy or agent log:

  1. invalid PSK in file "/home/zabbix/zabbix_proxy.psk"

PSK identity string longer than 128 bytes is passed to GnuTLS

In TLS client side log:

  1. gnutls_handshake() failed: -110 The TLS connection was non-properly terminated.

In TLS server side log.

  1. gnutls_handshake() failed: -90 The SRP username supplied is illegal.

Too long PSK value used with OpenSSL 1.1.1

In connecting-side log:

  1. ...OpenSSL library (version OpenSSL 1.1.1 11 Sep 2018) initialized
  2. ...
  3. ...In zbx_tls_connect(): psk_identity:"PSK 1"
  4. ...zbx_psk_client_cb() requested PSK identity "PSK 1"
  5. ...End of zbx_tls_connect():FAIL error:'SSL_connect() set result code to SSL_ERROR_SSL: file ssl\statem\extensions_clnt.c line 801: error:14212044:SSL routines:tls_construct_ctos_early_data:internal error: TLS write fatal alert "internal error"'

In accepting-side log:

  1. ...Message from 123.123.123.123 is missing header. Message ignored.

This problem typically arises when upgrading OpenSSL from 1.0.x or 1.1.0 to 1.1.1 and if the PSK value is longer than 512-bit (64-byte PSK, entered as 128 hexadecimal digits).

See also: Value size limits