Backend libraries

Behind the scenes, Zabbix encryption can use one of three different libraries: OpenSSL, GnuTLS, or mbed TLS. Which one to choose? If using packages, the easiest and safest is to start with whichever the packages are compiled with. If compiling from source, choose the one that's easiest to compile with. In both cases, that's likely to be the library that's endorsed by the packagers and maintained well. The Zabbix team has made a significant effort to implement support for all three libraries in as similar a way as possible from the user's perspective. There could be differences regarding support for some specific features, but those are likely to be more obscure ones; if such problems do come up later, switching from one library to another should be as easy as recompiling the daemons. While in most cases it would likely not matter much which library you're using, it's a good idea to know which one it is: one good reason for supporting these three different libraries is the ability to switch to a different library if the currently used one has a security vulnerability.

These libraries are used in a generic manner, and there's no requirement to use the same library for different Zabbix components; it's totally fine to use one library on the Zabbix server, another on the Zabbix proxy, and yet another with zabbix_sender.

In this chapter, we'll try out encryption with the Zabbix server and zabbix_sender first and then move on to encrypting agent traffic using both PSK and certificate-based encryption. If you have installed from packages, your server most likely already supports encryption. Verify that by looking at the server and agent startup messages:

3237:20181226:100436.209 TLS support: YES

One way to find out which library the binary has been compiled against would be to run ldd /usr/sbin/zabbix_server | egrep -i "ssl|tls"—replace the binary name as needed.

If you compiled from source and TLS support isn't present, recompile the server and agent by adding one of these parameters: --with-openssl, --with-gnutls, or --with-mbedtls.
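The two checks above (the startup message and the ldd lookup) can be scripted for an inventory of which backend each binary uses. The following is an added example, not code from the book or from Zabbix; the function names, the sample ldd output, and the shared-object names matched (libssl, libgnutls, libmbedtls) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify the TLS backend from `ldd` output and read the
# "TLS support" flag from startup log lines. Sample data is constructed.

# Reads ldd output on stdin; prints a comma-separated list of backends seen.
# More than one name usually means a transitive dependency (for example via
# libcurl), so treat it as "check the build flags". "none-found" also covers
# a statically linked TLS library, which ldd cannot see.
tls_backend_from_ldd() {
    input=$(cat)
    found=""
    for pair in openssl:libssl gnutls:libgnutls mbedtls:libmbedtls; do
        name=${pair%%:*}
        lib=${pair#*:}
        if printf '%s\n' "$input" | grep -q "${lib}\.so"; then
            found="${found:+$found,}$name"
        fi
    done
    printf '%s\n' "${found:-none-found}"
}

# Reads daemon log lines on stdin; prints the value of the most recent
# "TLS support:" startup line, or UNKNOWN if no such line is present.
tls_support_from_log() {
    v=$(sed -n 's/.*TLS support:[[:space:]]*\([A-Z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${v:-UNKNOWN}"
}

# Constructed sample inputs (paths and addresses are illustrative only).
SAMPLE_LDD_OPENSSL='	libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000001000)
	libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0000002000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000003000)'
SAMPLE_LDD_MIXED='	libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f0000001000)
	libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f0000002000)
	libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000003000)'
SAMPLE_LOG='  3237:20181226:100436.208 IPv6 support: YES
  3237:20181226:100436.209 TLS support: YES'

# Demo on the constructed samples. On a real host, pipe real data instead:
#   ldd /usr/sbin/zabbix_server | tls_backend_from_ldd
printf 'openssl sample: %s\n' "$(printf '%s\n' "$SAMPLE_LDD_OPENSSL" | tls_backend_from_ldd)"
printf 'mixed sample:   %s\n' "$(printf '%s\n' "$SAMPLE_LDD_MIXED" | tls_backend_from_ldd)"
printf 'log sample:     %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | tls_support_from_log)"
```

A result listing two backends does not tell you which one Zabbix itself was built with; confirm against the configure parameter used at build time.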
