A quibble on the definition of the classification as being a Security/DoS issue.
If an attacker can break TCP connections at will between two systems, the attacker has the ability to DoS those systems. Period, no further qualifiers needed.
Now, this does look like it may be an issue that needs to be fixed, but just as a bug/reliability thing, not as a security thing.
per the redhat bug that looks similar: https://bugzilla.redhat.com/show_bug.cgi?id=1279514 the problem happens if the connection is broken at just the wrong time in the flow.
Rsyslog uses gnuTLS for the encryption of these connections. gnuTLS should have a timeout in the routine that establishes the connection and does the handshake. Does it have such a timeout and is rsyslog not configuring it? or is it missing from gnuTLS? or is it just long enough to be a problem?
In addition, Rsyslog should have a timeout on trying to establish a connection, if it doesn't, that's a separate issue to be addressed.
David Lang
