Hi,
I'm new to rsyslog and I'm trying to move forward on rsyslog due to a security
advisory.
I'm trying to achieve that rsyslog will no long accept ssl2, ssl3 or tls1 and
only accepts tls 1.2
I figured this would work:
module(
load="imtcp"
# see https://www.rsyslog.com/doc/v8-stable/concepts/ns_gtls.html
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="x509/name"
# See
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#permittedpeer
# PermittedPeer=["*.enexis.nl"]
PermittedPeer=["*.xx.nl", "*.yy.com", "*.yy.com.crt"]
gnutlsPriorityString="Protocol=ALL,-SSLv2,-SSLv3,-TLSv1
MinProtocol=TLSv1.2"
)
input(
type="imtcp"
port="6518"
)
It did not, and I started seeing these errors in journal:
peer did not provide a certificate, not permitted to talk to it
[v8.24.0-34.el7 try http://www.rsyslog.com/e/2085 ]
netstream session 0x7f10e40e8d80 from 10.xx.xx.xx will be closed due to error
[v8.24.0-34.el7 try http://www.rsyslog.com/e/2089 ]
I figured, well there is no change on the other end, so a rollback will fix it.
That would give me re-assurance that I can rollback any time. Since we haven't
tested that before.
It did not, and now I have a broken rsyslog server 🙂
Old config:
module(
load="imtcp"
# see https://www.rsyslog.com/doc/v8-stable/concepts/ns_gtls.html
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="x509/name"
# See
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#permittedpeer
# PermittedPeer=["*.enexis.nl"]
PermittedPeer=["*.xx.nl", "*.yy.com", "*.yy.com.crt"]
)
input(
type="imtcp"
port="6518"
)
I don't have many things I can check, as there is only 1 service relying on
this. But that service is actually the only thing that's providing us insight
into network logs. Incidentally our SIEM uses that as input.
So I did do a small check on the certificates:
openssl s_client -connect syslog.xx.nl:6518 -CAfile tls-ca-bundle.pem
SSL handshake has read 17073 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 966666C3F3245570181E11CB525457BAD70D3F0E208D0CED75361980B7935465
Session-ID-ctx:
Master-Key:
2570E3FEC0FEBCB661A213FC38EF685FBACEA796E31CDSADH78HDFG6ADDFD0FDE9788CFD4C43B101A307345EC66C5C5BC0
Start Time: 1562755867
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Trying the endpoint of this server always fails on the first certificate in the
chain, hence why I'm adding it into that command.
And in the config it does specify certs that are needed:
global(
DefaultNetstreamDriver="gtls"​
DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls-ca-bundle.pem"​
DefaultNetstreamDriverCertFile="/etc/rsyslog.d/server.crt"​
DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/server.key"​
)​
I believe the use of gnutlsprioritystring setting requires version 8.29
We are running 8.24, however I do not see version 8.29 in the public yum repos
for centos7? I might be looking in the wrong place though.
Since it is broken I would rather move forward in limiting connections to just
tls 1.2 instead of investing time into getting it rolled back to a working
state. But I guess that all depends on how easy moving forward goes.
Is there anyone who has tips on moving forward?
Best regards,
Marco Moll
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
