sry, just a terse reply, hopefully still useful: 8.24 is very old. I think it does not have the ability to do the detail configuration.
The rsyslog homepage (top right hand) lists project repos with current versions. No matter what you do to a config, rsyslog does not store anything of that persistently. So if you make a change and undo it, this will always work. As such it looks like you did not completely undo it or made some other changes which affect rsyslog outside it's config context. HTH Rainer El jue., 20 feb. 2020 a las 14:03, Moll, Marco via rsyslog (< [email protected]>) escribió: > Hi, > > I'm new to rsyslog and I'm trying to move forward on rsyslog due to a > security advisory. > I'm trying to achieve that rsyslog will no long accept ssl2, ssl3 or tls1 > and only accepts tls 1.2 > > I figured this would work: > module( > load="imtcp" > # see https://www.rsyslog.com/doc/v8-stable/concepts/ns_gtls.html > StreamDriver.Name="gtls" > StreamDriver.Mode="1" > StreamDriver.Authmode="x509/name" > # See > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#permittedpeer > # PermittedPeer=["*.enexis.nl"] > PermittedPeer=["*.xx.nl", "*.yy.com", "*.yy.com.crt"] > gnutlsPriorityString="Protocol=ALL,-SSLv2,-SSLv3,-TLSv1 > MinProtocol=TLSv1.2" > ) > input( > type="imtcp" > port="6518" > ) > > It did not, and I started seeing these errors in journal: > peer did not provide a certificate, not permitted to talk to it > [v8.24.0-34.el7 try http://www.rsyslog.com/e/2085 ] > netstream session 0x7f10e40e8d80 from 10.xx.xx.xx will be closed due to > error [v8.24.0-34.el7 try http://www.rsyslog.com/e/2089 ] > > > > I figured, well there is no change on the other end, so a rollback will > fix it. That would give me re-assurance that I can rollback any time. Since > we haven't tested that before. > It did not, and now I have a broken rsyslog server 🙂 > > Old config: > module( > load="imtcp" > # see https://www.rsyslog.com/doc/v8-stable/concepts/ns_gtls.html > StreamDriver.Name="gtls" > StreamDriver.Mode="1" > StreamDriver.Authmode="x509/name" > # See > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#permittedpeer > # PermittedPeer=["*.enexis.nl"] > PermittedPeer=["*.xx.nl", "*.yy.com", "*.yy.com.crt"] > ) > input( > type="imtcp" > port="6518" > ) > > > I don't have many things I can check, as there is only 1 service relying > on this. But that service is actually the only thing that's providing us > insight into network logs. Incidentally our SIEM uses that as input. > So I did do a small check on the certificates: > openssl s_client -connect syslog.xx.nl:6518 -CAfile tls-ca-bundle.pem > > SSL handshake has read 17073 bytes and written 338 bytes > --- > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-AES256-GCM-SHA384 > Session-ID: > 966666C3F3245570181E11CB525457BAD70D3F0E208D0CED75361980B7935465 > Session-ID-ctx: > Master-Key: > 2570E3FEC0FEBCB661A213FC38EF685FBACEA796E31CDSADH78HDFG6ADDFD0FDE9788CFD4C43B101A307345EC66C5C5BC0 > Start Time: 1562755867 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > > > Trying the endpoint of this server always fails on the first certificate > in the chain, hence why I'm adding it into that command. > > And in the config it does specify certs that are needed: > global( > DefaultNetstreamDriver="gtls" > DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls-ca-bundle.pem" > DefaultNetstreamDriverCertFile="/etc/rsyslog.d/server.crt" > DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/server.key" > ) > > I believe the use of gnutlsprioritystring setting requires version 8.29 > We are running 8.24, however I do not see version 8.29 in the public yum > repos for centos7? I might be looking in the wrong place though. > > Since it is broken I would rather move forward in limiting connections to > just tls 1.2 instead of investing time into getting it rolled back to a > working state. But I guess that all depends on how easy moving forward goes. > Is there anyone who has tips on moving forward? > > Best regards, > > Marco Moll > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
