On 24.03.2021 23:54, odrzen wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, March 24, 2021 2:58 PM, Mariusz Kruk via rsyslog
<[email protected]> wrote:
[ --%< snipped %<--- ]
OK. With TLS it all gets tricky.
Firstly, to get it out of the way, you should not use the legacy config
directives. So instead of $InputTCPServerStreamDriverPermittedPeer you
should use a PermittedPeer option of an input(type="imtcp" [...])
directive and so on.
Yes, you are right, I didn't notice that, because I already found the legacy
configuration on the central rsyslog machine and it works.
--> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#permittedpeer
But, is there any porting guide from "legacy" to "current" configuration?
So, according to the following guides:
* https://www.rsyslog.com/doc/master/tutorials/tls.html#server-setup
* https://www.rsyslog.com/doc/master/concepts/ns_ossl.html#supported-authentication-modes
all this central legacy configuration:
```
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverMode 1
$DefaultNetstreamDriverCAFile /etc/.../ca.pem
$DefaultNetstreamDriverCertFile /etc/.../client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../client-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.domain.com
$InputTCPServerRun 6514
```
can it be replaced with the following configuration:
```
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
    DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
    DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)
# load TCP listener
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="x509/name"
    PermittedPeer=["*.example.domain.com", "*.prod.example.com"]
)
# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)
```
?
To be fully honest with you I don't have the time at the moment to check
the completeness of this configuration, but at first glance it looks more
or less OK. One thing - here you use gtls as stream driver whereas in
the paragraph below you say you're using openssl. It doesn't add up.
Having said that - as I wrote - TLS is a bit tricky because it works a
bit differently depending on the underlying TLS library and its version,
and some parameters can be a bit vague (like said PermittedPeer option
which, quoting from the docs, "<id-string> semantics depend on the
currently selected AuthMode and network stream driver
https://www.rsyslog.com/doc/master/concepts/netstrm_drvr.html.
PermittedPeer may not be set in anonymous modes. PermittedPeer may be
set either to a single peer or an array of peers either of type IP or
name, depending on the tls certificate").
Having multiple CAs is not that easy, and doesn't work with openssl
1.0.x AFAIR. So you might have to do a bit of reading.
Firstly - https://www.rsyslog.com/doc/master/tutorials/tls.html
Then - docs for the appropriate input/output modules
Finally you'd need some testing probably.
Thank you very much for this very interesting and important information!
Your note about the underlying TLS library and its version is very important
to emphasize.
For example, according to you and for my current system - not currently
supported:
```
openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
```
Yes, I struggled with OpenSSL 1.0.2k myself (CentOS7, I presume?)
In my case I needed the rsyslog server to be able to present a full
chained certificate and verify the peer's certificate with just a root
CA cert which is impossible with rsyslog with OpenSSL-1.0. It ended with
me rebuilding rsyslog packages to use OpenSSL-1.1 (openssl11-libs
package from EPEL).
Finally, note that the guide you sent me (which helps a lot) is:
"Written by Rainer Gerhards (2008-05-06)"
Could we try to renew it together? ^_^'
The guide is still pretty current. The configuration is still done the
way it's described there. OK, it could use a bit of a stress on the fact
that some details of TLS are heavily dependent on the underlying TLS
library and you can run into some "quirks" with it.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
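As an added illustration of the legacy-to-RainerScript mapping the thread walks through (not code from the thread or from the rsyslog project), here is a small Python translator for the imtcp TLS directives. The directive-to-parameter pairs are the ones visible in the two configurations above, the LEGACY sample is constructed from the quoted central-server config, and the anonymous-mode check follows the PermittedPeer doc quote; the parser itself and its mapping table are assumptions, not an rsyslog tool.

```python
# Directive-to-parameter mapping taken from the legacy/RainerScript pairs in the
# thread: global() parameters keep their names, imtcp module parameters are renamed.
GLOBAL_PARAMS = ("DefaultNetstreamDriver", "DefaultNetstreamDriverCAFile",
                 "DefaultNetstreamDriverCertFile", "DefaultNetstreamDriverKeyFile")
MODULE_PARAMS = {"InputTCPServerStreamDriverMode": "StreamDriver.Mode",
                 "InputTCPServerStreamDriverAuthMode": "StreamDriver.AuthMode"}
# Constructed sample input: the central-server legacy config quoted in the thread.
LEGACY = """$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverMode 1
$DefaultNetstreamDriverCAFile /etc/.../ca.pem
$DefaultNetstreamDriverCertFile /etc/.../client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../client-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.domain.com
$InputTCPServerRun 6514
"""

def parse_legacy(text):
    glob, mod, peers, ports = {}, {}, [], []
    for line in map(str.strip, text.splitlines()):
        if not line.startswith("$"):
            continue                                  # blank line or comment
        name, _, value = line[1:].partition(" ")
        if name in GLOBAL_PARAMS:
            glob[name] = value
        elif name in MODULE_PARAMS:
            mod[MODULE_PARAMS[name]] = value          # repeated directive: last wins
        elif name == "InputTCPServerStreamDriverPermittedPeer":
            peers.append(value)
        elif name == "InputTCPServerRun":
            ports.append(value)
        elif name != "ModLoad":                       # imtcp load is emitted below
            raise ValueError(f"no RainerScript mapping known for ${name}")
    if peers and mod.get("StreamDriver.AuthMode", "anon") == "anon":
        raise ValueError("PermittedPeer may not be set in anonymous modes (per docs)")
    return glob, mod, peers, ports

def to_rainerscript(text):
    glob, mod, peers, ports = parse_legacy(text)
    out = ["global("] + [f'    {k}="{v}"' for k, v in glob.items()] + [")"]
    out += ["module(", '    load="imtcp"'] + [f'    {k}="{v}"' for k, v in mod.items()]
    if peers:
        out.append("    PermittedPeer=[%s]" % ", ".join('"%s"' % p for p in peers))
    out.append(")")
    for port in ports:
        out += ["input(", '    type="imtcp"', f'    port="{port}"', ")"]
    return "\n".join(out)
```

Run `print(to_rainerscript(LEGACY))` to see the duplicated `$InputTCPServerStreamDriverMode` collapsed into one `StreamDriver.Mode` and the single permitted peer rendered as an array.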