Yes, the TLS session gets established, but if we add the debug to the config shared earlier, it does not even start the TCP handshake.

On Mon, Jun 20, 2022 at 1:22 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

> This time you included debug log from rsyslogd creating the merged
> config, not the actual config itself.
>
> Anyway, the PCAP is interesting.
>
> Because it shows two separate TLS-based connections which are
> negotiated, then there is some data pushed through the encrypted channel
> but the connections are not finished.
>
> I assume these are not the first connections because the pre-shared key
> has already been established and the sessions are now established in a
> "quick way" (without verifying certs again).
>
> So it does seem as if the TLS connection as such was being established
> indeed.
>
> On 20.06.2022 18:08, Abhinav Bhatia via rsyslog wrote:
> > Sorry, below are the attached files, effective config from client side
> > and wireshark of the working scenario.
> >
> > On Mon, Jun 20, 2022 at 11:41 AM Mariusz Kruk via rsyslog
> > <rsyslog@lists.adiscon.com> wrote:
> >
> >> OK. Now we're getting somewhere ;-)
> >>
> >> So you're trying to do TLS-enabled forwarding between "client" rsyslogd
> >> and "server" rsyslogd.
> >>
> >> Unfortunately, you didn't post the whole config from the client - the
> >> config relies on some included files which are not attached.
> >>
> >> You can get the resulting config as rsyslog sees it by calling
> >>
> >> rsyslogd -N1 -o /tmp/rsyslogd_effective.conf
> >>
> >> It seems you forgot the wireshark snapshot as well.
> >>
> >> On 20.06.2022 17:34, Abhinav Bhatia via rsyslog wrote:
> >>> Yes. But what functionality with TLS is or is not working? Input?
> >>> Output?
> >>>
> >>> *I have a client running rsyslogd, sending syslogs to server. I am
> >>> using syslog() to send syslogs. When I run version 8.2108 with TLS,
> >>> I see the messages sent from client on wireshark (snapshot attached).
> >>> But if I enable debug I do not see anything on Wireshark going out
> >>> from client side.*
> >>>
> >>> What's your config?
> >>> *Attached are the configs from client and server.*
> >>>
> >>> What are the symptoms of "not working"? Does your side terminate the
> >>> TLS connection with some error? Does the other side terminate it?
> >>> *I think the client does not start the connection.*
> >>>
> >>> Does it work again if you downgrade the rsyslog back to 8.2108?
> >>> *Yes, if I downgrade to 8.2108, rsyslogd with TLS is working (NO Debug
> >>> enabled)*
> >>>
> >>> On Mon, Jun 20, 2022 at 11:06 AM Mariusz Kruk via rsyslog
> >>> <rsyslog@lists.adiscon.com> wrote:
> >>>
> >>>> Yes. But what functionality with TLS is or is not working? Input?
> >>>> Output?
> >>>> What's your config?
> >>>>
> >>>> What are the symptoms of "not working"? Does your side terminate the
> >>>> TLS connection with some error? Does the other side terminate it?
> >>>>
> >>>> Did you try tcpdumping the TLS connection?
> >>>>
> >>>> Does it work again if you downgrade the rsyslog back to 8.2108?
> >>>>
> >>>> On 20.06.2022 16:59, Abhinav Bhatia wrote:
> >>>>> Hi Mariusz,
> >>>>>
> >>>>> Thank you for quick reply,
> >>>>>
> >>>>> *Version*   *No TLS*   *TLS with Debug enabled*   *TLS with debug disabled*
> >>>>> 8.2108.0    Working    Not Working                Working
> >>>>> 8.2204.0    Working    Not Working                Not Working
> >>>>>
> >>>>> Logs I shared with you were of version 8.2108.0, TLS with Debug
> >>>>> enabled.
> >>>>>
> >>>>> Thank you,
> >>>>>
> >>>>>
> >>>>> On Mon, Jun 20, 2022 at 10:38 AM Mariusz Kruk via rsyslog
> >>>>> <rsyslog@lists.adiscon.com> wrote:
> >>>>>
> >>>>>     OK. But _what_ is working or not working? Because quick glance
> >>>>>     over the debug file you attached doesn't show anything
> >>>>>     TLS-related.
> >>>>>
> >>>>>     Or even any other input module other than imuxsock or imklog.
> >>>>>     So maybe it's that your omfwd action is supposed to be
> >>>>>     TLS-enabled. But we don't see any streamdriver config in this
> >>>>>     debug.
> >>>>>
> >>>>>     On 20.06.2022 16:27, Abhinav Bhatia via rsyslog wrote:
> >>>>>     > Hi,
> >>>>>     >
> >>>>>     > I was using rsyslogd (version 8.2108.0.master) with TLS which
> >>>>>     > was working fine. Then I upgraded to 8.2204.0.master and
> >>>>>     > syslog with TLS stopped working, over UDP works fine.
> >>>>>     >
> >>>>>     > Along with rsyslogd I upgraded the curl 7.79.0-DEV to
> >>>>>     > 7.83.1-DEV, and Nettle from 3.1.1 to 3.7.1.
> >>>>>     >
> >>>>>     > To debug the issue I enabled the logs with version 8.2108.0
> >>>>>     > via rsyslog.conf. Issue is when I enable logs I do not see any
> >>>>>     > TLS data sent to the server (attached logs). However if I do
> >>>>>     > not enable debug in conf file it works fine.
> >>>>>     >
> >>>>>     > Below are the lines added for debugging in syslog.conf:
> >>>>>     >
> >>>>>     > $DebugFile /var/log/rsyslog.debug
> >>>>>     > $DebugLevel 2
> >>>>>     >
> >>>>>     > Thank you!

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.