Hi,

On Mon, June 5, 2023 4:21 am, Rainer Gerhards wrote:
> Derek, Andre,
>
>> > There has been no change on nsd_ossl.c driver since January 2023, so I
>> > believe this is not related to the different rsyslog versions you are
>> > running.
>> > The warnings tell you that there is no client certificate configured, which
>> > can be OK but unusual in this setup. To get rid of them I would recommend
>> > configuring a client certificate as well.
>>
>> I'm not using client authentication, which is why there is no client cert.
>> Not sure why you consider it "unusual". But that's not the error I am
>> concerned about.
>
> Derek: I agree and would actually say it is a common scenario.
In my case, I am just looking for confidentiality, not client authentication. I know the server's CA cert, so I can install that into the clients.

> Andre: For that reason, I think we should at most emit an "info"
> message if it is not set. Not sure what the gtls driver does, but that
> doesn't really matter - it may need to be changed as well.
>
> Also: I think that when the server-side cert is in place, we are NOT
> limited to anon ciphers! The server provides its public key, and if I
> am not totally mistaken, that should be sufficient to use all ciphers,
> including async ones.
>
> Of course, without a client cert, we have one-way anon traffic and
> cannot detect man in the middle.
>
> Am I wrong?
>
> Rainer
>
> Andre,
>
>> Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=-1, errno=104, sslapi='SSL_read' [v8.2208.0]
>> Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: netstream session 0x7fe3f411f3b0 from <source> will be closed due to error [v8.2208.0]
>> Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: SSL_ERROR_SSL Error in 'osslEndSess': 'error:00000001:lib(0):func(0):reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_shutdown' [v8.2208.0]
>> Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: nsd_ossl:OpenSSL Error Stack: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [v8.2208.0]
>> Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: nsd_ossl: TLS session terminated successfully to remote syslog server '<source>' with SSL Error '-1': End Session [v8.2208.0]
>
> Is that from the Server? I would expect an error about failing to find a shared
> cipher. That looks like a NON-TLS connection attempt.

Yes, this is from the Server. It might be the same underlying issue, errno 104. Perhaps there was a firewall at the installation site that was blocking packets?
-derek

--
Derek Atkins 617-623-3745
de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
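Added example, not part of the thread or of rsyslog itself: a small triage script for the nsd_ossl server-side log lines quoted above. It parses each error and OpenSSL error-stack line and applies the heuristic Rainer describes (a reset on SSL_read followed by "shutdown while in init" points to a peer that never completed the TLS handshake, e.g. a plaintext client or a dropped connection, while a cipher mismatch would surface as "no shared cipher"). The sample log is the thread's own output embedded as a constructed string; the assumption that errno 104 is ECONNRESET holds for Linux only.

```python
import re

# Constructed sample: the server-side lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=-1, errno=104, sslapi='SSL_read' [v8.2208.0]
Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: netstream session 0x7fe3f411f3b0 from <source> will be closed due to error [v8.2208.0]
Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: SSL_ERROR_SSL Error in 'osslEndSess': 'error:00000001:lib(0):func(0):reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_shutdown' [v8.2208.0]
Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: nsd_ossl:OpenSSL Error Stack: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [v8.2208.0]
Jun 1 12:56:33 ip-172-31-18-117 rsyslogd: nsd_ossl: TLS session terminated successfully to remote syslog server '<source>' with SSL Error '-1': End Session [v8.2208.0]
"""

# "<SSL_ERROR_*> Error in '<func>': ... errno=<n>, sslapi='<call>'"
ERR_RE = re.compile(
    r"(?P<kind>SSL_ERROR_\w+) Error in '(?P<func>\w+)'.*?"
    r"errno=(?P<errno>\d+), sslapi='(?P<api>\w+)'"
)
# "OpenSSL Error Stack: error:<hex>:<lib>:<func>:<reason> [version]"
STACK_RE = re.compile(r"OpenSSL Error Stack: (?P<err>error:[0-9A-Fa-f]+:[^\[]+?)\s*\[")

ECONNRESET = 104  # Linux errno numbering (assumption for this example)


def parse_ossl_events(log_text):
    """One dict per nsd_ossl error or error-stack line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["errno"] = int(ev["errno"])
            events.append(ev)
            continue
        m = STACK_RE.search(line)
        if m:
            events.append({"kind": "STACK", "stack": m.group("err").strip()})
    return events


def classify(events):
    """Heuristic verdict for one session's events, following the thread's reasoning."""
    reset_on_read = any(
        e.get("kind") == "SSL_ERROR_SYSCALL" and e.get("api") == "SSL_read"
        and e.get("errno") == ECONNRESET for e in events
    )
    shutdown_in_init = any("shutdown while in init" in e.get("stack", "") for e in events)
    if reset_on_read and shutdown_in_init:
        return "peer reset before handshake completed (plaintext client or network drop)"
    if any("no shared cipher" in e.get("stack", "") for e in events):
        return "cipher or protocol mismatch"
    return "unclassified"
```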