Hi,

I've just found the problem! :D

I was generating all certificates with XCA, an openssl GUI, and this
software adds two special OIDs to the certificate:

Unknown extension 2.16.840.1.113730.1.1 (not critical):
                        ASCII: ...@
                        Hexdump: 03020640
Unknown extension 2.16.840.1.113730.1.13 (not critical):
                        ASCII: ..xca certificate
                        Hexdump: 160f786361206365727469666963617465
(certtool output, openssl does NOT output them)

If I remove this 'comment' (Netscape tab, comment field) from the tool and
regenerate the certificate, it works flawlessly. Maybe it's a bug with
gnutls, because these certificates work with Apache, AD or OpenVPN w/o
problems...

Hoping this helps somebody!





Saludos,

Carlos Fernández Manteiga <[email protected]>
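To see what XCA actually put into the certificate, here is an added decoder (example code, not from the thread, rsyslog or XCA) for the two certtool hexdumps above; it maps 2.16.840.1.113730.1.1 and 2.16.840.1.113730.1.13 to the Netscape nsCertType and nsComment extensions and decodes their DER values with no external library:

```python
# Added example, not code from the thread, rsyslog or XCA: decode the two
# extension values certtool printed above.  The OIDs are Netscape's
# nsCertType (2.16.840.1.113730.1.1) and nsComment (2.16.840.1.113730.1.13);
# the hexdumps are the exact values from the message.  No external libraries.

NETSCAPE_OIDS = {
    "2.16.840.1.113730.1.1": "nsCertType",
    "2.16.840.1.113730.1.13": "nsComment",
}

# nsCertType BIT STRING flags; bit 0 is the most significant bit of byte 0.
NS_CERT_TYPE_BITS = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
                     "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA"]

def der_tlv(data: bytes):
    """Split one DER element into (tag, value); reject trailing/missing bytes."""
    tag, length, pos = data[0], data[1], 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length != len(data):
        raise ValueError("truncated or trailing bytes in DER value")
    return tag, data[pos:pos + length]

def decode_extension(oid: str, hexdump: str):
    """Return (extension name, decoded payload) for one certtool Hexdump line."""
    name = NETSCAPE_OIDS.get(oid)
    if name is None:
        return ("unknown", hexdump)          # leave non-Netscape OIDs undecoded
    tag, value = der_tlv(bytes.fromhex(hexdump))
    if name == "nsCertType":
        if tag != 0x03 or len(value) < 2:
            raise ValueError("nsCertType must be a non-empty BIT STRING")
        unused, first = value[0], value[1]   # byte 0 = number of unused bits
        if unused > 7 or first & ((1 << unused) - 1):
            raise ValueError("DER BIT STRING padding bits must be zero")
        return (name, [f for i, f in enumerate(NS_CERT_TYPE_BITS) if first & (0x80 >> i)])
    if tag != 0x16:                          # nsComment is an IA5String
        raise ValueError("nsComment must be an IA5String")
    return (name, value.decode("ascii"))

def netscape_extensions(oids):
    """The check from the thread: which of a cert's extension OIDs are Netscape ones."""
    return sorted(NETSCAPE_OIDS[o] for o in oids if o in NETSCAPE_OIDS)

if __name__ == "__main__":
    print(decode_extension("2.16.840.1.113730.1.1", "03020640"))
    print(decode_extension("2.16.840.1.113730.1.13", "160f786361206365727469666963617465"))
```

On the two values from the message this yields nsCertType = SSL Server and nsComment = "xca certificate"; netscape_extensions() is the quick check to run on a certificate's extension OID list before handing the file to rsyslog/GnuTLS.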


On Thu, Apr 11, 2013 at 9:55 AM, Carlos Fdez <[email protected]> wrote:

> Thanks Rainer, but I don't think that's the problem. If I setup the same
> config without reception, local messages get sent, with reception even
> local messages are not sent.
>
> I verified the certs with certtool and openssl, and they are OK :-(
>
> Is the config valid for receiving and sending simultaneously?
>
> Thanks!
>
> Saludos,
>
> Carlos Fernández Manteiga <[email protected]>
>
>
> On Thu, Apr 11, 2013 at 9:45 AM, Rainer Gerhards <[email protected]> wrote:
>
>>
>>
>> > -----Original Message-----
>> > From: [email protected] [mailto:rsyslog-
>> > [email protected]] On Behalf Of Carlos Fdez
>> > Sent: Thursday, April 11, 2013 9:44 AM
>> > To: [email protected]
>> > Subject: [rsyslog] Fwd: Receiving logs via TCP/TLS and forwarding to another rsyslog via TCP/TLS
>> >
>> > Hi,
>> >
>> > I'm trying to forward secure logs from a server that also receives, but
>> > that's the debug I get:
>> >
>> > 1348.976447385:7f4f3acbd700: unexpected GnuTLS error -207 in nsd_gtls.c:202: Base64 unexpected header error.
>> This usually means there is some problem with your certificate files.
>> Unfortunately, GnuTLS is not more specific in its error messages.
>>
>> Rainer
>> > 1348.976470887:7f4f3acbd700: TCPSendInit FAILED with -2078.
>> > 1348.976497727:7f4f3acbd700: file netstrms.c released module 'lmnsd_gtls', reference count now 0
>> > 1348.976501630:7f4f3acbd700: module 'lmnsd_gtls' has zero reference count, unloading...
>> > 1348.976504192:7f4f3acbd700: Unloading module lmnsd_gtls
>> >
>> > This is the client/server config:
>> >
>> > ########################################
>> >
>> > $ModLoad imuxsock
>> > $ModLoad imklog
>> > $ModLoad immark
>> > $ModLoad imtcp
>> > $ModLoad imudp
>> >
>> > #### GLOBAL DIRECTIVES ####
>> >
>> > # Connection via TLS
>> > $DefaultNetstreamDriverCAFile /etc/pki/CA/certs/rootCA.crt
>> > $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
>> > $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/cert.pem
>> > $DefaultNetstreamDriver gtls
>> > $ActionSendStreamDriverMode 1
>> > $ActionSendStreamDriverAuthMode x509/name
>> > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
>> > $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
>> > $InputTCPServerRun 64785 # start up listener at port 64785
>> >
>> >
>> > * /logs/log
>> >
>> > # Secure TLS
>> > $WorkDirectory /logs/spool
>> > $ActionQueueFileName Secure
>> > $ActionQueueMaxDiskSpace 1g
>> > $ActionQueueSaveOnShutdown on
>> > $ActionQueueType LinkedList
>> > $ActionResumeRetryCount -1
>> > authpriv.*;auth.*;local5.* @@(o)server.domain.tld:10514
>> >
>> > ##########################################
>> >
>> > And this is the server config (server.domain.tld):
>> >
>> > ##########################################
>> >
>> > #### MODULES ####
>> >
>> > $ModLoad imuxsock
>> > $ModLoad imklog
>> > $ModLoad immark
>> > $ModLoad imtcp
>> > $ModLoad imudp
>> >
>> > #### GLOBAL DIRECTIVES ####
>> >
>> > # Connection via TLS/TCP
>> > $DefaultNetstreamDriverCAFile /etc/pki/CA/certs/rootCA.crt
>> > $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
>> > $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/cert.pem
>> > $DefaultNetstreamDriver gtls
>> > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
>> > $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
>> > $InputTCPServerRun 10514 # start up listener at port 10514
>> >
>> > *   /logs/log
>> > $IncludeConfig /etc/rsyslog.d/*.conf
>> >
>> > ##########################################
>> >
>> > If I remove the client/server certificate, leaving only the CA, the
>> > forwarding of local messages works, with the certificate the client/server
>> > receives, but does not send.
>> >
>> > Anybody knows about it?
>> >
>> > Thank you very much!
>> >
>> >
>> > Regards,
>> >
>> > Carlos Fernández Manteiga <[email protected]>
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL:
>> > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
>> beyond
>> > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.