This is an area I don't know much about. Rainer is on vacation for several
weeks, hopefully Andre can take a look at this.
Is the Solaris system on Sparc or x86? If it's Sparc, I'd be very suspicious of
an endian-related bug. If it was possible for you to do a quick test between a
Sparc and x86 Solaris box to see if that works or not, it would be interesting
(if that fails, same version on each, just the architecture difference, I would
bet heavily on an endian bug).
David Lang
On Tue, 30 Jul 2013, Truhn, Chad M CTR NSWCDD, CXA30 wrote:
Date: Tue, 30 Jul 2013 11:26:52 -0400
From: "Truhn, Chad M CTR NSWCDD, CXA30" <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] Rsyslog with TLS woes
Hello All,
I am trying to get rsyslog working with TLS and I am having some issues.
I am running a Red Hat 6 server (rsyslog 5.8.10-6) and a Solaris 11
client (rsyslog 6.2.0), both in -c5 compatibility mode. I have verified
that I can send data unencrypted between these two machines, but when
I enable TLS I get:
rsyslogd: netstream session 0x7f938c01ad20 will be closed due to error
[try http://www.rsyslog.com/e/2078 ]
I followed the guide at
http://www.rsyslog.com/doc/rsyslog_secure_tls.html to get all of my
certificates and keys set up. I have tried re-creating the certs again
to make sure I don't have a typo and got the same results.
I then ran the rsyslogd process in debug mode to try to get more
information and this is what I get:
From the server (logserver):
unexpected GnuTLS error -9 in nsd_gtls.c:519: A TLS packet with
unexpected length was received.
From the client (sol11):
unexpected GnuTLS error -24 in
/builds/hudson/workspace/nightly-update/build/i386/components/rsyslog/rsyslog-6.2.0/runtime/nsd_gtls.c:1628: Decryption has failed.
The applicable lines in my config files are:
Server:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /certs/ca.pem
$DefaultNetstreamDriverCertFile /certs/logserver-cert.pem
$DefaultNetstreamDriverKeyFile /certs/logserver-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.mydomain
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 514
Client:
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /certs/ca.pem
$DefaultNetstreamDriverCertFile /certs/sol11-cert.pem
$DefaultNetstreamDriverKeyFile /certs/sol11-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.mydomain
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@logserver:514
Any ideas as to what I might be doing wrong? I can send along my full
config files or debug log if needed, but I didn't want to make this
message too long. I am also fairly stuck on what versions of rsyslog I
can run (must be supplied by vendor, RedHat/Oracle) but if this is a bug
in one of the versions or an issue with the version mismatch between
client and server I may be able to convince the right people to update
the minor revisions.
Thanks in advance!
Thank you,
Chad Truhn
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
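Before chasing an rsyslog or GnuTLS bug, it is worth confirming that the PKI itself does what the config above expects. The script below is an added example for this thread, not code from the thread or from the rsyslog project: it rebuilds the setup from the post with openssl (a CA, a logserver cert, a sol11 cert), runs the two checks that rsyslog's x509/name mode performs (the cert chains to the CA file, and a certificate name matches the PermittedPeer pattern), and then does a mutual-TLS handshake with openssl s_server/s_client on localhost. If that handshake verifies, the certificates and names are fine and the problem is inside rsyslog; if it fails, fix the PKI first. The FQDNs logserver.mydomain and sol11.mydomain, the scratch directory in place of /certs, RSA-2048 keys, 365-day validity, local port 10514 and the use of shell glob matching to approximate rsyslog's wildcard PermittedPeer are all assumptions of the example, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the rsyslog project): rebuild the PKI
# described in the post with openssl, then check the two things rsyslog's
# x509/name mode checks (chain to the CA, certificate name vs. PermittedPeer)
# and run a mutual-TLS handshake with openssl alone, so a PKI mistake can be
# told apart from a problem inside rsyslog/GnuTLS.
# Assumed, not stated in the thread: FQDNs logserver.mydomain and
# sol11.mydomain, a scratch directory instead of /certs, RSA-2048 keys,
# 365-day validity, and local port 10514 for the openssl handshake.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-10514}"

# make_ca: self-signed CA, the equivalent of /certs/ca.pem on both hosts
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mydomain CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

# make_cert NAME FQDN: key plus CA-signed cert for one host. The FQDN goes
# into both the CN and a subjectAltName DNS entry, which are the names
# rsyslog's x509/name mode compares against PermittedPeer.
make_cert() {
    name=$1
    fqdn=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" >"$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -days 365 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name-cert.pem" 2>/dev/null
}

# verify_chain NAME: does the cert chain to the CA file? This is the first
# check either rsyslog peer performs in any x509/* auth mode.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# cert_names NAME: print the SAN DNS names, then the subject CN, one per line
cert_names() {
    openssl x509 -in "$WORK/$1-cert.pem" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
    openssl x509 -in "$WORK/$1-cert.pem" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# peer_permitted PATTERN NAME: accept if any certificate name matches the
# PermittedPeer pattern. Shell glob matching is used here as an assumed
# approximation of rsyslog's wildcard handling; it is not rsyslog's code.
peer_permitted() {
    pattern=$1
    for n in $(cert_names "$2"); do
        case "$n" in
            $pattern) return 0 ;;
        esac
    done
    return 1
}

# handshake CLIENT: mutual TLS between the server identity and CLIENT on
# localhost, with both sides demanding a cert that chains to the CA.
# Succeeds only if s_client reports "Verify return code: 0 (ok)".
handshake() {
    openssl s_server -accept "$PORT" -quiet \
        -cert "$WORK/logserver-cert.pem" -key "$WORK/logserver-key.pem" \
        -CAfile "$WORK/ca.pem" -Verify 1 </dev/null >/dev/null 2>&1 &
    spid=$!
    sleep 1
    # constructed sample syslog line, sent by the client after the handshake
    out=$(printf '<13>Jul 30 11:26:52 sol11 test: tls check\n' |
        openssl s_client -connect "127.0.0.1:$PORT" \
            -cert "$WORK/$1-cert.pem" -key "$WORK/$1-key.pem" \
            -CAfile "$WORK/ca.pem" -verify_return_error 2>&1) || true
    kill "$spid" 2>/dev/null || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

make_ca
make_cert logserver logserver.mydomain
make_cert sol11 sol11.mydomain

if verify_chain logserver && verify_chain sol11; then
    echo "chain to CA: ok"
else
    echo "chain to CA: FAILED (check CAFile/CertFile on both hosts)"
    exit 1
fi
if peer_permitted '*.mydomain' sol11 && peer_permitted '*.mydomain' logserver; then
    echo "both certs accepted by PermittedPeer *.mydomain"
else
    echo "a cert name does not match PermittedPeer *.mydomain"
    exit 1
fi
if peer_permitted '*.otherdomain' sol11; then
    echo "unexpected: sol11 accepted by *.otherdomain"
else
    echo "sol11 rejected by PermittedPeer *.otherdomain (expected)"
fi
if handshake sol11; then
    echo "openssl mutual TLS handshake: ok, so look at rsyslog/GnuTLS next"
else
    echo "openssl mutual TLS handshake failed: fix the PKI before blaming rsyslog"
fi
```

Run it as is to generate everything under a fresh temp directory, or point WORK at a copy of the real /certs tree and skip the make_* calls to test the certificates actually deployed. The peer_permitted check is the one most often overlooked: rsyslog's x509/name mode needs a DNS name or CN in the client cert that matches the server's PermittedPeer, and vice versa, and a cert whose only name is a bare hostname will not match "*.mydomain".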