If you are going to upgrade, you are far better off going to 7.2 than 6.x.
7.2 is still in support; for older versions, if you run into this sort of
problem you would have to go to RHEL or Solaris for support.
David Lang
On Thu, 1 Aug 2013, Truhn, Chad M CTR NSWCDD, CXA30 wrote:
Thanks for the response David, I was beginning to worry that no one was
going to have any ideas.
The Solaris box is x86. I went in and loaded the supplied keys from the
source package to make sure it wasn't a key issue and had the same
problem. I then stood up another RHEL6 box (rsyslog 5.8.10-6) and I was
able to successfully get them to talk over TLS. This rules out server
configuration error and I tried to copy the client configuration as
closely as I could. I also reversed the test and tried to send logs
from the Linux box to the Solaris box but again had issues. That was a
different problem, but I can't recall the error off of the top of my
head since I don't have my notes in front of me.
I plan to try two more things (today hopefully). 1) Stand up another
Solaris 10 (x86) box and see if I can send TLS encrypted messages from
Solaris -> Solaris. 2) Pull down a rsyslog 6 package from EPEL for the
RHEL box and see if that allows the Solaris system to play nice. I
don't know if I will get approval to update the package in production or
not, but it is worth testing.
Thanks again and let me know if you have any further ideas.
Chad
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, August 01, 2013 3:21 AM
To: rsyslog-users
Subject: Re: [rsyslog] Rsyslog with TLS woes
This is an area I don't know much about. Rainer is on vacation for
several weeks, hopefully Andre can take a look at this.
Is the Solaris system on Sparc or x86? If it's Sparc, I'd be very
suspicious of an endian related bug. If it was possible for you to do a
quick test between a Sparc and x86 Solaris box to see if that works or
not it would be interesting (if that fails, same version on each, just
the architecture difference, I would bet heavily on an endian bug).
David Lang
On Tue, 30 Jul 2013, Truhn, Chad M CTR NSWCDD, CXA30 wrote:
Date: Tue, 30 Jul 2013 11:26:52 -0400
From: "Truhn, Chad M CTR NSWCDD, CXA30" <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] Rsyslog with TLS woes
Hello All,
I am trying to get rsyslog working with TLS and I am having some
issues.
I am running a Red Hat 6 server (rsyslog 5.8.10-6) and a Solaris 11
client (rsyslog 6.2.0), both in -c5 compatibility mode. I have
verified that I can send data unencrypted between these two
machines, but when I enable TLS I get:
rsyslogd: netstream session 0x7f938c01ad20 will be closed due to error
[try http://www.rsyslog.com/e/2078 ]
I followed the guide at
http://www.rsyslog.com/doc/rsyslog_secure_tls.html to get all of my
certificates and keys set up. I have tried re-creating the certs
again to make sure I don't have a typo and got the same results.
I then ran the rsyslogd process in debug mode to try to get more
information and this is what I get:
From the server (logserver):
unexpected GnuTLS error -9 in nsd_gtls.c:519: A TLS packet with
unexpected length was received.
From the client (sol11):
unexpected GnuTLS error -24 in
/builds/hudson/workspace/nightly-update/build/i386/components/rsyslog/rsyslog-6.2.0/runtime/nsd_gtls.c:1628: Decryption has failed.
The applicable lines in my config files are:
Server:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /certs/ca.pem
$DefaultNetstreamDriverCertFile /certs/logserver-cert.pem
$DefaultNetstreamDriverKeyFile /certs/logserver-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.mydomain
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 514
Client:
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /certs/ca.pem
$DefaultNetstreamDriverCertFile /certs/sol11-cert.pem
$DefaultNetstreamDriverKeyFile /certs/sol11-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.mydomain
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@logserver:514
Any ideas as to what I might be doing wrong? I can send along my full
config files or debug log if needed, but I didn't want to make this
message too long. I am also fairly stuck on what versions of rsyslog
I can run (must be supplied by vendor, RedHat/Oracle) but if this is a
bug in one of the versions or an issue with the version mismatch
between client and server I may be able to convince the right people
to update the minor revisions.
Thanks in advance!
Thank you,
Chad Truhn
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
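As an added example that is not part of the thread or of rsyslog itself, this script parses the legacy directives from the server and client snippets above, runs the consistency checks that most often keep a gtls session from being established (driver not gtls, a missing CA/cert/key file, a side not in mode 1, x509/name authentication without a permitted peer), and matches a certificate name against a PermittedPeer wildcard. The glob matcher and the peer names used in the checks are simplifications I assume here, not rsyslog's own matching code.

```python
import re

# Constructed sample input: the two snippets posted in the thread, with the server's Mode and Run directives on separate lines.
SERVER_CONF = """$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /certs/ca.pem
$DefaultNetstreamDriverCertFile /certs/logserver-cert.pem
$DefaultNetstreamDriverKeyFile /certs/logserver-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.mydomain
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 514
"""
CLIENT_CONF = """$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /certs/ca.pem
$DefaultNetstreamDriverCertFile /certs/sol11-cert.pem
$DefaultNetstreamDriverKeyFile /certs/sol11-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.mydomain
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
"""

def parse_legacy(text):
    """Map '$Directive value' lines to a dict; trailing '# comments' are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("$"):
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def peer_matches(pattern, name):
    """PermittedPeer check as a case-insensitive glob ('*' = any run of chars); a simplification, not rsyslog's matcher."""
    regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, name.lower()) is not None

def check_tls_pair(server, client):
    """List directive-level mistakes that prevent a gtls session between the two sides."""
    problems = []
    for side, conf, pfx in (("server", server, "$InputTCPServerStreamDriver"),
                            ("client", client, "$ActionSendStreamDriver")):
        if conf.get("$DefaultNetstreamDriver") != "gtls":
            problems.append(f"{side}: $DefaultNetstreamDriver must be gtls")
        for key in ("CAFile", "CertFile", "KeyFile"):
            if not conf.get("$DefaultNetstreamDriver" + key):
                problems.append(f"{side}: missing $DefaultNetstreamDriver{key}")
        if conf.get(pfx + "Mode") != "1":
            problems.append(f"{side}: {pfx}Mode should be 1 (TLS only)")
        if conf.get(pfx + "AuthMode") == "x509/name" and not conf.get(pfx + "PermittedPeer"):
            problems.append(f"{side}: x509/name auth needs {pfx}PermittedPeer")
    return problems
```

Note that the posted configs pass these checks, which is consistent with the thread's conclusion that the failure is a version or GnuTLS issue rather than a directive mistake.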