If you're getting gibberish in the logs on the TLS port, it usually means that 
the encrypted input isn't decrypted correctly and gets written to file as junk. 
So, if that's what you're seeing, to me, I think there's a misconfiguration of 
the TLS for the gtls driver or the certs aren't set up correctly. Secondly, the 
s_client showing only CONNECT is a clear sign the TLS stuff isn't working; you 
should be seeing the TLS server certificate at least.

At this point, focus on the server side problem first and just verify with 
s_client. Just as an example, when server TLS is working, this is what you see 
with s_client:

$ openssl s_client -connect aa.bb.cc.dd:10514
CONNECTED(00000003)
depth=0 C = US, ST = CA, O = Company, OU = Team, CN = cis-data-vip.corp.company.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = CA, O = Company, OU = Team, CN = cis-data-vip.corp.company.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = CA, O = Company, OU = Team, CN = cis-data-vip.corp.company.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/O=Company/OU=Team/CN=cis-data-vip.corp.company.com
   i:/C=US/ST=Califorina/L=San Diego/O=Company/OU=IIT/CN=company.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/O=Company/OU=Team/CN=cis-data-vip.corp.company.com
issuer=/C=US/ST=Califorina/L=San Diego/O=Company/OU=IIT/CN=company.com
---
Acceptable client certificate CA names
/C=US/ST=Califorina/L=San Diego/O=Company/OU=IIT/CN=company.com
---
SSL handshake has read 1289 bytes and written 617 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 249F2F1DE82F47AE30C5415290582043EDE3FF3B39E5CBD7D22AC1D086C822DA
    Session-ID-ctx: 
    Master-Key: 0A5B902A364A09C84364E054219AF0E90DB243CD3C8C83F6B95621B508793F97CB3785E52DDBFF2AAD5E053A900BA6D9
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1403894100
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Micah Yoder
Sent: Friday, June 27, 2014 10:44 AM
To: [email protected]
Subject: Re: [rsyslog] TLS still not receiving messages

Thanks for the response. Kind of gets weirder.  First, I added the line
as you suggested to the server config; no difference.  I tried s_client
and I *do* get some stuff through to the server log, but it is
gibberish.  Still nothing from rsyslog client itself.  s_client does
show just CONNECT with nothing else, even when I specify the client
cert/key that is given to rsyslog.  Both that and the server cert were
generated from the same CA, though I wonder if I messed something up
somewhere with that.

On 6/27/14, 10:39 AM, Masuda, Bond wrote:
> Micah:
> 
> First, to test TLS connection and verify you've got it setup correctly, use 
> the "s_client" in openssl to connect to your TLS port. If it is working as 
> expected, you should see your certificate on the screen; if not, you'll just 
> see "CONNECTED" and not much else. If it isn't working as expected, then 
> troubleshoot further.
> 
> Looking over my own configurations, I recall that the only way I got it to 
> work was to still use the old configuration style, and include the following 
> statements:
> 
> $DefaultNetstreamDriver gtls
> 
> This was even though I had this for imtcp:
> 
> module( load="imtcp"
>         MaxSessions="1000"
>         StreamDriver.Name="gtls"
>         StreamDriver.Mode="1"
>         StreamDriver.AuthMode="anon")
> 
> Try including the $DefaultNetstreamDriver statement and see if that works 
> (after you verify with openssl s_client that it isn't).
> 
> -Bond
> 
> --- you wrote: ---
> Hi,
> 
> I posted this earlier.  I noted that I had got a weird epoll error with
> the 8.2.1 RPM and that I had not received it with the git master branch,
> but that messages were still not coming through.
> 
> I just refreshed the git tree and switched to v8-stable. No epoll error
> but I'm not getting anything through.
> 
> I *think* my config is right.
> 
> Server:
> 
> # Provides TLS-encrypted TCP syslog reception
> module(load="imtcp" StreamDriver.name="gtls" MaxSessions="500")
> $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
> $DefaultNetstreamDriverCertFile /etc/rsyslog.d/server.crt
> $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/server.key
> input(type="imtcp" port="1054")
> 
> Client:
> 
> $DefaultNetstreamDriver gtls
> $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
> $DefaultNetstreamDriverCertFile /etc/rsyslog.d/client1.crt
> $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/client1.crt
> 
> action(type="omfwd"
>        Target="<IP redacted>"
>        Port="1054"
>        Protocol="tcp"
>        StreamDriverAuthMode="x509/name"
>        StreamDriverMode="1"
>       )
> 
> tcpdump does show packets getting to the server, but of course I can't
> tell what's in them.
> 
> Anything obviously wrong with the config?
> 
> Thanks!
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
> 

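The two checks this thread turns on, whether s_client actually saw a TLS handshake and whether the rsyslog config really puts the listener and the forwarder into TLS mode, are easy to script. The following is an added example and not code from the thread or from the rsyslog project; the s_client transcript and the two config texts are constructed from the snippets quoted above (the hostnames, paths and "<IP redacted>" are the thread's own placeholders). The lint encodes the documented gtls driver semantics, StreamDriver.Mode 0 being plain TCP and 1 being TLS, so an imtcp listener that names gtls without Mode 1 accepts plain TCP and writes a TLS client's handshake bytes to the log as junk; it also flags a KeyFile that points at the certificate instead of the private key.

```python
"""Classify `openssl s_client` output and lint rsyslog TLS configuration.

Added example (not from the mailing-list thread or rsyslog). All sample
inputs below are constructed from the thread's quoted snippets.
"""
import re

# Constructed: abbreviated s_client output against a working TLS listener.
S_CLIENT_TLS_OK = """\
CONNECTED(00000003)
depth=0 C = US, ST = CA, O = Company, OU = Team, CN = cis-data-vip.corp.company.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/O=Company/OU=Team/CN=cis-data-vip.corp.company.com
   i:/C=US/ST=Califorina/L=San Diego/O=Company/OU=IIT/CN=company.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/O=Company/OU=Team/CN=cis-data-vip.corp.company.com
issuer=/C=US/ST=Califorina/L=San Diego/O=Company/OU=IIT/CN=company.com
---
SSL handshake has read 1289 bytes and written 617 bytes
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed: a plain-TCP listener never answers the ClientHello, so
# s_client shows the TCP connect and nothing else.
S_CLIENT_NO_TLS = "CONNECTED(00000003)\n"

# Constructed from the thread's server config: gtls is named on imtcp,
# but the module is never switched into TLS mode (StreamDriver.Mode="1").
SERVER_CONF = """\
module(load="imtcp" StreamDriver.name="gtls" MaxSessions="500")
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/server.crt
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/server.key
input(type="imtcp" port="1054")
"""

# Constructed from the thread's client config: KeyFile points at the .crt.
CLIENT_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/client1.crt
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/client1.crt

action(type="omfwd"
       Target="<IP redacted>"
       Port="1054"
       Protocol="tcp"
       StreamDriverAuthMode="x509/name"
       StreamDriverMode="1"
      )
"""


def classify_s_client(output):
    """Summarise what s_client observed: tls is True only when the server
    sent a certificate and the handshake completed; verify_code is OpenSSL's
    chain-verification result (0 means the chain validated)."""
    result = {"connected": "CONNECTED(" in output, "tls": False,
              "subject": None, "issuer": None, "verify_code": None}
    m = re.search(r"^subject=(.+)$", output, re.M)
    if m:
        result["subject"] = m.group(1).strip()
    m = re.search(r"^issuer=(.+)$", output, re.M)
    if m:
        result["issuer"] = m.group(1).strip()
    m = re.search(r"Verify return code: (\d+)", output)
    if m:
        result["verify_code"] = int(m.group(1))
    result["tls"] = ("-----BEGIN CERTIFICATE-----" in output
                     and "SSL handshake has read" in output)
    return result


LEGACY_RE = re.compile(r"^\$(\w+)\s+(\S+)", re.M)      # $Directive value
OBJECT_RE = re.compile(r"(\w+)\(([^)]*)\)", re.S)       # module(...), action(...)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')      # key="value"


def parse_rsyslog(text):
    """Return (legacy directives, RainerScript objects); rsyslog parameter
    names are case-insensitive, so keys are lowercased."""
    legacy = {m.group(1).lower(): m.group(2) for m in LEGACY_RE.finditer(text)}
    objects = [(m.group(1).lower(),
                {k.lower(): v for k, v in PARAM_RE.findall(m.group(2))})
               for m in OBJECT_RE.finditer(text)]
    return legacy, objects


def lint_rsyslog_tls(text):
    """Return a list of findings for the TLS misconfigurations that produce
    'gibberish in the log' or a handshake that never completes."""
    legacy, objects = parse_rsyslog(text)
    findings = []
    cert = legacy.get("defaultnetstreamdrivercertfile")
    key = legacy.get("defaultnetstreamdriverkeyfile")
    if cert and key and cert == key:
        findings.append("KeyFile and CertFile are the same path (%s); the key "
                        "file must hold the private key" % key)
    for name, p in objects:
        if name == "module" and p.get("load") == "imtcp":
            if p.get("streamdriver.name") == "gtls" and p.get("streamdriver.mode") != "1":
                findings.append("imtcp names gtls but StreamDriver.Mode is not 1: the "
                                "listener stays plain TCP, so TLS clients' handshake "
                                "bytes are logged as junk")
        if name == "action" and p.get("type") == "omfwd" and p.get("streamdrivermode") == "1":
            if legacy.get("defaultnetstreamdriver") != "gtls":
                findings.append("omfwd sets StreamDriverMode=1 but "
                                "$DefaultNetstreamDriver gtls is not set")
    return findings


if __name__ == "__main__":
    for label, out in (("tls listener", S_CLIENT_TLS_OK), ("plain listener", S_CLIENT_NO_TLS)):
        print(label, classify_s_client(out))
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(label, lint_rsyslog_tls(conf) or ["no findings"])
```

Feed `classify_s_client` the captured output of `openssl s_client -connect host:port`; a verify code of 21, as in the transcript above, only means s_client was not given the CA, so re-run with `-CAfile ca.pem` and expect 0 before trusting the chain from the rsyslog side. The lint is deliberately narrow: it reads only the directives that appear in this thread, so a config using `$InputTCPServerStreamDriverMode` or other legacy forms would need its own rule.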