Hi,

We are trying to send data between two rsyslog instances using omrelp/imrelp in a secure
encryption mode (cipher GCM).

Versions
gnutls 3.3.17.1
openssl 1.0.2d
librelp 1.2.7
rsyslog 8.12

Configuration (imrelp)
#------------------------------------------------------------
global(workDirectory="/var/opt/rsyslog")
global(defaultNetstreamDriver="gtls")
global(maxMessageSize="1024k")

module(load="imrelp")

input(type="imrelp" port="515" tls="on"
tls.prioritystring="NONE:+AES-256-GCM:+ECDHE-ECDSA:+AEAD:+COMP-NULL:+VERS-TLS1.2:+SIGN-ECDSA-SHA384:+CURVE-SECP384R1:+CTYPE-X509:%SERVER_PRECEDENCE"
tls.myPrivKey="client-key.pem"
tls.myCert="client-cert.pem"
tls.authmode="fingerprint"
tls.permittedpeer="SHA:XXXXXXXXXXXXXXXX"
)
#------------------------------------------------------------

Sadly, despite multiple tries with different gnutls/librelp/rsyslog
combinations, all have been unsuccessful.

Using gnutls-cli or openssl clients we see garbage or an encrypted reply for
the relp messages exchanged:

# gnutls-cli -p 515 --tofu --x509keyfile=client-key.pem
--x509certfile=client-cert.pem myremotersyslog

...
- Successfully sent 1 certificate(s) to server.
|<1>| The hash size used in signature (32) is less than the expected (48)
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID:
4F:57:71:45:68:E2:00:00:7F:02:62:E2:29:AE:3F:E7:13:C7:4A:7C:10:90:F8:DF:82:B7:86:EC:BC:59:E4:A4
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Client Signature: ECDSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

1 open 85 relp_version=0
relp_software=librelp,1.2.7,http://librelp.adiscon.com
commands=syslog
1 rsp 44 500 required command not supported by cq"�eB\0 serverclose 0
 <=====
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.

The rsyslog debug log shows

9651.864698114:imrelp.c       : librelp: epoll_set_events sock 1, target
bits 01, current 01
9651.864713735:imrelp.c       : librelp: doing epoll_wait
9662.329544895:imrelp.c       : librelp: done epoll_wait, nEvents:1
9662.329596582:imrelp.c       : relp session read 25 octets, buf '1 open 85
relp_v���%O��)C'      <=====
9662.329617474:imrelp.c       : librelp: epoll_set_events sock 1, target
bits 01, current 01
9662.329626292:imrelp.c       : librelp: doing epoll_wait
9662.369502623:imrelp.c       : librelp: done epoll_wait, nEvents:1
9662.369537074:imrelp.c       : relp session read 55 octets, buf
'relp_software=librelp,1.2.7,http://librelp.adiscԴ
<http://librelp.xn--adisc-1eg>�d|'
9662.369555212:imrelp.c       : librelp: epoll_set_events sock 1, target
bits 01, current 01
9662.369563723:imrelp.c       : librelp: doing epoll_wait
9664.041598193:imrelp.c       : librelp: done epoll_wait, nEvents:1
9664.041631932:imrelp.c       : relp session read 16 octets, buf
'commands=syslog
'
9664.041643193:imrelp.c       : relp engine is dispatching frame with
command 'open'
9664.041648694:imrelp.c       : in open command handler
9664.041658777:imrelp.c       : processing client offer
'relp_v���%O��)Crelp_software'         <=====
9664.041664148:imrelp.c       : ignoring unknown client offer
'relp_v���%O��)Crelp_software'   <=====
9664.041685579:imrelp.c       : librelp: TLS send returned 54
9664.041692599:imrelp.c       : in destructor: sendbuf 0x6d8180
9664.041704667:imrelp.c       : relp session 1 iRet 10026, tearing it down
9664.041710516:imrelp.c       : librelp: delete sock 1 from epoll set
9664.041718785:imrelp.c       : hint-frame to send: '0 serverclose 0


If we change cipher, for example to AES-256-CBC it works as expected.

Any ideas on this issue? Our platform is SLES11 SP3, but results are
identical on SLES12 and the default version packages.

Best regards,
Lionel
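The frames quoted above ("1 open 85 ...", "0 serverclose 0") follow the RELP layout TXNR SP COMMAND SP DATALEN [SP DATA] LF, and the debug log shows the telling symptom: DATALEN (85) still matches the bytes received, but the DATA itself arrives with undecodable bytes where "ersion=0\n" should be, so the two first offers fuse into one unknown key. The parser below is an added example written for this editorial note, not code from the thread or from librelp/rsyslog; it parses a frame, validates the length and trailer, flags DATA that is not clean UTF-8 text, and splits an open command's offers into known and unknown keys. The sample frames are constructed here: the good one reproduces the frame gnutls-cli printed, the bad one overwrites nine payload bytes with junk to mimic the corrupted offer in the log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Offer keys librelp sends in the 'open' command (names taken from the frames above).
KNOWN_OFFERS = {"relp_version", "relp_software", "commands"}

# RELP header: TXNR SP COMMAND SP DATALEN (all ASCII)
HEADER_RE = re.compile(rb"^(\d+) ([A-Za-z]+) (\d+)")


@dataclass
class RelpFrame:
    txnr: int
    command: str
    datalen: int
    data: bytes
    problems: List[str] = field(default_factory=list)


def parse_frame(raw: bytes) -> RelpFrame:
    """Parse one RELP frame: TXNR SP COMMAND SP DATALEN [SP DATA] LF.

    DATALEN counts DATA bytes only; the trailing LF is the frame trailer.
    Length and trailer are checked, then DATA is inspected for bytes that
    cannot occur in a sane 'open' or 'syslog' payload.
    """
    m = HEADER_RE.match(raw)
    if m is None:
        raise ValueError("not a RELP frame: header must be 'TXNR SP COMMAND SP DATALEN'")
    txnr, command, datalen = int(m.group(1)), m.group(2).decode("ascii"), int(m.group(3))
    frame = RelpFrame(txnr, command, datalen, b"")
    pos = m.end()
    if datalen == 0:
        # No DATA: the LF trailer follows DATALEN directly, e.g. '0 serverclose 0\n'
        if raw[pos:pos + 1] != b"\n":
            frame.problems.append("missing LF trailer after DATALEN 0")
        return frame
    if raw[pos:pos + 1] != b" ":
        frame.problems.append("missing SP between DATALEN and DATA")
        return frame
    data = raw[pos + 1:pos + 1 + datalen]
    trailer = raw[pos + 1 + datalen:pos + 2 + datalen]
    frame.data = data
    if len(data) < datalen:
        frame.problems.append(f"frame holds {len(data)} DATA bytes but DATALEN says {datalen}")
    if trailer != b"\n":
        frame.problems.append("missing LF trailer after DATA")
    # Offers and syslog records are UTF-8 text. Corruption of the decrypted TLS
    # record shows up as undecodable or control bytes while DATALEN stays right.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        frame.problems.append("DATA is not valid UTF-8")
    if any((b < 0x20 and b != 0x0A) or b == 0x7F for b in data):
        frame.problems.append("DATA contains control bytes other than LF")
    return frame


def parse_open_offers(data: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Split 'open' DATA into key=value lines; return (known offers, unknown keys)."""
    offers: Dict[str, str] = {}
    unknown: List[str] = []
    for line in data.split(b"\n"):
        if not line:
            continue
        key, _, value = line.partition(b"=")
        key_s = key.decode("utf-8", errors="replace")
        if key_s in KNOWN_OFFERS:
            offers[key_s] = value.decode("utf-8", errors="replace")
        else:
            unknown.append(key_s)
    return offers, unknown


# Constructed sample: the well-formed 'open' frame gnutls-cli printed (85 DATA bytes + LF).
GOOD_OPEN_FRAME = (
    b"1 open 85 relp_version=0\n"
    b"relp_software=librelp,1.2.7,http://librelp.adiscon.com\n"
    b"commands=syslog\n"
)


def corrupt_open_frame(frame: bytes) -> bytes:
    """Constructed sample: overwrite 'ersion=0\\n' with junk bytes, keeping
    DATALEN correct, to mimic the 'relp_v...relp_software' offer in the debug log."""
    data = bytearray(frame[10:95])  # the 85 DATA bytes after '1 open 85 '
    data[6:15] = b"\xff\xfe%O\x80\x81)C\x00"
    return b"1 open 85 " + bytes(data) + b"\n"


BAD_OPEN_FRAME = corrupt_open_frame(GOOD_OPEN_FRAME)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_OPEN_FRAME), ("bad", BAD_OPEN_FRAME)):
        f = parse_frame(raw)
        offers, unknown = parse_open_offers(f.data)
        print(label, f.command, f.datalen, f.problems, offers, unknown)
```

Run against a frame captured from the plaintext side (the gnutls-cli "Simple Client Mode" output is usable as-is), the good frame parses with no problems and all three offers known, while the corrupted one keeps DATALEN 85 and a valid trailer but reports non-UTF-8 and control bytes and yields a single unknown offer key, which is the same failure mode the imrelp debug log reports as "ignoring unknown client offer".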
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
