2016-03-29 11:50 GMT+02:00 Elmopi, Stefano <[email protected]>:
> Hi,
>
> thanks for the reply. So with CentOS 6.6, without recompiling librelp, can
> I not configure TLS ?? Even if you install an earlier version of rsyslog ??
> I tried to configure the module imtcp with TLS but it still has to be in
> error also with the option anonymous TLS !!!

If you just use tls="on" and no other TLS parameters, this works. I
have done it 5 minutes ago ;)

> In short, without recompilation, is there no option to configure TLS on
> CentOS 6.6 ??

But... I am working on this case

https://github.com/rsyslog/rsyslog/issues/907

which shows that CentOS 6 requires a patch to librelp because its
version of GnuTLS needs libgcrypt. The patch is upcoming and will lead
to a new release of librelp within the next days.

Rainer

>
> Best Regards
>
> Message: 29
> Date: Thu, 24 Mar 2016 13:18:15 +0100
> From: "Elmopi, Stefano" <[email protected]>
> To: [email protected]
> Subject: [rsyslog] Problem with RELP TLS
> Message-ID:
>         <caaldbuedjtbtuchaxao2tij-bdlmgo883c2g3cvhp-pidy4...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
> I installed rsyslog on CentOS 6.6, these are the installed packages:
> rsyslog-8.17.0-1.el6.x86_64
> rsyslog-mysql-8.17.0-1.el6.x86_64
> rsyslog-gnutls-8.17.0-1.el6.x86_64
> rsyslog-snmp-8.17.0-1.el6.x86_64
> rsyslog-relp-8.17.0-1.el6.x86_64
> librelp-1.2.9-1.el6.x86_64
> gnutls-2.8.5-19.el6_7.x86_64
>
> and I would like to configure Relp with TLS:
>
> input(type="imrelp" name="TCP_Collector" ruleset="Collector" port="20514"
>         tls="on"
>         tls.caCert="/etc/pki/rsyslog/CA/CA_Collaudo.crt"
>         tls.myCert="/etc/pki/rsyslog/Certs/sys01devpom.sociale.it.crt"
>         tls.myPrivKey="/etc/pki/rsyslog/Key/sys01devpom.sociale.it.pem"
>         tls.authMode="name"
>         tls.permittedpeer=["*.sociale.it"]
> )
>
> but when I start rsyslog, read in the log file:
>
> rsyslogd-2291: imrelp: could not activate relp listner, code 10046 [v8.17.0
> try http://www.rsyslog.com/e/2291 ]
>
> only this line and nothing else.
> I made many tests and searched a lot on Google but nothing, I found no
> solution
> Thanks for your help
>
> Best Regards
>
> Ing. Stefano Elmopi
> Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
> Via Ostiense 131/L Corpo B, 00154 Roma
>
> cell. 3466147165
> tel. 0657060500
>
> email:[email protected]
>
> ------------------------------
>
> Message: 30
> Date: Thu, 24 Mar 2016 14:52:54 +0100
> From: Rainer Gerhards <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] Problem with RELP TLS
> Message-ID:
>         <cadk+mpcnxtmgp1oi0iq7p1qmv5rcqv-hp7e_m2cmpwfapnk...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> 2016-03-24 13:18 GMT+01:00 Elmopi, Stefano <[email protected]>:
>> but when I start rsyslog, read in the log file:
>>
>> rsyslogd-2291: imrelp: could not activate relp listner, code 10046 [v8.17.0
>> try http://www.rsyslog.com/e/2291 ]
>
> From librelp:
> #define RELP_RET_ERR_NO_TLS_AUTH RELPERR_BASE + 46 /**< platform does not provide TLS auth support */
>
> So it looks like CentOS 6.6 does not offer a recent enough version of
> GnuTLS to support TLS authentication. Some of the APIs we need are
> missing. I remember we implemented a work-around to at least support
> anonymous TLS for such platforms.
>
> You can solve this by installing a new GnuTLS version and building
> librelp (and possibly rsyslog) from source.
>
> As a side note, the same information is present in the link rsyslog
> gave in the error message ;)
>
> HTH
> Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
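
The anonymous-TLS fallback described in the thread, written out as an added example that is not part of the original messages or the rsyslog project's own documentation. The listener reuses the poster's name, ruleset and port; the sender side and its target host name (collector.example.net) are assumptions made for illustration.

```conf
# --- Receiver (the CentOS 6 host from the thread) -------------------------
# Assumes the "Collector" ruleset is defined elsewhere, as in the post.
module(load="imrelp")

# Only tls="on": the form reported in the thread as working with the stock
# librelp/GnuTLS packages. The session is encrypted, but no certificate is
# exchanged, so neither side proves its identity to the other.
input(type="imrelp" name="TCP_Collector" ruleset="Collector" port="20514"
      tls="on")

# Parameters from the original post that led to "code 10046"
# (RELP_RET_ERR_NO_TLS_AUTH) on this platform. Restore them once a librelp
# build with TLS authentication support for the platform is installed:
#   tls.caCert="/etc/pki/rsyslog/CA/CA_Collaudo.crt"
#   tls.myCert="/etc/pki/rsyslog/Certs/sys01devpom.sociale.it.crt"
#   tls.myPrivKey="/etc/pki/rsyslog/Key/sys01devpom.sociale.it.pem"
#   tls.authMode="name"
#   tls.permittedpeer=["*.sociale.it"]

# --- Sender (assumed; host name below is a placeholder) -------------------
module(load="omrelp")

# Must also run without certificate parameters so both ends negotiate
# anonymous TLS.
action(type="omrelp" target="collector.example.net" port="20514"
       tls="on")
```

Because tls.permittedpeer is not in effect in this mode, any host that can reach port 20514 can submit messages; restricting the port to known senders at the firewall compensates until certificate-based authMode="name" can be re-enabled.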

