The Cisco ASA is in fact using TLS, and until recent patches to address some 
IKE vulnerabilities had no issue with the client certificate request. 
Unfortunately now, when the server sends the client certificate requests, the 
ASA "breaks" and just stops transmitting, leaving a session hanging open on the 
server and does not send any data. The ASA will in fact repeatedly open a new 
connection without closing the first and end up causing several sessions to 
hang on the server side.

I honestly didn't delve into the uses of the client certificate in anon mode. 
What data do you use in this case?

Thanks,
Nathaniel

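The failure mode described above (a sender that stalls after the CertificateRequest and then keeps opening fresh connections without closing the earlier ones) shows up on the collector as a growing pile of established sessions from one peer. The script below, added here as an illustration and not code from the thread or from the rsyslog project, parses `ss -tan`-style output and flags peers holding more than a threshold of established sessions on the listener port. The listener port (6514), the threshold, and the sample socket table are all constructed assumptions.

```python
"""Flag syslog senders that accumulate hung TLS sessions on the collector.

Counts ESTAB sockets per peer on the rsyslog listener port, parsing text in
the layout of `ss -tan`.  Port 6514 and the threshold are assumptions; the
socket table below is constructed for the example, not a real capture.
"""
from collections import Counter

# Constructed sample in the column layout of `ss -tan` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
ESTAB      0      0      10.0.0.5:6514          192.0.2.10:51234
ESTAB      0      0      10.0.0.5:6514          192.0.2.10:51240
ESTAB      0      0      10.0.0.5:6514          192.0.2.10:51251
ESTAB      0      0      10.0.0.5:6514          192.0.2.10:51263
ESTAB      0      0      10.0.0.5:6514          203.0.113.7:40001
TIME-WAIT  0      0      10.0.0.5:6514          203.0.113.7:39990
ESTAB      0      0      10.0.0.5:22            198.51.100.2:55000
ESTAB      0      0      [::ffff:10.0.0.5]:6514 [::ffff:192.0.2.10]:51270
"""


def split_host_port(addr):
    """Split 'host:port' or '[v6]:port'; fold IPv4-mapped IPv6 back to IPv4."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, int(port)


def count_established_per_peer(ss_text, listener_port=6514):
    """Return {peer_ip: established_sessions} for sockets on listener_port."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        # Skip the header row and anything not fully established.
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_host_port(fields[3])
        if local_port != listener_port:
            continue
        peer_host, _ = split_host_port(fields[4])
        counts[peer_host] += 1
    return dict(counts)


def find_hung_peers(counts, max_sessions=2):
    """Peers holding more sessions than a single healthy sender should need."""
    return sorted(peer for peer, n in counts.items() if n > max_sessions)


if __name__ == "__main__":
    per_peer = count_established_per_peer(SAMPLE_SS_OUTPUT)
    for peer, n in sorted(per_peer.items()):
        print(f"{peer:16} established sessions: {n}")
    for peer in find_hung_peers(per_peer):
        print(f"WARNING: {peer} holds more than 2 sessions; check for a stalled handshake")
```

On a live collector, feed the function the output of `ss -tan` (for example via `subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout`) from a cron job or a monitoring check; a single ASA that is healthy needs one session, so a steadily rising count from one peer is the signature worth alerting on.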
-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Monday, May 02, 2016 2:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] TLS Anon Patch

are you sure the Cisco is supporting TLS, not just doing plaintext over TCP?

If the client has a cert to offer, we still want to gather the data from it,
even if we don't require validation.

David Lang

On Mon, 2 May 2016, Wingard, Nathaniel wrote:

> Date: Mon, 2 May 2016 17:35:20 +0000
> From: "Wingard, Nathaniel" <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: Re: [rsyslog] TLS Anon Patch
>
> Apparently I can't use my own email client...
>
>
> I am using Rsyslog 8.18.0 and have several Cisco ASAs sending logs via TCP 
> TLS.
> One of the recent patches to the Cisco IOS tends to cause the syslog 
> connection to break when the ASA receives a Client Certificate Request as 
> part of the TLS handshake.
>
> I am running rsyslog with the StreamDriver.AuthMode="anon" config. As such I 
> do not require the client certificate for anything. I have attached a patch 
> that I hope will be accepted into the mainline that disables the client 
> certificate request when in TLS "anon" mode.
>
> I don't see any side effects to this change, but my testing has been limited 
> to "Works for Me" as I don't have a very good testbench.
>
> Thanks,
> Nathaniel
>
>
> From: Wingard, Nathaniel
> Sent: Monday, May 02, 2016 1:31 PM
> To: '[email protected]'
> Subject: TLS Anon Patch
>
> I am using Rsyslog 8.18.0 and have several Cisco ASAs sending logs via TCP 
> TLS.
> One of the recent patches to the Cisco IOS tends to cause the syslog 
> connection to break when the ASA receives a Client Certificate Request as 
> part of the TLS handshake.
>
> I am running rsyslog with the following congi
> ________________________________
>
> This email message and any attachments may contain confidential, proprietary 
> or non-public information. The information is intended solely for the 
> designated recipient(s). If an addressing or transmission error has 
> misdirected this email, please notify the sender immediately and destroy this 
> email. Any review, dissemination, use or reliance upon this information by 
> unintended recipients is prohibited. Any opinions expressed in this email are 
> those of the author personally.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.