Hi All,
I've been struggling for some time to get rsyslog TLS tested with ssl.CERT_REQUIRED or ssl.CERT_OPTIONAL, so I'm just testing with ssl.CERT_NONE. I am getting "error: peer name not authorized - not permitted to talk to it".
Please advise if the issue I'm experiencing with rsyslog v8.34 could be related to https://kb.monitorware.com/tcp-tls-peer-name-not-authorized-t1771-15.html ?

I also tried with StreamDriver.authmode="anon" but I got "unexpected GnuTLS error -9 in nsd_gtls.c:545: A TLS packet with unexpected length was received. [v8.34.0 try http://www.rsyslog.com/e/2078 ]"

netstat -nap|grep rsyslog
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      8085/rsyslogd
tcp        0      0 0.0.0.0:10514               0.0.0.0:*                   LISTEN      8085/rsyslogd
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               8085/rsyslogd

2018 May  7 20:02:02 ip-10-162-71-47   [origin software="rsyslogd" swVersion="8.34.0" x-pid="8085" x-info="http://www.rsyslog.com";] start
2018 May  7 20:02:19 ip-10-162-71-47  error: peer name not authorized -  not permitted to talk to it. Names: DNSname: log.mydomain.org; DNSname: myserver.mydomain.org; CN: log.mydomain.org;  [v8.34.0 try http://www.rsyslog.com/e/2088 ]
2018 May  7 20:02:19 ip-10-162-71-47  netstream session 0x7fde800139f0 from 10.162.71.150 will be closed due to error [v8.34.0 try http://www.rsyslog.com/e/2089 ]

Here is my current config to support TLS:

global(
    defaultNetstreamDriver="gtls"
    #defaultNetstreamDriverCaFile="/opt/rsyslog/certs/MYDOMAIN_ROOT.pem"
    defaultNetstreamDriverCaFile="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    defaultNetstreamDriverCertFile="/opt/rsyslog/certs/log_mydomain.pem"
    defaultNetstreamDriverKeyFile="/opt/rsyslog/certs/log-key.pem"
)
module(
    load="imtcp"
    StreamDriver.mode="1"
    StreamDriver.authmode="x509/name" #Test1
    #StreamDriver.authmode="anon" #test2
    # permittedPeer takes an array; a single comma-separated string is matched
    # as one literal peer name and never matches a certificate.
    permittedPeer=["10.162.71.150", "*.org", "awslxserver.dev.aws.mydomain.org", "*.*"]
    #permittedPeer=["*.*", "*.com"]
)
input(type="imtcp" port="514")

Please advise 1) if the above rsyslog configuration needs to be updated and 2) how I could test sending TLS messages to the rsyslog server with TLS enabled?
Thanks.
Mike

------------------
Here is the Python code I tried to test sending the rsyslog message:

#!/usr/bin/python3
import os
import socket
import ssl
# Unused imports from the original (sys, argparse, json, time, logging,
# traceback, hashlib, fcntl) dropped; requests is not needed for a raw TLS socket.
#import requests
#from requests.utils import DEFAULT_CA_BUNDLE_PATH

cacert_pem_path = "/etc/ssl/certs"
my_keyfile = "/opt/rsyslog/certs/log-key.pem"
my_certfile = "/opt/rsyslog/certs/log_mydomain.pem"
os.environ["REQUESTS_CA_BUNDLE"] = cacert_pem_path
server_url = 'awslxserver.dev.aws.mydomain.org'
#server_url = 'localhost'
port = 514
data = 'test-5-7-2018'
output_type = 'tcp+tls'

#print(DEFAULT_CA_BUNDLE_PATH)
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
# Client certificate and key presented to rsyslog (checked under x509/name).
#context.load_cert_chain(my_certfile, keyfile=None, password=None)
context.load_cert_chain(my_certfile, keyfile=my_keyfile, password=None)
# CERT_NONE, CERT_OPTIONAL or CERT_REQUIRED.
context.verify_mode = ssl.CERT_NONE
context.check_hostname = False
context.load_verify_locations(cafile=None, capath="/etc/ssl/certs", cadata=None)
#context.load_verify_locations(cafile=cacert_pem_path, capath=None, cadata=None)
context.load_default_certs()

unsecured_client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Wrap first, then connect: with do_handshake_on_connect=True the TLS
# handshake runs inside connect().
client_socket = context.wrap_socket(unsecured_client_socket,
                                    server_side=False,
                                    do_handshake_on_connect=True,
                                    suppress_ragged_eofs=True,
                                    server_hostname=server_url)
client_socket.connect((server_url, port))
# Terminate the record with "\n" so imtcp sees a complete message.
client_socket.sendall((data + "\n").encode("utf-8"))
client_socket.close()
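The following is an added example, not code from the original post or from the rsyslog project, of a test client that does what the script above skips: it verifies the rsyslog server's certificate (CERT_REQUIRED plus hostname check, via ssl.create_default_context), presents the client certificate that rsyslog checks under authmode x509/name, and sends an RFC 5424 message with RFC 6587 octet-counted framing, which imtcp accepts by default and which does not depend on a trailing newline. The "peer name not authorized" error in the log is the server rejecting the client certificate's names against permittedPeer, so the client's verify_mode does not influence it. Host names, ports and certificate paths in the block are placeholders.

```python
#!/usr/bin/env python3
"""TLS syslog test client: RFC 5424 message, RFC 6587 octet-counted framing.

Added example (not part of the original post). Assumes an rsyslog imtcp
listener with TLS enabled and octet-counted framing on (the imtcp default).
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional

FACILITY_USER = 1
SEVERITY_INFO = 6


def build_syslog_message(hostname: str, appname: str, text: str,
                         facility: int = FACILITY_USER,
                         severity: int = SEVERITY_INFO,
                         timestamp: Optional[str] = None) -> bytes:
    """RFC 5424 layout: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {appname} - - - {text}".encode("utf-8")


def frame_octet_counted(message: bytes) -> bytes:
    """RFC 6587 octet counting: decimal byte length, a space, then the message.

    The receiver knows exactly where the record ends, so the message is
    processed even if the sender never writes a newline.
    """
    return b"%d %s" % (len(message), message)


def build_client_context(ca_file: Optional[str],
                         cert_file: Optional[str] = None,
                         key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server: CERT_REQUIRED + hostname check.

    create_default_context() enables both; the cert/key pair is the client
    identity that rsyslog compares against permittedPeer under x509/name.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, keyfile=key_file)
    return ctx


def send_syslog_tls(server: str, port: int, ca_file: str, messages: List[bytes],
                    cert_file: Optional[str] = None,
                    key_file: Optional[str] = None,
                    timeout: float = 10.0) -> dict:
    """Connect, verify the server against ca_file, send the framed messages.

    Returns the negotiated TLS version and the server certificate subject so
    the tester can confirm which endpoint actually answered.
    """
    ctx = build_client_context(ca_file, cert_file, key_file)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name checked against the cert.
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            for msg in messages:
                tls.sendall(frame_octet_counted(msg))
            return {"tls_version": tls.version(),
                    "peer_subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    # Placeholder host, port and paths; replace with the real ones.
    msg = build_syslog_message("testclient", "tlscheck", "rsyslog TLS test message")
    print(send_syslog_tls("log.example.org", 10514, "/path/to/ca.pem", [msg],
                          cert_file="/path/to/client.pem",
                          key_file="/path/to/client-key.pem"))
```

If the handshake fails with a certificate verify error, the client is rejecting the server's certificate (wrong CA file or a name mismatch with server_hostname); if the handshake succeeds but rsyslog logs "peer name not authorized", the server is rejecting the client's certificate names, and the permittedPeer list is what to check.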


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog