IIRC librelp requires mutual authentication. Out of my head, there are two ways to avoid this:
1. use anon mode, but this means the server is also not checked
2. deploy the same cert to all clients and make the server accept its fingerprint

#2 exactly does what you want to do, but requires one more file (the client cert) to be deployed. PRs to enable server-only authentication are also happily accepted. Note that @alorbach did recently support openssl inside librelp, not sure if it provides natively what you ask for.

HTH
Rainer

2018-08-14 16:56 GMT+02:00 Lennard Klein via rsyslog <[email protected]>:
> Hi,
>
> On 08/14/2018 03:07 PM, Stephan Seitz wrote:
>>
>> But this doesn't work. The server is requesting a client certificate.
>> Okay, the client has one for its web server, but it seems I have to
>> configure TLS.permittedpeer for the server as well.
>>
>> This means:
>> - Every client needs a certificate which is simply not the case, and
>> with hundreds of VMs no one is going to do this work. And these
>> available certificates are only permitted for server uses, not for
>> client authentication.
>
> I haven't checked, but it could be that these certificate extensions
> aren't used by librelp, in which case this might be your solution.
>
>> - Every client has to be part of TLS.permittedpeer (okay, maybe I can
>> use *.domain here).
>
> *.domain should work
>
>>
>> In the end I want to have a client server configuration like you have
>> for a web server. The client checks the server certificate, but no
>> client certificate is needed. Is this possible?
>
> I believe with imrelp (technically: librelp) what you're describing is
> not possible. This is also mentioned in an issue on github:
> https://github.com/rsyslog/rsyslog/issues/435#issuecomment-326820750
>
> If encryption is more important than reliability, I suppose an
> alternative is using imtcp with a suitable netstream driver, like in
> https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html.
>
> regards,
> Lennard Klein

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
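Option #2 from the reply above, written out as an rsyslog configuration; this is an added example, not configuration posted in the thread or shipped by rsyslog. Hostnames, file paths and the fingerprint value are placeholders; the imrelp/omrelp `tls.*` parameters are the real rsyslog ones, and the same client cert and key are installed on every VM.

```conf
# Server side (imrelp): accept only peers presenting the shared client
# certificate, identified by its fingerprint (option #2 in the thread).
module(load="imrelp")
input(type="imrelp" port="2514"
      tls="on"
      tls.cacert="/etc/rsyslog.d/ca.pem"                  # placeholder path
      tls.mycert="/etc/rsyslog.d/server-cert.pem"         # placeholder path
      tls.myprivkey="/etc/rsyslog.d/server-key.pem"       # placeholder path
      tls.authmode="fingerprint"
      # placeholder: SHA1 fingerprint of the shared client cert
      tls.permittedpeer=["SHA1:PLACEHOLDER_FINGERPRINT_OF_SHARED_CLIENT_CERT"])

# Client side (omrelp), identical on every VM: present the shared client
# certificate and verify the server by the name in its certificate, so the
# server is still checked (unlike anon mode, option #1).
module(load="omrelp")
action(type="omrelp" target="logserver.example.com" port="2514"   # placeholder
       tls="on"
       tls.cacert="/etc/rsyslog.d/ca.pem"                          # placeholder path
       tls.mycert="/etc/rsyslog.d/shared-client-cert.pem"          # placeholder path
       tls.myprivkey="/etc/rsyslog.d/shared-client-key.pem"        # placeholder path
       tls.authmode="name"
       tls.permittedpeer=["logserver.example.com"])                # placeholder name
```

The fingerprint can be read with `openssl x509 -noout -fingerprint -sha1 -in shared-client-cert.pem` and pasted in the `SHA1:xx:xx:...` form rsyslog expects. Because one key is shared by the whole fleet, the fingerprint authenticates "a member of the fleet" rather than an individual VM, so the server cannot tell the clients apart by certificate.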

