When I run the rsyslog server with the priorityString
"NONE:+VERS-TLS1.2:+SHA256:+DHE-RSA:+AES-128-CBC:+SIGN-ALL:+COMP-ALL:+MAC-ALL"
and enable rsyslog's GnuTLS debugging log (by recompiling librelp), it shows
the DHE-RSA cipher getting removed:
DDDD: GnuTLS log msg, level 4: HSK[0x7f4a24002470]: Requested server name: '*******', ctype: X.509 (1)
DDDD: GnuTLS log msg, level 3: ASSERT: gnutls_handshake.c:3376
DDDD: GnuTLS log msg, level 4: HSK[0x7f4a24002470]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA256
DDDD: GnuTLS log msg, level 3: ASSERT: gnutls_handshake.c:3376
DDDD: GnuTLS log msg, level 4: HSK[0x7f4a24002470]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
DDDD: GnuTLS log msg, level 4: HSK[0x7f733c002470]: Requested cipher suites[size: 4]:
DDDD: GnuTLS log msg, level 4:  0x00, 0x67 DHE_RSA_AES_128_CBC_SHA256
DDDD: GnuTLS log msg, level 4:  0x00, 0x33 DHE_RSA_AES_128_CBC_SHA1
...
6940.328823397:imrelp.c       : librelp: generic error: ecode 10039, emsg
'TLS handshake failed [gnutls error -21: Could not negotiate a supported
cipher suite.]'
6940.328857045:imrelp.c       : Called LogMsg, msg: imrelp[514]: error 'TLS
handshake failed [gnutls error -21: Could not negotiate a supported cipher
suite.]', object  'lstn 514: conn to clt 192.168.168.10/*****' - input may
not work as intended
rsyslogd: imrelp[514]: error 'TLS handshake failed [gnutls error -21: Could
not negotiate a supported cipher suite.]', object  'lstn 514: conn to clt
192.168.168.10/****' - input may not work as intended [v8.24.0 try
http://www.rsyslog.com/e/2353 ]



But when I debug this issue with gnutls-serv + gnutls-cli, the handshake is
successful.
Server command: gnutls-serv -d 10 -r -p 514 --x509cafile path-to-ca.pem
--x509keyfile path-to-key.pem --x509certfile path-to-cert.pem --priority
"NONE:+VERS-TLS1.2:+SHA256:+DHE-RSA:+AES-128-CBC:+SIGN-ALL:+COMP-ALL:+MAC-ALL"

Client command: gnutls-cli -d 10 -r -p 514 rsyslog-server-host-name
--x509cafile path-to-ca.pem --x509keyfile path-to-key.pem --x509certfile
path-to-cert.pem --priority
"NONE:+VERS-TLS1.2:+SHA256:+DHE-RSA:+AES-128-CBC:+SIGN-ALL:+COMP-ALL:+MAC-ALL"

The server log says it is keeping the cipher:
|<4>| HSK[0xd1f440]: Requested server name: 'ex4000', ctype: X.509 (1)
|<4>| HSK[0xd1f440]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0xd1f440]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0xd1f440]: Requested cipher suites[size: 4]:
|<4>|   0x00, 0x67 DHE_RSA_AES_128_CBC_SHA256
|<4>| HSK[0xd1f440]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA256


Also, if I run gnutls-serv on the rsyslog server side and use the rsyslog
sender to test the handshake, it is successful as well.


Does anyone know why the DHE-RSA cipher gets removed when using the rsyslog server?



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
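An added example (my own code, not from the post, rsyslog, librelp or GnuTLS) that models how a NONE-based GnuTLS priority string selects TLS 1.2 ciphersuites from a small constructed suite table: it reproduces the two-suite offer (0x00,0x67 and 0x00,0x33) seen in both logs above and shows that two peers using the thread's string do agree on DHE_RSA_AES_128_CBC_SHA256, so the priority strings themselves are not where the two sides disagree. Keyword semantics are simplified and the helper names are hypothetical.

```python
# Simplified model of how a NONE-based GnuTLS priority string picks TLS 1.2
# ciphersuites (hypothetical helper, not GnuTLS code): NONE clears, +KW enables,
# -KW/!KW disables; VERS-*, SIGN-*, COMP-* are accepted but do not pick a suite.
# Constructed subset of the TLS 1.2 ciphersuite table (standard IANA codes).
SUITES = [  # (code, GnuTLS name, key exchange, cipher, MAC)
    ("0x00,0x67", "DHE_RSA_AES_128_CBC_SHA256", "DHE-RSA", "AES-128-CBC", "SHA256"),
    ("0x00,0x33", "DHE_RSA_AES_128_CBC_SHA1", "DHE-RSA", "AES-128-CBC", "SHA1"),
    ("0x00,0x6B", "DHE_RSA_AES_256_CBC_SHA256", "DHE-RSA", "AES-256-CBC", "SHA256"),
    ("0x00,0x3C", "RSA_AES_128_CBC_SHA256", "RSA", "AES-128-CBC", "SHA256"),
    ("0xC0,0x27", "ECDHE_RSA_AES_128_CBC_SHA256", "ECDHE-RSA", "AES-128-CBC", "SHA256"),
]
# Group keywords expand to every value of their category, in this order.
GROUPS = {
    "KX-ALL": ("kx", ["ECDHE-RSA", "DHE-RSA", "RSA"]),
    "CIPHER-ALL": ("cipher", ["AES-256-CBC", "AES-128-CBC"]),
    "MAC-ALL": ("mac", ["SHA256", "SHA1"]),
}
CATEGORY = {v: cat for cat, vals in GROUPS.values() for v in vals}

def parse_priority(prio):
    """Return {category: [enabled values in preference order]}."""
    enabled = {cat: [] for cat, _ in GROUPS.values()}
    for tok in prio.split(":"):
        if tok == "NONE":
            enabled = {cat: [] for cat, _ in GROUPS.values()}
            continue
        if not tok or tok[0] not in "+-!":
            raise ValueError(f"only NONE-based strings are modeled, got {tok!r}")
        op, kw = tok[0], tok[1:]
        cat, values = GROUPS.get(kw) or (CATEGORY.get(kw), [kw])
        if cat is None:
            continue  # e.g. VERS-TLS1.2, SIGN-ALL, COMP-ALL: not suite selectors
        for v in values:
            if op == "+" and v not in enabled[cat]:
                enabled[cat].append(v)
            elif op != "+" and v in enabled[cat]:
                enabled[cat].remove(v)
    return enabled

def offered_suites(prio):
    """(code, name) of every suite a peer using `prio` would offer, in order."""
    e = parse_priority(prio)
    keep = [s for s in SUITES if s[2] in e["kx"] and s[3] in e["cipher"] and s[4] in e["mac"]]
    keep.sort(key=lambda s: (e["kx"].index(s[2]), e["cipher"].index(s[3]), e["mac"].index(s[4])))
    return [(s[0], s[1]) for s in keep]

def negotiated_suite(client_prio, server_prio):
    """Suite the server would pick (server preference), or None: 'could not negotiate'."""
    offered = {code for code, _ in offered_suites(client_prio)}
    return next(((c, n) for c, n in offered_suites(server_prio) if c in offered), None)
```

Feeding the thread's string to both sides yields the same two suites the logs list as "Requested cipher suites", and the same selected suite that gnutls-serv reports.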