Oh, and you didn't provide any "tls.permittedpeer=["..."]" so the next error that you should see on the server side is something like:
rsyslogd: imrelp[2514]: authentication error 'non-permited fingerprint', peer is '�� r� '
rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object 'lstn 2514: conn to clt ....

Regards,
Flo

On Thu, Dec 6, 2018 at 3:47 PM [email protected] <[email protected]> wrote:

> Little more info whilst I was looking:
>
> The rsyslog.conf configuration,
>
> The CLIENT has
> action(
>     type="omrelp"
>     target="a-be-s3005-msl"
>     port="2514"
>     tls="on"
>     tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
>     tls.myCert="/etc/rsyslog.d/ssl/client.crt"
>     tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
>
> The SERVER has
> input(
>     type="imrelp"
>     port="2514"
>     maxDataSize="8k"
>     tls="on"
>     tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
>     tls.myCert="/etc/rsyslog.d/ssl/server.crt"
>     tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
> )
>
> CLIENT connects to server and gets this,
> # openssl s_client -connect be-s3005-msl:2514 -CAfile company-ca.crt -cert client.crt -key client.key
> CONNECTED(00000003)
> 140081314850704:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.2
>     Cipher : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1544107265
>     Timeout : 300 (sec)
>     Verify return code: 0 (ok)
> ---

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
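The missing peer restriction mentioned in the reply, shown as an added example that is not part of the original thread: the quoted client and server blocks with tls.authMode and tls.permittedPeer filled in. The choice of "name" mode and the two host names are assumptions (constructed placeholders); the certificate paths, target and port are the ones quoted above.

```conf
# SERVER: accept RELP/TLS only from clients whose certificate chains to the
# company CA *and* carries a permitted name.
module(load="imrelp")
input(
    type="imrelp"
    port="2514"
    maxDataSize="8k"
    tls="on"
    tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
    tls.myCert="/etc/rsyslog.d/ssl/server.crt"
    tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
    tls.authMode="name"                           # assumption: name-based auth
    tls.permittedPeer=["client01.example.net"]    # constructed placeholder
)

# CLIENT: verify the server's certificate the same way before sending logs.
module(load="omrelp")
action(
    type="omrelp"
    target="a-be-s3005-msl"
    port="2514"
    tls="on"
    tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
    tls.myCert="/etc/rsyslog.d/ssl/client.crt"
    tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
    tls.authMode="name"                           # assumption: name-based auth
    tls.permittedPeer=["logserver.example.net"]   # constructed placeholder
)
```

With tls.authMode="fingerprint" the permittedPeer entries are certificate fingerprints instead of names, which is the mode the 'non-permited fingerprint' message above refers to.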

