Hi folks,

I added the tls.permittedpeer part and had similar errors produced,

input(
type="imrelp"
port="2514"
maxDataSize="8k"
tls="on"
tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
tls.myCert="/etc/rsyslog.d/ssl/server.crt"
tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
tls.permittedpeer=["*be.local", "*.oob.intra", "*.intra"]
)

2018-12-07T14:48:45.173348+01:00 3005 rsyslogd:  [origin software="rsyslogd" swVersion="8.39.0" x-pid="4636" x-info="http://www.rsyslog.com"] start
2018-12-07T14:48:45.384140+01:00 3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -54: Error in the pull function.]', object  'lstn 2514: conn to clt 192.168.101.34/2450.oob.intra' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]
2018-12-07T14:48:45.384156+01:00 3005 rsyslogd: imrelp[2514]: error 'TLS record write failed [gnutls error -10: The specified session has been invalidated for some reason.]', object  'lstn 2514: conn to clt 192.168.101.34/2450.oob.intra' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]



> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of
> sophie.loewenthal--- via rsyslog
> Sent: Thursday, December 06, 2018 4:07 PM
> To: Flo Rance
> Cc: LOEWENTHAL Sophie; rsyslog-users
> Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates
> 
> I got this:
> 
> 2018-12-06T15:38:59.909637+01:00 s3005 rsyslogd: imrelp[2514]: authentication error 'peer did not provide a certificate', peer is '' [v8.39.0 try http://www.rsyslog.com/e/2353 ]
> 2018-12-06T15:38:59.909646+01:00 s3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object  'lstn 2514: conn to clt ::1/localhost' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]
> 
> Best wishes,
> Sophie
> 
> From: Flo Rance [mailto:[email protected]]
> Sent: Thursday, December 06, 2018 4:03 PM
> To: LOEWENTHAL Sophie
> Cc: rsyslog-users
> Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates
> 
> Oh, and you didn't provide any "tls.permittedpeer=["..."]" so the next error that you should see on the server side is something like:
> 
> rsyslogd: imrelp[2514]: authentication error 'non-permited fingerprint', peer is '�� r� '
> rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object  'lstn 2514: conn to clt ....
> 
> Regards,
> Flo
> 
> On Thu, Dec 6, 2018 at 3:47 PM [email protected]
> <[email protected]> wrote:
> Little more info whilst I was looking:
> 
> 
> The rsyslog.conf configuration,
> 
> The CLIENT has
> action(
> type="omrelp"
> target="a-be-s3005-msl"
> port="2514"
> tls="on"
> tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
> tls.myCert="/etc/rsyslog.d/ssl/client.crt"
> tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
> 
> The SERVER has
> input(
> type="imrelp"
> port="2514"
> maxDataSize="8k"
> tls="on"
> tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
> tls.myCert="/etc/rsyslog.d/ssl/server.crt"
> tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
> )
> 
> 
> CLIENT connects to server and gets this,
> # openssl s_client -connect be-s3005-msl:2514 -CAfile company-ca.crt -cert client.crt -key client.key
> CONNECTED(00000003)
> 140081314850704:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1544107265
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
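As an added example (not code from the thread or from the rsyslog project), a small Python parser for the imrelp failure lines quoted above, for anyone who wants to alert on rejected RELP clients at the collector rather than discover them by reading /var/log by hand. The message patterns are an assumption taken from the 8.39.0 wording shown in this thread; other versions may phrase them differently.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Message shapes are assumed from the imrelp lines quoted in this thread (rsyslog 8.39.0).
HANDSHAKE_RE = re.compile(
    r"imrelp\[(?P<port>\d+)\]: error '[^'\[]+\[gnutls error (?P<code>-?\d+): "
    r"(?P<reason>[^\]]+)\]', object\s+'lstn \d+: conn to clt (?P<peer>[^']+)'")
AUTH_RE = re.compile(
    r"imrelp\[(?P<port>\d+)\]: authentication error '(?P<reason>[^']+)', "
    r"peer is '(?P<peer>[^']*)'")

@dataclass
class RelpTlsEvent:
    kind: str                  # "handshake" (GnuTLS failure) or "auth" (identity rejected by rsyslog)
    port: int                  # imrelp listener port
    reason: str                # GnuTLS text or rsyslog's authentication reason
    peer: str                  # "ip/host" for handshake errors; presented identity for auth ('' = none)
    gnutls_code: Optional[int] = None

    def is_identity_failure(self) -> bool:
        # -43 is GNUTLS_E_CERTIFICATE_ERROR; -54/-10 are transport-level, not identity, failures
        return self.kind == "auth" or self.gnutls_code == -43

def parse_line(line: str) -> Optional[RelpTlsEvent]:
    """Return an event for imrelp TLS/auth failures, None for any other log line."""
    m = HANDSHAKE_RE.search(line)
    if m:
        return RelpTlsEvent("handshake", int(m["port"]), m["reason"], m["peer"], int(m["code"]))
    m = AUTH_RE.search(line)
    if m:
        return RelpTlsEvent("auth", int(m["port"]), m["reason"], m["peer"])
    return None

def count_failures(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Aggregate per (kind, reason, peer): the view worth alerting on for a log collector."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for ev in filter(None, map(parse_line, lines)):
        key = (ev.kind, ev.reason, ev.peer)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Sample input: three failure lines quoted in this thread, with the trailing "try http://..." hints trimmed.
SAMPLE_LOG = [
    "2018-12-07T14:48:45.384140+01:00 3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed "
    "[gnutls error -54: Error in the pull function.]', object  'lstn 2514: conn to clt 192.168.101.34/2450.oob.intra'",
    "2018-12-06T15:38:59.909637+01:00 s3005 rsyslogd: imrelp[2514]: authentication error "
    "'peer did not provide a certificate', peer is ''",
    "2018-12-06T15:38:59.909646+01:00 s3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed "
    "[gnutls error -43: Error in the certificate.]', object  'lstn 2514: conn to clt ::1/localhost'",
]
```

Feeding the collector's own log through `count_failures` separates peers that never reached TLS (the -54 pull errors) from peers whose certificate or identity was actually rejected, which is the set worth a ticket.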