OK. It turned out I cannot read ;-)

But seriously - the docs state that chained certs should work with openssl 1.0.2 (I have no idea why I read it at first as "1.0.7" or something like that; is there such a version at all? :-)) but you only get one ssl context. OK, that's fine by me. But even though I configured chained certs, I still get the server hello with only a single cert. Seems I'll have to dig deeper.

Are there any caveats I should be aware of?

On 21/01/2021 11:22, Mariusz Kruk via rsyslog wrote:
Sure. I can rebuild the whole rsyslog package or just the RELP components :-)

I just wanted to avoid custom building altogether because that introduces another level of support burden on my side :-)

I can't understand one more thing though.

I'm trying to set up two different RELP inputs with two different CA certificates. In fact, I have at least three RELP inputs but it seems that all are obviously affected.

It seems that, unfortunately, with openssl-1.0.2 the certs, even though provided on a per-input basis, configure the main openssl context and only the "first ones" work. So even though I define different sets of certs for each input, I get the same certs bound to all inputs. Is it just a restriction of openssl-1.0.2 and there's no way around it? Or is it somehow "workaroundable" in 8.2012? (for now I only upgraded up to 8.2010 because it didn't force me to change my config).

I would very much like to avoid custom building so I'm starting to think about leaving rsyslog-based TLS encryption and just offloading it to stunnel. I'm not sure though if it won't raise new problems.


On 21/01/2021 10:30, Rainer Gerhards wrote:
you can always rebuild librelp yourself - that's the obvious solution...

My 2cts
Rainer
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.