And... ladies and gentlemen... it's getting weirder and weirder.

I got so focused on what's not working that I missed the fact that on many other rsyslog instances the chained certs seem to be working OK.

And here's where it gets confusing.

I have two different sites with a pretty identical config except for IPs and certs.

One of those sites connects OK to a RELP receiver, another one - doesn't.

OK. So I try to do just plain openssl s_client -connect with a certificate that I have for each machine.

For one machine it works - the client shows full certificate path (Subject,Intermediate1,Root,Root), for the other one - the client shows only the subject's certificate (whereas the file contains Subject,Intermediate2,Root,Root).

But if I try and do openssl verify, each step of the chain does verify properly.

So it's no wonder that if the remote end shows only its Subject certificate without proper chain, the server responds with "go away, I don't know your CA". That's pretty normal.

To make things even more confusing, the RELP input also shows only the Subject certificate in the Server Hello message even though it does have the same Intermediate1,Root,Root path as the working client.

As you can imagine, I'm going a bit bananas at the moment ;-)

Anyone ever had similar problem?

Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: [email protected]
e-mail: [email protected]
tel: +48 608 623 299
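The symptom above (openssl verify passes for every step, yet s_client shows only the leaf) makes the bundle file itself the first thing to rule out, because the order in the file is the order TLS presents: the end-entity certificate first, then each certificate that issued the one before it. The following checker is an added example, not code from this thread or from rsyslog/librelp. It walks the DER of each PEM block just far enough to pull out the issuer and subject Names, compares them byte-for-byte along the file, and reports order breaks and redundant duplicates (the Root,Root tail). The sample bundles at the bottom are constructed: unsigned certificate shells with made-up names (`relp-client.example.test`, `Intermediate1`, `Intermediate2`, `Root`), so the script runs offline; point `check_chain` at the text of a real bundle to use it.

```python
import base64
import re

# Matches every CERTIFICATE block in a PEM bundle, in file order.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into (tag, full_encoding) for each child."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = _read_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out


def names_of(der):
    """Return (issuer, subject) of one DER certificate as their full DER encodings.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0][1], 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:  # explicit [0] version tag present (v2/v3 certificates)
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def check_chain(pem_text):
    """Audit a PEM bundle in the order TLS will present it: entry 0 must be the
    end-entity certificate and each later entry must have issued the one before
    it. Names are compared byte-for-byte, the common case in chain building.
    Returns a list of findings; an empty list means the order is consistent."""
    ders = pem_to_der_list(pem_text)
    if not ders:
        return ["no CERTIFICATE blocks found"]
    names = [names_of(d) for d in ders]
    findings = []
    if len(ders) == 1:
        findings.append("bundle holds one certificate only: no intermediates would be sent")
    for i in range(len(ders) - 1):
        if names[i][0] != names[i + 1][1]:
            findings.append(f"cert {i} is not issued by cert {i + 1}: chain breaks at position {i}")
    for i, der in enumerate(ders):
        j = ders.index(der)
        if j < i:
            findings.append(f"cert {i} is a byte-for-byte duplicate of cert {j} (redundant)")
    return findings


# ---- constructed sample data: unsigned, structurally valid certificate shells ----
def _tlv(tag, value):
    """Encode one DER TLV (definite length, values up to 65535 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }"""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Build a PEM certificate shell with the given names. Key and signature are
    empty placeholders: this is constructed test data, not a usable credential."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))      # [0] version v3
                   + _tlv(0x02, b"\x01")                    # serialNumber
                   + sha256_rsa                             # signature algorithm
                   + _name(issuer_cn)
                   + _tlv(0x30, _tlv(0x17, b"210101000000Z") + _tlv(0x17, b"310101000000Z"))
                   + _name(subject_cn)
                   + _tlv(0x30, b""))                       # empty SubjectPublicKeyInfo
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))  # empty signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Consistent bundle (constructed names): leaf, its intermediate, the root.
GOOD_BUNDLE = (fake_cert_pem("relp-client.example.test", "Intermediate1")
               + fake_cert_pem("Intermediate1", "Root") + fake_cert_pem("Root", "Root"))
# Broken bundle (constructed): the leaf names an intermediate that is not in the file, and the root appears twice.
BAD_BUNDLE = (fake_cert_pem("relp-client.example.test", "Intermediate2")
              + fake_cert_pem("Intermediate1", "Root") + fake_cert_pem("Root", "Root")
              + fake_cert_pem("Root", "Root"))

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_chain(bundle) or ["chain order consistent"])
```

This is a structural check only: it tells you whether the file is in the order a TLS peer can use, not whether the signatures are valid, so run it alongside openssl verify rather than instead of it. A bundle where every pairwise verify succeeds can still fail this check when the leaf was issued by an intermediate other than the one in the file, which is exactly the case where a client ends up presenting just its own certificate.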

On 21/01/2021 12:32, Mariusz Kruk via rsyslog wrote:
OK. It turned out I cannot read ;-)

But seriously - the docs state that chained certs should work with openssl 1.0.2 (I have no idea why I read it at first as "1.0.7" or something like that; is there such a version at all? :-)) but you only get one ssl context. OK, that's fine by me. But even though I configured chained certs, I still get the server hello with only a single cert. Seems I'll have to dig deeper.

Are there any caveats I should be aware of?

On 21/01/2021 11:22, Mariusz Kruk via rsyslog wrote:
Sure. I can rebuild whole rsyslog package or just the RELP components :-)

I just wanted to avoid custom building altogether because that introduces another level of support burden on my side :-)

I can't understand one more thing though.

I'm trying to set up two different RELP inputs with two different CA certificates. In fact, I have at least three RELP inputs but it seems that all are obviously affected.

It seems that, unfortunately, with openssl-1.0.2 the certs, even though provided on a per-input basis, configure the main openssl context and only the "first ones" work. So even though I define different sets of certs for each input, I get the same certs bound to all inputs. Is it just a restriction of openssl-1.0.2 and there's no way around it? Or is it somehow "workaroundable" in 8.2012? (for now I only upgraded up to 8.2010 because it didn't force me to change my config).

I would very much like to avoid custom building so I'm starting to think about leaving rsyslog-based TLS encryption and just offloading it to stunnel. I'm not sure though if it won't raise new problems.


On 21/01/2021 10:30, Rainer Gerhards wrote:
you can always rebuild librelp yourself - that's the obvious solution...

My 2cts
Rainer
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.