Let me jump into the discussion. For OpenSSL 1.1.0 and higher we can use "SSL_use_certificate_chain_file" to set the certificate chain file and apply it to the SSL context. For OpenSSL 1.0.2, we can only load the chained certificate if we use "SSL_CTX_load_verify_locations", which loads the configured certificate only if NO CA certificate is configured.
I am not sure if this has been properly documented yet; if not, I will have this done ASAP.

Best regards,
Andre Lorbach

--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards
Reg.-Gericht Mannheim, HRB 560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: [email protected]
Information regarding your data privacy policy can be found here: https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

> -----Original Message-----
> From: rsyslog <[email protected]> On Behalf Of Mariusz Kruk via rsyslog
> Sent: Thursday, 21 January 2021 15:07
> To: [email protected]
> Cc: Mariusz Kruk <[email protected]>
> Subject: Re: [rsyslog] Forcing openssl-1.1.1 on Centos7
>
> And... ladies and gentlemen... it's getting weirder and weirder.
>
> I got so focused on what's not working that I missed the fact that on many
> other rsyslog instances the chained certs seem to be working OK.
>
> And here's where it gets confusing.
>
> I have two different sites with a pretty identical config except for IPs and
> certs.
>
> One of those sites connects OK to a RELP receiver, another one - doesn't.
>
> OK. So I try to do just plain openssl s_client -connect with a certificate
> that I have for each machine.
>
> For one machine it works - the client shows the full certificate path
> (Subject, Intermediate1, Root, Root), for the other one - the client shows
> only the subject's certificate (whereas the file contains
> Subject, Intermediate2, Root, Root).
>
> But if I try and do openssl verify, each step of the chain does verify
> properly.
>
> So it's no wonder that if the remote end shows only its Subject certificate
> without the proper chain, the server responds with "go away, I don't know
> your CA". That's pretty normal.
>
> To make things even more confusing, the RELP input also shows only the
> Subject certificate in the Server Hello message even though it does have the
> same Intermediate1, Root, Root path as the working client.
>
> As you can imagine, I'm going a bit bananas at the moment ;-)
>
> Anyone ever had a similar problem?
>
> Mariusz Kruk
> IT Security Expert
> COMP S.A.
> Cybersecurity and Risk Management Division
> e-mail: [email protected]
> e-mail: [email protected]
> tel: +48 608 623 299
>
> On 21/01/2021 12:32, Mariusz Kruk via rsyslog wrote:
> > OK. It turned out I cannot read ;-)
> >
> > But seriously - the docs state that chained certs should work with
> > openssl 1.0.2 (I have no idea why I read it at first as "1.0.7" or
> > something like that; is there such a version at all? :-)) but you only
> > get one SSL context. OK, that's fine by me. But even though I
> > configured chained certs, I still get the server hello with only a
> > single cert. Seems I'll have to dig deeper.
> >
> > Are there any caveats I should be aware of?
> >
> > On 21/01/2021 11:22, Mariusz Kruk via rsyslog wrote:
> >> Sure. I can rebuild the whole rsyslog package or just the RELP components
> >> :-)
> >>
> >> I just wanted to avoid custom building altogether because that
> >> introduces another level of support burden on my side :-)
> >>
> >> I can't understand one more thing though.
> >>
> >> I'm trying to set up two different RELP inputs with two different CA
> >> certificates. In fact, I have at least three RELP inputs but it seems
> >> that all are obviously affected.
> >>
> >> It seems that, unfortunately, with openssl-1.0.2 the certs, even
> >> though provided on a per-input basis, configure the main openssl context
> >> and only the "first ones" work. So even though I define different
> >> sets of certs for each input, I get the same certs bound to all
> >> inputs. Is it just a restriction of openssl-1.0.2 and there's no way
> >> around it? Or is it somehow "workaroundable" in 8.2012? (for now I
> >> only upgraded up to 8.2010 because it didn't force me to change my
> >> config).
> >>
> >> I would very much like to avoid custom building so I'm starting to
> >> think about leaving rsyslog-based TLS encryption and just offloading
> >> it to stunnel. I'm not sure though if it won't raise new problems.
> >>
> >>
> >> On 21/01/2021 10:30, Rainer Gerhards wrote:
> >>> you can always rebuild librelp yourself - that's the obvious
> >>> solution...
> >>>
> >>> My 2cts
> >>> Rainer
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> >> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >> you DON'T LIKE THAT.
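The thread's diagnosis hinges on what the bundle file actually contains and in which order: OpenSSL's chain-file loader expects the entity certificate first, followed by each issuing CA in turn. Before debugging which OpenSSL call loaded the file, it is worth ruling out a mis-ordered or padded bundle. The following stdlib-only Python checker is an added example written for this page, not code from the thread, rsyslog or librelp. It reads a PEM bundle such as the "Subject, Intermediate, Root, Root" files described above, parses each certificate's DER only as far as the issuer and subject Names, and reports any certificate that is not issued by the one following it, as well as a self-signed root that is followed by further certificates. It does not verify signatures or validity. The test certificates it builds (`host.example`, `Intermediate1`, `Root`) are constructed placeholders shaped like certificates, not real X.509 certificates.

```python
"""Check that a PEM certificate bundle is ordered leaf -> intermediate -> root.

Stdlib only. Extracts the raw issuer and subject Name encodings from each
certificate's DER and checks that every certificate is issued by the one that
follows it. Signatures and validity are NOT verified.
"""
import base64
import re

# One match per PEM CERTIFICATE block in the bundle.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode the DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def names_from_der(der):
    """Return the raw DER (issuer, subject) Names of one certificate by walking
    Certificate -> tbsCertificate -> [version] serial signature issuer validity subject."""
    tag, pos, _ = _read_tlv(der, 0)                  # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)                # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _read_tlv(der, pos)                  # serialNumber
    _, _, pos = _read_tlv(der, pos)                  # signature AlgorithmIdentifier
    _, _, end = _read_tlv(der, pos)                  # issuer Name
    issuer = der[pos:end]
    _, _, pos = _read_tlv(der, end)                  # validity
    _, _, end = _read_tlv(der, pos)                  # subject Name
    return issuer, der[pos:end]


def check_chain_order(pem_text):
    """Return a list of problems with the bundle order; [] means consistent."""
    ders = [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT_RE.finditer(pem_text)]
    if not ders:
        return ["no CERTIFICATE blocks found"]
    names = [names_from_der(d) for d in ders]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:           # issuer(i) must equal subject(i+1)
            problems.append("cert %d is not issued by cert %d" % (i, i + 1))
    for i, (issuer, subject) in enumerate(names):    # a self-signed cert ends the chain
        if issuer == subject and i != len(names) - 1:
            problems.append("cert %d is self-signed but %d more follow"
                            % (i, len(names) - 1 - i))
    return problems


# ---- constructed test data (NOT real X.509 certificates) -------------------

def _tlv(tag, value):
    """Encode one short-form DER TLV (all constructed values are < 128 bytes)."""
    return bytes([tag, len(value)]) + value


def _name(cn):
    """X.501 Name with a single commonName attribute."""
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    """Certificate-shaped DER in PEM with empty validity, key and signature, so the
    checker can be exercised offline. It would fail any real X.509 parser."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn) + _tlv(0x30, b""))
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Bundles mirroring the thread's "Subject, Intermediate, Root, Root" files.
GOOD_BUNDLE = (fake_cert_pem("host.example", "Intermediate1")
               + fake_cert_pem("Intermediate1", "Root")
               + fake_cert_pem("Root", "Root"))
DUPLICATE_ROOT_BUNDLE = GOOD_BUNDLE + fake_cert_pem("Root", "Root")
WRONG_ORDER_BUNDLE = (fake_cert_pem("Intermediate1", "Root")
                      + fake_cert_pem("host.example", "Intermediate1")
                      + fake_cert_pem("Root", "Root"))

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("dup-root", DUPLICATE_ROOT_BUNDLE),
                          ("wrong-order", WRONG_ORDER_BUNDLE)):
        print(label, check_chain_order(bundle) or ["ok"])
```

Run against a real bundle by reading the file into `check_chain_order`. A clean result does not prove the peer will send the chain (that still depends on which loader the library used, as discussed above), but a non-empty result means the file itself needs fixing first. The duplicated root at the end of the thread's files is harmless for linkage but is flagged because anything after a self-signed certificate is never used to build the chain.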

