Let me jump into the discussion: for OpenSSL 1.1.0 and higher we can use "SSL_use_certificate_chain_file" to set the certificate chain file and apply it to the SSL Context.
For OpenSSL 1.0.2, we can only load the chained certificate if we use "SSL_CTX_load_verify_locations", which loads the configured certificate only if NO CA certificate is configured.
I am not sure if this has been properly documented yet; if not, I will have this done ASAP.
Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Managing Director/President: Rainer Gerhards; Registry Court Mannheim, HRB 560610
VAT ID: DE 81 22 04 622
Web: www.adiscon.com - Mail: [email protected]
Information regarding our data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
(German version of the same notice:) This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorized copying and unauthorized forwarding of this e-mail are not permitted.
-----Original Message-----
From: rsyslog <[email protected]> On behalf of Mariusz Kruk via rsyslog
Sent: Thursday, 21 January 2021 15:07
To: [email protected]
Cc: Mariusz Kruk <[email protected]>
Subject: Re: [rsyslog] Forcing openssl-1.1.1 on Centos7
And... ladies and gentlemen... it's getting weirder and weirder.
I got so focused on what's not working that I missed the fact that on many other rsyslog instances the chained certs seem to be working OK.
And here's where it gets confusing.
I have two different sites with a pretty identical config except for IPs and certs.
One of those sites connects OK to a RELP receiver, another one doesn't.
OK. So I try to do just plain openssl s_client -connect with a certificate that I have for each machine.
For one machine it works - the client shows the full certificate path (Subject, Intermediate1, Root, Root), for the other one the client shows only the subject's certificate (whereas the file contains Subject, Intermediate2, Root, Root).
But if I try and do openssl verify, each step of the chain does verify properly.
So it's no wonder that if the remote end shows only its Subject certificate without the proper chain, the server responds with "go away, I don't know your CA". That's pretty normal.
To make things even more confusing, the RELP input also shows only the Subject certificate in the Server Hello message even though it does have the same Intermediate1, Root, Root path as the working client.
As you can imagine, I'm going a bit bananas at the moment ;-)
Anyone ever had a similar problem?
Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: [email protected]
e-mail: [email protected]
tel: +48 608 623 299
On 21/01/2021 12:32, Mariusz Kruk via rsyslog wrote:
OK. It turned out I cannot read ;-)
But seriously - the docs state that chained certs should work with
openssl 1.0.2 (I have no idea why I read it at first as "1.0.7" or
something like that; is there such version at all? :-)) but you only
get one ssl context. OK, that's fine by me. But even though I
configured chained certs, I still get the server hello with only a
single cert. Seems I'll have to dig deeper.
Are there any caveats I should be aware of?
On 21/01/2021 11:22, Mariusz Kruk via rsyslog wrote:
Sure. I can rebuild the whole rsyslog package or just the RELP components :-)
I just wanted to avoid custom building altogether because that introduces another level of support burden on my side :-)
I can't understand one more thing though.
I'm trying to set up two different RELP inputs with two different CA certificates. In fact, I have at least three RELP inputs but it seems that all are obviously affected.
It seems that, unfortunately, with openssl-1.0.2 the certs, even though provided on a per-input basis, configure the main openssl context and only the "first ones" work. So even though I define different sets of certs for each input, I get the same certs bound to all inputs. Is it just a restriction of openssl-1.0.2 and there's no way around it? Or is it somehow "workaroundable" in 8.2012? (for now I only upgraded up to 8.2010 because it didn't force me to change my config).
I would very much like to avoid custom building so I'm starting to think about leaving rsyslog-based TLS encryption and just offloading it to stunnel. I'm not sure though if it won't raise new problems.
On 21/01/2021 10:30, Rainer Gerhards wrote:
you can always rebuild librelp yourself - that's the obvious
solution...
My 2cts
Rainer
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you DON'T LIKE THAT.
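The thread above distinguishes three things that are easy to conflate: what a chain file contains, whether `openssl verify` accepts each hop, and what the server actually sends on the wire (the s_client observation in Mariusz Kruk's message, and the chain-file vs. verify-locations point in Andre Lorbach's reply). The script below is an added example written for this page; it is not code from the thread, from rsyslog or from librelp. It builds a throwaway Root -> Intermediate -> Leaf chain with the openssl CLI, then runs all three checks against a local `openssl s_server`: once started with only the leaf certificate and once with the intermediate supplied as a chain certificate. The certificate names, the `ca.cnf` extension sections and the TCP ports 44301/44302 are assumptions of the example; it needs only the `openssl` binary (1.0.2 or newer) and a free loopback port.

```shell
#!/bin/sh
# Added example, not code from the rsyslog thread or project.
# Builds Root -> Intermediate -> Leaf, then compares (1) the contents of the
# chain file, (2) the result of `openssl verify` and (3) the certificates a
# server really presents, as seen by `openssl s_client -showcerts`.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension sections for the demo CAs and the leaf (constructed for this example).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF

make_chain() {
    # Throwaway keys: -nodes (unencrypted) is acceptable for a test fixture only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -config ca.cnf -extensions v3_ca -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -config ca.cnf -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -days 2 -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -config ca.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
        -days 2 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
    # Leaf first, then the intermediate(s): the order a TLS chain file expects.
    cat leaf.pem inter.pem > chain.pem
}

# (1) What the chain file contains: one "subject=" line per certificate, in file order.
chain_file_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject'
}
chain_file_cert_count() { chain_file_subjects "$1" | wc -l | tr -d ' '; }

# (2) Static check: the first cert in the file must verify up to root.pem, using the
# rest of the file as untrusted intermediates. Exit status 0 means the chain is sound.
verify_chain_file() {
    openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}

# (3) Live check: start s_server on port $1 with the remaining arguments as its
# certificate options, connect with s_client trusting only root.pem, print the
# client output, then stop the server.
probe_server() {
    port=$1; shift
    openssl s_server -accept "$port" -key leaf.key "$@" -www </dev/null >/dev/null 2>&1 &
    pid=$!
    for _ in 1 2 3 4 5; do   # wait until the listener accepts connections
        openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1 && break
        sleep 1
    done
    out=$(openssl s_client -connect "127.0.0.1:$port" -CAfile root.pem -showcerts </dev/null 2>/dev/null || true)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$out"
}
# Number of certificates the server put on the wire (leaf included).
sent_cert_count() { probe_server "$@" | grep -c 'BEGIN CERTIFICATE' || true; }
# Did the client, trusting only root.pem, accept what the server sent?
client_verify_ok() { probe_server "$@" | grep -q 'Verify return code: 0 (ok)'; }

main() {
    make_chain
    echo "certificates in chain.pem:"; chain_file_subjects chain.pem
    verify_chain_file chain.pem && echo "openssl verify: chain.pem OK"
    echo "server with -cert leaf.pem only sends $(sent_cert_count 44301 -cert leaf.pem) cert(s)"
    echo "server with -cert_chain inter.pem sends $(sent_cert_count 44302 -cert leaf.pem -cert_chain inter.pem) cert(s)"
}
main
```

The point the two runs make: `openssl verify` passes because it is handed the intermediate explicitly, and the chain file really does hold two certificates, yet the server started without the intermediate as a chain certificate presents only the leaf, and a client that knows only the root rejects it with "unable to verify the first certificate". When a peer shows you a bare leaf in `s_client -showcerts` output, the file on disk is not the thing to inspect; how the server was told to use that file is.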