------- Original Message ------- On Wednesday, March 24, 2021 2:58 PM, Mariusz Kruk via rsyslog <[email protected]> wrote:
> > [ --%< snipped %<--- ]
>
> OK. With TLS it all gets tricky.
>
> Firstly, to get it out of the way, you should not use the legacy config
> directives. So instead of $InputTCPServerStreamDriverPermittedPeer you
> should use a PermittedPeer option of an input(type="imtcp" [...])
> directive and so on.

Yes you are right, I didn't notice that, because I already found the legacy configuration on the central rsyslog machine and it works.
--> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#permittedpeer

But, is there any porting guide from "legacy" to "current" configuration?

So, according to the following guides:

* https://www.rsyslog.com/doc/master/tutorials/tls.html#server-setup
* https://www.rsyslog.com/doc/master/concepts/ns_ossl.html#supported-authentication-modes

all this central legacy configuration:

```
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverMode 1
$DefaultNetstreamDriverCAFile /etc/.../ca.pem
$DefaultNetstreamDriverCertFile /etc/.../client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../client-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.domain.com
$InputTCPServerRun 6514
```

can it be replaced with the following configuration:

```
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
    DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
    DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)

# load TCP listener
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"
    PermittedPeer=["*.example.domain.com", "*.prod.example.com"]
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)
```

?
> Having said that - as I wrote - TLS is a bit tricky because it works a
> bit differently depending on the underlying TLS library and its version,
> and some parameters can be a bit vague (like said PermittedPeer option
> which, quoting from the docs, "<id-string> semantics depend on the
> currently selected AuthMode and network stream driver
> https://www.rsyslog.com/doc/master/concepts/netstrm_drvr.html.
> PermittedPeer may not be set in anonymous modes. PermittedPeer may be
> set either to a single peer or an array of peers either of type IP or
> name, depending on the tls certificate").
>
> Having multiple CAs is not that easy, and doesn't work with openssl
> 1.0.x AFAIR. So you might have to do a bit of reading.
>
> Firstly - https://www.rsyslog.com/doc/master/tutorials/tls.html
>
> Then - docs for the appropriate input/output modules
>
> Finally you'd need some testing probably.

Thank you very much for this very interesting and important information!

Your note about the underlying TLS library and its version is very important to emphasize. For example, according to you and for my current system - not currently supported:

```
openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
```

Finally, note that the guide you sent me (which helps a lot) is: "Written by Rainer Gerhards (2008-05-06)"

Could we try to renew it together? ^_^'

Thank you very much for your time and help
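The "porting guide" question in the message above can be answered mechanically for the handful of directives it shows. The following Python script is an added example, not rsyslog project code or anything posted in the thread: it parses the legacy listener block quoted in the message and emits the equivalent `global()`, `module(load="imtcp")` and `input(type="imtcp")` objects. The directive-to-parameter table is an assumption based on the imtcp documentation linked in the message, the `StreamDriver.Name` line is derived from `$DefaultNetstreamDriver` the same way the poster's proposed config does, and the sample legacy block (including its repeated `$InputTCPServerStreamDriverMode` line and the elided `/etc/.../` paths) is copied from the message. Unknown directives are reported rather than dropped, and a `PermittedPeer` set while the auth mode is still the default `anon` is flagged, matching the doc sentence quoted in the reply.

```python
"""Port legacy rsyslog TLS-listener directives to RainerScript objects.

Added example; assumptions: the mapping tables below and that imtcp's
default StreamDriver.AuthMode is "anon" (the legacy default).
"""

# Legacy $Default* directives map 1:1 onto global() parameters (assumed mapping).
GLOBAL_PARAMS = {
    "$defaultnetstreamdriver": "DefaultNetstreamDriver",
    "$defaultnetstreamdrivercafile": "DefaultNetstreamDriverCAFile",
    "$defaultnetstreamdrivercertfile": "DefaultNetstreamDriverCertFile",
    "$defaultnetstreamdriverkeyfile": "DefaultNetstreamDriverKeyFile",
}

# Legacy $InputTCPServerStreamDriver* directives become imtcp module() parameters.
IMTCP_PARAMS = {
    "$inputtcpserverstreamdrivermode": "StreamDriver.Mode",
    "$inputtcpserverstreamdriverauthmode": "StreamDriver.AuthMode",
}

# Constructed sample input: the legacy block quoted in the message, verbatim.
SAMPLE_LEGACY = """\
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverMode 1
$DefaultNetstreamDriverCAFile /etc/.../ca.pem
$DefaultNetstreamDriverCertFile /etc/.../client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../client-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.domain.com
$InputTCPServerRun 6514
"""


def parse_legacy(text):
    """Yield (directive, value) pairs; blank lines and comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def convert(text):
    """Build an intermediate model; duplicates collapse, unknowns are kept for review."""
    model = {"global": {}, "modules": [], "imtcp": {}, "peers": [],
             "ports": [], "unhandled": [], "warnings": []}
    for name, value in parse_legacy(text):
        key = name.lower()  # legacy directive names are case-insensitive
        if key == "$modload":
            if value not in model["modules"]:
                model["modules"].append(value)
        elif key in GLOBAL_PARAMS:
            model["global"][GLOBAL_PARAMS[key]] = value
        elif key in IMTCP_PARAMS:
            model["imtcp"][IMTCP_PARAMS[key]] = value
        elif key == "$inputtcpserverstreamdriverpermittedpeer":
            if value not in model["peers"]:
                model["peers"].append(value)
        elif key == "$inputtcpserverrun":
            if value not in model["ports"]:
                model["ports"].append(value)
        else:
            model["unhandled"].append(name)
    # Docs quoted in the reply: PermittedPeer may not be set in anonymous modes.
    auth_mode = model["imtcp"].get("StreamDriver.AuthMode", "anon")
    if model["peers"] and auth_mode == "anon":
        model["warnings"].append(
            "PermittedPeer is set but StreamDriver.AuthMode is anon; peers are ignored")
    return model


def render(model):
    """Emit RainerScript text for the model."""
    out = []
    if model["global"]:
        out.append("global(")
        out += [f'    {k}="{v}"' for k, v in model["global"].items()]
        out.append(")")
    modules = list(model["modules"])
    # imtcp parameters without a $ModLoad line still need the module object.
    if (model["imtcp"] or model["peers"] or model["ports"]) and "imtcp" not in modules:
        modules.append("imtcp")
    for mod in modules:
        if mod != "imtcp":
            out.append(f'module(load="{mod}")')
            continue
        out.append("module(")
        out.append('    load="imtcp"')
        driver = model["global"].get("DefaultNetstreamDriver")
        if driver:
            out.append(f'    StreamDriver.Name="{driver}"')
        out += [f'    {k}="{v}"' for k, v in model["imtcp"].items()]
        if model["peers"]:
            out.append("    PermittedPeer=[" + ", ".join(f'"{p}"' for p in model["peers"]) + "]")
        out.append(")")
    for port in model["ports"]:
        out.append(f'input(type="imtcp" port="{port}")')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    m = convert(SAMPLE_LEGACY)
    print(render(m))
    for item in m["unhandled"]:
        print("# unhandled legacy directive, port by hand:", item)
    for w in m["warnings"]:
        print("# warning:", w)
```

Feed it the legacy file with `python3 port_tls.py` (any name works) and check the generated text with `rsyslogd -N1 -f <file>` before deploying; the script only rewrites syntax and cannot tell whether the library build on the box (the OpenSSL 1.0.2k mentioned in the message, for instance) actually supports the resulting settings.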

