Thank you for your replies. The client and server are on the same subnet (neighbors). Unencrypted traffic works fine. I have gone for the most basic approach to try and get tls working.
One question? Does the client need it's own certificate? I have just ensured it has the CA certificate of the server. I would be happy to try Openssl. Can you provide what changes I would need to make to use this. I test connectivity with openssl client connect that appears to work ok. So was thinking it was more rsyslog config specific. ________________________________ From: rsyslog <[email protected]> on behalf of Mariusz Kruk via rsyslog <[email protected]> Sent: Monday, July 17, 2023 7:43:27 pm To: rsyslog-users <[email protected]> Cc: Mariusz Kruk <[email protected]> Subject: Re: [rsyslog] rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594: True that. Sometimes though you don't have much choice if you're constrained by your distro's packages. And I must say that TLS configuration is (or at least can be) hugely messed up anyway. But -110 typically says that the connection ended before it properly went through all its stages and was properly closed. Usually (but not always) it suggests that the remote end decided it doesn't like something about us (our algorithms suite, our certificate validity or lack thereof, our DN or SAN) and decided to close the connection (possibly forcefully by just sending RST). It might help to look into other end's logs - they might contain the reason for such termination. On 17.07.2023 09:37, Rainer Gerhards wrote: > I suggest to use the openssl driver (ossl, separate package). A prime > reason for implementing openssl was that the gnutls error messages are > usually very unhelpful. this is much better with openssl. > > Rainer > > El lun, 17 jul 2023 a las 8:54, Mariusz Kruk via rsyslog > (<[email protected]>) escribió: >> Yes. People came across this error several times. >> >> -110 GNUTLS_E_PREMATURE_TERMINATION The TLS connection was >> non-properly terminated. >> >> It means something is wrong with either the configuration or your network. >> >> With such skimpy details we can't say much more. >> >> Check your config, check your connection with openssl s_client, do a >> tcpdump if necessary and see what's going on on the wire... >> >> On 17.07.2023 06:29, Andrew Cowan via rsyslog wrote: >>> Has anyone come across this error? >>> >>> This occurs in the logs when I do a logger test from client to server using >>> TLS. Some kind of TLS error. >>> _______________________________________________ >>> rsyslog mailing list >>> https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.adiscon.net%2Fmailman%2Flistinfo%2Frsyslog&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HuJLcCa9zGVWGrFhN7olMSJAKd7haLwjj7eo1G4sTu0%3D&reserved=0<https://lists.adiscon.net/mailman/listinfo/rsyslog> >>> https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4Fv8XG7dvYRqFpBhCPfyE%2B8%2Fan%2B18pAP1xnt8A0fSx8%3D&reserved=0<http://www.rsyslog.com/professional-services/> >>> What's up with rsyslog? Followhttps://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >> _______________________________________________ >> rsyslog mailing list >> https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.adiscon.net%2Fmailman%2Flistinfo%2Frsyslog&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HuJLcCa9zGVWGrFhN7olMSJAKd7haLwjj7eo1G4sTu0%3D&reserved=0<https://lists.adiscon.net/mailman/listinfo/rsyslog> >> https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4Fv8XG7dvYRqFpBhCPfyE%2B8%2Fan%2B18pAP1xnt8A0fSx8%3D&reserved=0<http://www.rsyslog.com/professional-services/> >> What's up with rsyslog? Follow >> https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Frgerhards&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Fu3T%2Fo1R8NXjJ8Lsv64mfGjEzLxJp%2BBAz9przcvREJs%3D&reserved=0<https://twitter.com/rgerhards> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. _______________________________________________ rsyslog mailing list https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.adiscon.net%2Fmailman%2Flistinfo%2Frsyslog&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HuJLcCa9zGVWGrFhN7olMSJAKd7haLwjj7eo1G4sTu0%3D&reserved=0<https://lists.adiscon.net/mailman/listinfo/rsyslog> https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4Fv8XG7dvYRqFpBhCPfyE%2B8%2Fan%2B18pAP1xnt8A0fSx8%3D&reserved=0<http://www.rsyslog.com/professional-services/> What's up with rsyslog? Follow https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Frgerhards&data=05%7C01%7C%7C6afe0aff9b4e4a883e5f08db86997edb%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638251766073220198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Fu3T%2Fo1R8NXjJ8Lsv64mfGjEzLxJp%2BBAz9przcvREJs%3D&reserved=0<https://twitter.com/rgerhards> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
