Package: rsyslog-gnutls
Version: 8.24.0-1
Severity: normal

The setup consists of a TLS-enabled rsyslog server and TLS-enabled rsyslog
clients without using client certificate authentication.

When DefaultNetstreamDriverCertFile on the server specifies a file with a
single cert (which is signed by a top level cert available to the clients),
clients can connect. When DefaultNetstreamDriverCertFile on the server
specifies a file with a cert followed by an intermediate cert (which is
signed by a top level cert available to the clients), clients fail to
connect.

Using "openssl s_client" reveals that only the server cert is sent, not the
intermediate cert, and thus clients will fail server cert verification since
the intermediate certificate is not available.

The relevant code is in runtime/nsd_gtls.c. Interestingly enough there are
two separate functions that read the certificate:

gtlsAddOurCert() uses gnutls_certificate_set_x509_key_file(), which will
handle intermediate certs correctly.

gtlsLoadOurCertKey() uses gnutls_x509_crt_import() on the file data, and
this function only handles one cert.

The latter function seems meant to be used in clients to read the client
certificate when using client authentication, but is also called in
gtlsInitSession(). If one changes gtlsInitSession() to read

  #if HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION && 0

thus disabling the call to gtlsLoadOurCertKey(), the server will present
the intermediate cert and clients will be able to connect.

Arne

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rsyslog-gnutls depends on:
ii  libc6        2.24-11+deb9u1
ii  libgnutls30  3.5.8-5+deb9u3
ii  rsyslog      8.24.0-1

rsyslog-gnutls recommends no packages.

Versions of packages rsyslog-gnutls suggests:
ii  gnutls-bin  3.5.8-5+deb9u3

-- no debconf information
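The "openssl s_client" check described in the report, turned into a small script that an operator can run against an rsyslog TLS listener to confirm the server really presents every certificate in its configured bundle. This is an added example, not part of the bug report or of rsyslog; it assumes the openssl command line tool is installed, and the bundle path, host and port are passed as arguments (the sample bundle it writes contains constructed placeholder blocks, not real certificates).

```shell
#!/bin/sh
# Added example: compare the number of certificates in the PEM bundle that
# DefaultNetstreamDriverCertFile points at with the number of certificates the
# server actually sends during the TLS handshake. A server that sends fewer
# than the bundle holds is dropping its intermediate(s), which is exactly the
# failure the report describes. Requires the openssl CLI for the live check.

# Count PEM certificate blocks in a bundle file. grep -c exits 1 when the
# count is 0, so the "|| true" keeps the function usable under "set -e".
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Count the certificates a live server presents. "-showcerts" makes s_client
# print every certificate of the chain the peer sent, not just the leaf.
# Stdin is /dev/null so s_client exits right after the handshake.
server_cert_count() {
    host=$1
    port=$2
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | { grep -c -- '-----BEGIN CERTIFICATE-----' || true; }
}

# Decide whether the presented chain covers the configured bundle.
# Returns 0 (true) when the server sent at least as many certs as configured.
chain_complete() {
    expected=$1
    presented=$2
    [ "$presented" -ge "$expected" ]
}

# Write a constructed two-certificate PEM bundle (placeholder bodies, not real
# DER data) to a temporary file and print its path. Used for offline testing.
make_sample_bundle() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CERT-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERT-BODY
-----END CERTIFICATE-----
EOF
    printf '%s\n' "$f"
}

# Live check: ./check_chain.sh /etc/rsyslog.d/server-chain.pem syslog.example 6514
if [ "$#" -eq 3 ]; then
    bundle=$1
    expected=$(pem_cert_count "$bundle")
    presented=$(server_cert_count "$2" "$3")
    if chain_complete "$expected" "$presented"; then
        printf 'OK: bundle has %s cert(s), server presented %s\n' "$expected" "$presented"
    else
        printf 'MISSING: bundle has %s cert(s) but server presented only %s\n' \
            "$expected" "$presented" >&2
        exit 1
    fi
fi
```

With the behaviour the report describes, a bundle holding the server cert plus one intermediate gives "bundle has 2 cert(s) but server presented only 1"; after the change to gtlsInitSession() the same run reports OK.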