Try to update your gnutls package. Also, we had problems with el5 and we had to set StreamDriverAuthMode="anon" instead of StreamDriverAuthMode="x509/name".

On Wed, Oct 8, 2014 at 9:51 AM, nxmehta <[email protected]> wrote:
> Hi there,
>
> I've recently been seeing issues with TLS encrypted remote logging in
> rsyslog. This exact setup (same configs and certs) used to work fine in the
> 7.x version that I used to use (I don't recall the exact version), but
> since I upgraded recently I've been seeing problems. My logs are filled
> with the following errors:
>
> Sep 18 16:49:12 myserver rsyslogd-2089: netstream session 0x7fbe38017380 will be closed due to error [try http://www.rsyslog.com/e/2089 ]
>
> The debug logs show that the server appears to be reporting GnuTLS error -54,
> and the client is reporting error -28. According to
> http://gnutls.org/manual/html_node/Error-codes.html the errors mean the
> following:
>
> CODE: SELECT ALL
> -28 GNUTLS_E_AGAIN Resource temporarily unavailable, try again.
> -54 GNUTLS_E_PULL_ERROR Error in the pull function.
>
> I'm really not sure what to do with these errors, though. Anyone have any
> clues as to what might be wrong?
>
> I've included the relevant portions of the server/client configs and debug
> logs. Please let me know if I can provide any more information to help
> debug. Thanks.
>
> PS - I've posted to the boards if it's more convenient to reply there:
> http://kb.monitorware.com/tls-issues-t12433.html
>
> Here's the server side configuration:
>
> ----snip----
> $ModLoad imtcp
> $DefaultNetstreamDriver gtls
> $DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
> $DefaultNetstreamDriverCertFile /etc/ssl/certs/mycert.crt
> $DefaultNetstreamDriverKeyFile /etc/ssl/private/mycert.key
> $InputTCPServerStreamDriverMode 1
> $InputTCPServerStreamDriverAuthMode anon
> $InputTCPServerRun 514
> ----snip----
>
> And the client side configuration:
>
> ----snip----
> $DefaultNetstreamDriver gtls
> $DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
> $ActionSendStreamDriverMode 1
> $ActionSendStreamDriverAuthMode anon
> *.* @@myserver:514
> ----snip----
>
> Here's the debug log from the server:
>
> ----snip----
> CODE: SELECT ALL
> 6425.814033306:imtcp.c : New connect on NSD 0x22960d0.
> 6425.814050711:imtcp.c : dnscache: entry (nil) found
> 6425.819281124:imtcp.c : GnuTLS handshake does not complete immediately - setting to retry (this is OK and normal)
> 6425.819336017:imtcp.c : New session created with NSD 0x7fbe38006060.
> 6425.819349710:imtcp.c : hasRcvInBuffer on nsd 0x2274ec0: pszRcvBuf (nil), lenRcvBuf 0
> 6425.819365513:imtcp.c : hasRcvInBuffer on nsd 0x22961a0: pszRcvBuf (nil), lenRcvBuf 0
> 6425.819371127:imtcp.c : hasRcvInBuffer on nsd 0x7fbe380027d0: pszRcvBuf (nil), lenRcvBuf 0
> 6425.819377270:imtcp.c : --------<NSDSEL_PTCP> calling select, active fds (max 19): 10 11 19
> 6425.869702367:imtcp.c : hasRcvInBuffer on nsd 0x2274ec0: pszRcvBuf (nil), lenRcvBuf 0
> 6425.869739092:imtcp.c : hasRcvInBuffer on nsd 0x22961a0: pszRcvBuf (nil), lenRcvBuf 0
> 6425.869745980:imtcp.c : hasRcvInBuffer on nsd 0x7fbe380027d0: pszRcvBuf (nil), lenRcvBuf 0
> 6425.869751482:imtcp.c : GnuTLS requested retry of 1 operation - executing
> 6425.869771778:imtcp.c : unexpected GnuTLS error -54 in nsdsel_gtls.c:166: Error in the pull function.
> 6425.869778668:imtcp.c : XXXXXX: doRetry: iRet -2078, pNsd->bAbortConn 1
> 6425.869784278:imtcp.c : tcpsrv: ready to process 1 event entries
> 6425.869789568:imtcp.c : tcpsrv: processing item 0, pUsr 0x7fbe38006060, bAbortConn
> 6425.869794885:imtcp.c : netstream 0x7fbe38005f90 with new data
> 6425.869800728:imtcp.c : gtlsRcv return. nsd 0x7fbe380027d0, iRet -2089, lenRcvBuf 0, ptrRcvBuf 0
> 6425.869806958:imtcp.c : Called LogMsg, msg: netstream session 0x7fbe38005f90 will be closed due to error
> ----snip----
>
> And the debug log from the client:
>
> ----snip----
> CODE: SELECT ALL
> 6425.563661890:main Q:Reg/w0 : TCPSendInit CREATE
> 6425.563672293:main Q:Reg/w0 : caller requested object 'nsd_gtls', not found (iRet -3003)
> 6425.563680500:main Q:Reg/w0 : Requested to load module 'lmnsd_gtls'
> 6425.563688698:main Q:Reg/w0 : loading module '/usr/lib/rsyslog/lmnsd_gtls.so'
> 6425.564301093:imuxsock.c : Message from UNIX socket: #3
> 6425.564345762:imuxsock.c : main Q: qqueueAdd: entry added, size now log 1, phys 2 entries
> 6425.564356808:imuxsock.c : main Q: EnqueueMsg advised worker start
> 6425.564364103:imuxsock.c : --------imuxsock calling select, active file descriptors (max 5): 3 5
> 6425.568209729:main Q:Reg/w0 : source file nsd_gtls.c requested reference for module 'lmnet', reference count now 5
> 6425.568232497:main Q:Reg/w0 : caller requested object 'nsd_ptcp', not found (iRet -3003)
> 6425.568244289:main Q:Reg/w0 : Requested to load module 'lmnsd_ptcp'
> 6425.568255709:main Q:Reg/w0 : loading module '/usr/lib/rsyslog/lmnsd_ptcp.so'
> 6425.568380354:main Q:Reg/w0 : source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 3
> 6425.568397304:main Q:Reg/w0 : module lmnsd_ptcp of type 2 being loaded (keepType=0).
> 6425.568402146:main Q:Reg/w0 : entry point 'isCompatibleWithFeature' not present in module
> 6425.568406151:main Q:Reg/w0 : entry point 'setModCnf' not present in module
> 6425.568410168:main Q:Reg/w0 : entry point 'getModCnfName' not present in module
> 6425.568414042:main Q:Reg/w0 : entry point 'beginCnfLoad' not present in module
> 6425.568446534:main Q:Reg/w0 : source file nsd_gtls.c requested reference for module 'lmnsd_ptcp', reference count now 1
> 6425.568464875:main Q:Reg/w0 : GTLS CA file: '/etc/ssl/certs/ca-certificates.crt'
> 6425.585275110:main Q:Reg/w0 : source file nsdsel_gtls.c requested reference for module 'lmnsd_ptcp', reference count now 2
> 6425.585325229:main Q:Reg/w0 : module lmnsd_gtls of type 2 being loaded (keepType=1).
> 6425.585335401:main Q:Reg/w0 : entry point 'isCompatibleWithFeature' not present in module
> 6425.585343301:main Q:Reg/w0 : entry point 'setModCnf' not present in module
> 6425.585350931:main Q:Reg/w0 : entry point 'getModCnfName' not present in module
> 6425.585358359:main Q:Reg/w0 : entry point 'beginCnfLoad' not present in module
> 6425.585370506:main Q:Reg/w0 : source file netstrms.c requested reference for module 'lmnsd_gtls', reference count now 1
> 6425.692298351:main Q:Reg/w0 : our certificate is not set, file name values are cert: '(null)', key: '(null)'
> 6425.756724126:main Q:Reg/w0 : unexpected GnuTLS error -28 in nsd_gtls.c:1651: Resource temporarily unavailable, try again.
> 6425.756805221:main Q:Reg/w0 : TCPSendInit FAILED with -2078.
> ----snip----
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
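
The two auth modes named in the reply, side by side in the legacy directive syntax of the quoted configs (an added example, not from either poster): `anon` encrypts the stream without checking any certificate, while `x509/name` validates the peer's certificate and its name. The client certificate paths and the peer name `client01.example.net` are hypothetical placeholders.

```conf
# --- Server (receiver) ---
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$DefaultNetstreamDriverCertFile /etc/ssl/certs/mycert.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/mycert.key
# Mode 1 = TLS-only listener
$InputTCPServerStreamDriverMode 1
# Weak setting (as in the quoted config): any TLS client is accepted
#   $InputTCPServerStreamDriverAuthMode anon
# Authenticated setting: client certificate must chain to the CA file
# and carry a permitted name
$InputTCPServerStreamDriverAuthMode x509/name
# Hypothetical client name, must match the client certificate
$InputTCPServerStreamDriverPermittedPeer client01.example.net
$InputTCPServerRun 514

# --- Client (sender) ---
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
# With x509/name on the server the client has to present a certificate.
# The quoted client config sets none, which its debug log reports as
# "our certificate is not set". Hypothetical paths:
$DefaultNetstreamDriverCertFile /etc/ssl/certs/client01.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/client01.key
$ActionSendStreamDriverMode 1
# Weak setting (as in the quoted config): server certificate is not checked
#   $ActionSendStreamDriverAuthMode anon
# Authenticated setting: server certificate must be valid and named myserver
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer myserver
*.* @@myserver:514
```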

