Hi Stephan:

  The /peer/ parameter lists permitted certificate fingerprints.  You've listed a hostname.

  Also, I think you want /authmode/ fingerprint, not /name/.

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omrelp.html

Regards,


On 8/14/18 8:07 AM, Stephan Seitz wrote:
Hi!

Versions:
Rsyslog: 8.36.0-1~bpo9+1 (server) and 8.24.0-1 (client)
RELP: 1.2.14-2~bpo9+1 (server) and 1.2.12-1+deb9u1 (client)
GnuTLS: 3.5.8-5+deb9u3

Server configuration:
input(type="imrelp" port="2515" TLS="on" TLS.MyPrivKey="/path/to/key" TLS.MyCert="/path/to/cert" TLS.Compression="on")

Client configuration:
action(type="omrelp"
      target="logserver"
      port="2515"
      TLS="on"
      TLS.Compression="on"
      TLS.authmode="name"
      TLS.caCert="/path/to/CA"
      TLS.permittedpeer=["logserver"]
)

But this doesn't work. The server is requesting a client certificate.  Okay, the client has one for its web server, but it seems I have to configure TLS.permittedpeer for the server as well.

This means:
- Every client needs a certificate which is simply not the case, and with hundreds of VMs no one is going to do this work. And these available certificates are only permitted for server uses, not for client authentication.
- Every client has to be part of TLS.permittedpeer (okay, maybe I can use *.domain here).

In the end I want to have a client server configuration like you have for a web server. The client checks the server certificate, but no client certificate is needed. Is this possible?

Shade and sweet water!

    Stephan



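Following up on the fingerprint suggestion in the reply above, here is an added helper (not code from the thread or from rsyslog itself) that turns a peer's PEM certificate into the "SHA1:XX:XX:..." string that rsyslog's fingerprint authmode expects in TLS.permittedpeer, per the omrelp docs linked above. The sample PEM is constructed from placeholder bytes and is not a real certificate; only the PEM framing and base64 matter for the demonstration.

```python
import base64
import hashlib
import re

# Matches the first CERTIFICATE block; a chain file has the leaf first,
# and permittedpeer should carry the peer's own (leaf) fingerprint.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop LF/CRLF/indentation
    return base64.b64decode(body, validate=True)


def rsyslog_fingerprint(pem: str) -> str:
    """SHA1 over the DER, rendered as rsyslog wants it: SHA1:AA:BB:..."""
    digest = hashlib.sha1(pem_to_der(pem)).digest()
    return "SHA1:" + ":".join(f"{b:02X}" for b in digest)


def permittedpeer_directive(pems) -> str:
    """Render the TLS.permittedpeer parameter for one or more peer certs."""
    fps = ", ".join(f'"{rsyslog_fingerprint(p)}"' for p in pems)
    return f"TLS.permittedpeer=[{fps}]"


def make_pem(der: bytes) -> str:
    """Wrap arbitrary bytes in PEM framing (constructed test data only)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed placeholders, NOT real DER certificates.
LEAF_DER = b"constructed placeholder DER for logserver leaf cert" * 3
CA_DER = b"constructed placeholder DER for the issuing CA cert" * 3
LEAF_PEM = make_pem(LEAF_DER)
CHAIN_PEM = LEAF_PEM + make_pem(CA_DER)  # leaf followed by CA, like a chain file

if __name__ == "__main__":
    print(rsyslog_fingerprint(LEAF_PEM))
    print(permittedpeer_directive([LEAF_PEM]))
```

With a real file, `rsyslog_fingerprint(open("/path/to/cert").read())` yields the value to paste into the peer's TLS.permittedpeer list.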
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

