Hi Sophie,

To get rid of the cert verification I used the following config parameter

$InputTCPServerStreamDriverAuthMode anon         # client is NOT authenticated

So in your case I would think it's the following:
 tls.authMode=anon

for anonymous authentication.

This was set on the server side.

My whole config looked like this:

::::::::::::::
/etc/rsyslog.d/tls.conf
::::::::::::::
# syslog via tls configuration
$ModLoad imtcp # TCP listener

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/certs/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/certs/cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/certs/key.pem

#Ruleset
$Ruleset TLS
*.* /apps/log/tls.log
action(
        name="rsyslog-debug-local"
        template="RSYSLOG_DebugFormat"
        type="omfile"
        file="/apps/log/rsyslog-debug-tls.log"
)
$Ruleset RSYSLOG_DefaultRuleset

$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerBindRuleset TLS
$InputTCPServerRun 6514 # start up listener at port 6514

Regards

carsten


Carsten Lange | Security Specialist | CISSP | E: [email protected] 

-----Original Message-----
From: rsyslog [mailto:[email protected]] On Behalf Of sophie.loewenthal--- via rsyslog
Sent: Tuesday, 13 November 2018 16:27
To: rsyslog-users <[email protected]>
Cc: [email protected]
Subject: Re: [rsyslog] TLS and rsyslog

Hi,

New error message. After removing the tls.permittedpeer=["*.local"] and the
tls.authmode I saw this:

2018-11-13T16:19:22.691302+01:00 6 rsyslogd: imrelp[10514]: error 'TLS record 
write failed [gnutls error -10: The specified session has been invalidated for 
some reason.]', object  'lstn 10514: conn to clt 10.1.1.8/a2.local ' - input 
may not work as intended [v8.24.0 try http://www.rsyslog.com/e/2353 ]



> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of sophie.loewenthal--- via rsyslog
> Sent: Tuesday, November 13, 2018 4:03 PM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] TLS and rsyslog
> 
> Thanks. I configured the CA and certs for the clients and servers. I set the
> dnsName to a wildcard, e.g. *.local, in the certificates.
> 
> Both clients and servers started, and the server listens on the ports with 
> TLS.
> 
> However TLS connections cannot be established. This is something to do 
> with a 'peer' which was specified in tls.permittedpeer=
> 
> The error on the server is :
> 2018-11-13T15:50:12.783315+01:00 6 rsyslogd: imrelp[10514]: 
> authentication error 'no permited name found', peer is '' [v8.24.0 try
> http://www.rsyslog.com/e/2353 ]
> 
> 
> I used this config:
> Server:
> input(type="imrelp" port="10514" tls="on"
> tls.caCert="/etc/pki/tls/private/ca-cert.pem"
> tls.myCert="/etc/pki/tls/private/collector-cert.pem"
> tls.myPrivKey="/etc/pki/tls/private/collector-key.pem"
> tls.authMode="name"
> tls.permittedpeer=["*.local"]
> )
> 
> Client:
> action(type="omrelp" target="5" port="10514" tls="on"
>  tls.caCert="/etc/pki/tls/private/ca-cert.pem"
>  tls.myCert="/etc/pki/tls/private/sender-cert.pem"
>  tls.myPrivKey="/etc/pki/tls/private/sender-key.pem"
>  tls.authmode="name"
>  tls.permittedpeer=["*.local"]
> )
> action(type="omrelp" target="6" port="10514" tls="on"
>  tls.caCert="/etc/pki/tls/private/ca-cert.pem"
>  tls.myCert="/etc/pki/tls/private/sender-cert.pem"
>  tls.myPrivKey="/etc/pki/tls/private/sender-key.pem"
>  tls.authmode="name"
>  tls.permittedpeer=["*.local"]
> )
> 
> What should I add for the tls.permittedpeer? I don't think this is
> correct. Or my certificates are wrong.
> 
> > -----Original Message-----
> > From: rsyslog [mailto:[email protected]] On Behalf Of John Chivian
> > Sent: Tuesday, November 13, 2018 1:56 PM
> > To: sophie.loewenthal--- via rsyslog
> > Subject: Re: [rsyslog] TLS and rsyslog
> >
> > If both client and server are willing to accept and use a valid 
> > certificate, and do no other verification checks, then yes you can 
> > use the same cert on all client systems.
> >
> > Regards,
> >
> > On 11/13/18 3:22 AM, sophie.loewenthal--- via rsyslog wrote:
> > > Light bulb moment:  Can I use the same client cert on all of the clients?
> > >
> > >> -----Original Message-----
> > >> From: rsyslog [mailto:[email protected]] On Behalf Of sophie.loewenthal--- via rsyslog
> > >> Sent: Tuesday, November 13, 2018 10:06 AM
> > >> To: rsyslog-users
> > >> Cc: LOEWENTHAL Sophie
> > >> Subject: [rsyslog] TLS and rsyslog
> > >>
> > >> Hi,
> > >>
> > >> I've read lots of dox on setting up TLS for sending logs and
> > >> every time I see one has to set up a CA and then have a
> > >> certificate for every client. I'd have to create 1001 certificates
> > >> and then a new client cert for every new server. This is
> > >> impractical and the time is not available to perform the task.
> > >> For comparison, we don't require every user's browser to have a
> > >> client cert to connect with a webserver, like Paypal, and I use
> > >> self-signed certs for some internal web servers.
> > >>
> > >> In my case the objective is to encrypt the syslog data sent over
> > >> the network, but not to identify the sending machine.
> > >> Is there a way to have rsyslog use a self-signed certificate and
> > >> trust all the clients that connect over TLS?
> > >>
> > >> Some examples that suggest using a self-signed CA + clients:
> > >> https://access.redhat.com/solutions/519533
> > >> https://waqarafridi.wordpress.com/2015/11/16/configure-ssltls-between-two-rsyslog-systems/
> > >> And the list goes on.
> > >>
> > >> Best wishes,
> > >> Sophie
> > >>
> > >> Not working on Mondays / Working except Mondays. Team mailbox:
> > >> [email protected] or direct [email protected]
> > >>
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > >> POST if you DON'T LIKE THAT.
> >
> >
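The two listener postures discussed in this thread, `tls.authMode="name"` with a `permittedPeer` list versus `anon`, come down to one decision: given the DNS names found in the client certificate, is the peer accepted? The following is an added example, written for this page and not code from rsyslog or librelp, that models that decision. The component-wise wildcard matching (one `*` per dotted label, equal label count, case-insensitive) is my approximation of the documented permittedPeer behaviour, the `peer_accepted` and `permitted_peer_match` names are mine, and the scenarios, including the empty name list that corresponds to the logged `peer is ''`, are constructed:

```python
"""Model of rsyslog-style permittedPeer checking.

Constructed example for illustration; not rsyslog's or librelp's code.
"""
from typing import Iterable, Tuple


def _label_matches(pattern: str, label: str) -> bool:
    """Match one dotted-name component.

    '*' alone matches any label; a leading or trailing '*' matches a
    suffix or prefix; anything else must match exactly. DNS names are
    case-insensitive, so both sides are lower-cased. A '*' in the middle
    of a label is not handled by this simplified model.
    """
    p, lab = pattern.lower(), label.lower()
    if p == "*":
        return True
    if p.startswith("*"):
        return lab.endswith(p[1:])
    if p.endswith("*"):
        return lab.startswith(p[:-1])
    return p == lab


def permitted_peer_match(name: str, pattern: str) -> bool:
    """Component-wise wildcard match (assumed semantics, see module docstring).

    Both sides are split on '.', the label counts must agree, and every
    label must match. So "*.local" accepts "a2.local" but not
    "a2.site.local", which has one label too many.
    """
    name_parts = name.split(".")
    pat_parts = pattern.split(".")
    if len(name_parts) != len(pat_parts):
        return False
    return all(_label_matches(p, n) for p, n in zip(pat_parts, name_parts))


def peer_accepted(cert_names: Iterable[str],
                  permitted_peers: Iterable[str],
                  auth_mode: str) -> Tuple[bool, str]:
    """Decide whether a connecting peer would be accepted, with a reason.

    cert_names: DNS SAN entries and CN taken from the peer certificate; an
      empty list stands for "no usable name presented", which is what the
      logged "peer is ''" reports.
    auth_mode: "anon" (transport encrypted, client NOT authenticated) or
      "name" (client must present a certificate whose name is permitted).
    """
    names = list(cert_names)
    peers = list(permitted_peers)
    if auth_mode == "anon":
        return True, "anon: transport encrypted, peer identity not checked"
    if auth_mode != "name":
        raise ValueError(f"unsupported authMode in this model: {auth_mode!r}")
    if not peers:
        return False, "name mode requires at least one permittedPeer"
    for n in names:
        for p in peers:
            if permitted_peer_match(n, p):
                return True, f"name {n!r} matches permittedPeer {p!r}"
    # Mirrors the shape of the error quoted in the thread: an empty name
    # list yields "peer is ''".
    return False, f"no permitted name found, peer is {', '.join(names)!r}"


if __name__ == "__main__":
    # Constructed scenarios: (names in client cert, permittedPeer list, authMode)
    scenarios = [
        (["a2.local"], ["*.local"], "name"),
        ([], ["*.local"], "name"),
        (["a2.site.local"], ["*.local"], "name"),
        ([], [], "anon"),
    ]
    for names, peers, mode in scenarios:
        ok, why = peer_accepted(names, peers, mode)
        verdict = "accept" if ok else "reject"
        print(f"{mode:<5} names={names} peers={peers} -> {verdict}: {why}")
```

Two points the model makes visible. First, in `name` mode a client that presents no usable name is rejected however the `permittedPeer` wildcard is written, so the `*.local` pattern was never the thing being matched in the quoted error. Second, `anon` returns accept before any name is looked at: the transport is encrypted, but anything that can reach the listener port can send log lines, which is exactly what the `# client is NOT authenticated` comment in Carsten's config means, and the trade-off Sophie described wanting.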