Thanks for the heads-up. It's probably due some time in the future but it'll require some good testing first. I won't roll-out into production lightly since we're having something like 500GB of logs daily 😃 After some thinking I realized one more thing. I can of course "go upstream" with the CA's and try to authenticate with chained certs and keep only root CA, not the whole trustchain on the receiver but still there'll come a day when rootCA cert expires and I'll have to switch to a new one. So eventually I will have to have a possibility to have at least two different CA's to verify clients' certs with. Is it at all possible?
-----Original Message----- From: David Lang <da...@lang.hm> Sent: Tuesday, December 22, 2020 6:10 PM To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> Cc: Mariusz Kruk <m...@safecomp.com> Subject: Re: [rsyslog] TLS is killing me ;-) just as a FYI, 8.2010 includeed some pretty significant TLS improvements. I don't think they are related to what you are fighting, but I think you will want to upgrade (at least on the receiver) David Lang On Tue, 22 Dec 2020, Mariusz Kruk via rsyslog wrote: > Date: Tue, 22 Dec 2020 12:45:03 +0100 (CET) > From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> > To: rsyslog@lists.adiscon.com > Cc: Mariusz Kruk <m...@safecomp.com> > Subject: [rsyslog] TLS is killing me ;-) > > I'm having a distributed setup using a central "collector" and many > "small" rsyslog instances receiving events on remote locations. > > Those small sites send events "upstream" using TLS-protected RELP with > mutual cert-based authentication. > > Problem is, I used to have trustchain working like that: "CA1 -> CA2 > -> > CA3 -> client cert". And it worked for many clients (around two > dozens, I believe). I had "CA1 -> CA2 -> CA3" provided as trust chain > on both side of the connection (both in imrelp and omrelp > configuration as tls.CACert > parameter) and just gave plain client cert as tls.MyCert. > > Worked great until now because I sudenly created CSR to the CA and got > in response a cert with a different chain - "CA2 -> CA4 -> client cert". > Obviously when I configure my client with this cert, it's not valid > becaues the CA4 cert cannot be authenticated by the other end. > > Do I have any other option than to simply reconfigure all ends to use > CA1 as CACert and append CAs to client certs to make them chained > certs? Of course since I have already many clients deployed I'd really > like to avoid that but if there's no other choice. > > I'm using: > > # rpm -q rsyslog > > rsyslog-8.2001.0-3.el7.x86_64 > > TIA for any words of advice. > > > > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
