Hi,

There has been no change to the nsd_ossl.c driver since January 2023, so I
believe this is not related to the different rsyslog versions you are
running.
The warnings tell you that there is no client certificate configured, which
can be ok but is unusual in this setup. To get rid of them I would recommend
configuring a client certificate as well.

Regarding the SSL_ERROR_SYSCALL, it indicates a lower system level error,
which is 104 in your case. 104 means "Connection Reset by peer", so most
likely the server dropped the client during handshake for some reason.
To tell more, I would have to see the debug log from the server.

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: i...@adiscon.com

> -----Original Message-----
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Derek Atkins via rsyslog
> Sent: Thursday, 1 June 2023 14:45
> To: rsyslog@lists.adiscon.com
> Cc: Derek Atkins <de...@ihtfp.com>
> Subject: [rsyslog] Omfwd OpenSSL TLS fails on 2023.04.0
>
> Hi,
>
> I've been using RSyslog to accumulate and aggregate messages in an
> intermediary and then send them to another server.  This intermediary runs
> rsyslog with an Omfwd rule and uses OpenSSL to connect to the main server.
> I've been running with this configuration for a while and it's been
> working just fine for a while with the same configuration.
>
> I've got one intermediary running 8.2302.0 and it works just fine, but
> another one that is running 8.2304.0 is failing with the following
> repeating logs:
>
> May 31 16:12:51 DIA-SLHS rsyslogd: Warning: Certificate file is not set [v8.2304.0 try https://www.rsyslog.com/e/2330 ]
> May 31 16:12:51 DIA-SLHS rsyslogd: Warning: Key file is not set [v8.2304.0 try https://www.rsyslog.com/e/2331 ]
> May 31 16:12:51 DIA-SLHS rsyslogd: nsd_ossl: TLS Connection initiated with remote syslog server. [v8.2304.0]
> May 31 16:12:51 DIA-SLHS rsyslogd: SSL_ERROR_SYSCALL Error in 'osslHandshakeCheck Client': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=-1, errno=104, sslapi='SSL_do_handshake'  [v8.2304.0]
>
> The rsyslog omfwd rule says:
>
>   action(type="omfwd"
>       protocol="tcp"
>       StreamDriver="ossl"
>       StreamDriverAuthMode="x509/certvalid"
>       StreamDriverMode="1"
>       StreamDriver.CAFile="/etc/ssl/certs/rsyslog_ca_cert.pem"
>       target="<log server>"
>       port="6514"
>       gnutlsPriorityString="Protocol=ALL,-SSLv2,-SSLv3,-TLSv1
>               MinProtocol=TLSv1.2"
>       template="<my template>"
>   )
>
> If it matters, I also have an input imtcp rule with openssl turned on, but
> that appears to be working just fine and I'm getting data into the
> intermediary.
>
> Is there some way to better debug why the omfwd is not working?
>
> Thanks,
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        de...@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL:
> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
> beyond
> our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
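
Added example (not part of the original thread and not rsyslog code): a small Python triage that parses the nsd_ossl lines quoted in the post, decodes the errno using Linux numbering, and attaches the rsyslog warnings logged by the same host in the same second. The function name `triage`, the errno subset and the regular expressions are assumptions built from the four log lines shown above.

```python
import re

# Constructed sample: the four log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
May 31 16:12:51 DIA-SLHS rsyslogd: Warning: Certificate file is not set [v8.2304.0 try https://www.rsyslog.com/e/2330 ]
May 31 16:12:51 DIA-SLHS rsyslogd: Warning: Key file is not set [v8.2304.0 try https://www.rsyslog.com/e/2331 ]
May 31 16:12:51 DIA-SLHS rsyslogd: nsd_ossl: TLS Connection initiated with remote syslog server. [v8.2304.0]
May 31 16:12:51 DIA-SLHS rsyslogd: SSL_ERROR_SYSCALL Error in 'osslHandshakeCheck Client': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=-1, errno=104, sslapi='SSL_do_handshake'  [v8.2304.0]
"""

# Subset of Linux errno values that surface during a TCP/TLS handshake.
# Assumption: the sending host is Linux (errno numbering is OS-specific).
LINUX_ERRNO = {
    32: ("EPIPE", "Broken pipe"),
    104: ("ECONNRESET", "Connection reset by peer"),
    110: ("ETIMEDOUT", "Connection timed out"),
    111: ("ECONNREFUSED", "Connection refused"),
    113: ("EHOSTUNREACH", "No route to host"),
}

STAMP_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) rsyslogd: (.*)$")
WARN_RE = re.compile(
    r"Warning: (?P<text>.+?) \[v[\d.]+ try https://www\.rsyslog\.com/e/(?P<code>\d+) \]")
ERR_RE = re.compile(
    r"(?P<kind>SSL_ERROR_\w+) Error in '(?P<where>[^']+)': '(?P<detail>[^']*)' "
    r"with ret=(?P<ret>-?\d+), errno=(?P<errno>\d+), sslapi='(?P<api>[^']+)'")

def triage(log_text):
    """Return one record per TLS error line, with the errno decoded and the
    rsyslog warnings seen earlier for the same host and timestamp attached."""
    warnings, records = {}, []
    for line in log_text.splitlines():
        m = STAMP_RE.match(line)
        if not m:
            continue  # not an rsyslogd line in the expected format
        key, msg = (m.group(1), m.group(2)), m.group(3)
        w = WARN_RE.search(msg)
        if w:
            warnings.setdefault(key, []).append((int(w.group("code")), w.group("text")))
        e = ERR_RE.search(msg)
        if e:
            num = int(e.group("errno"))
            name, text = LINUX_ERRNO.get(num, ("UNKNOWN", "not in table"))
            records.append({"when": key[0], "host": key[1], "kind": e.group("kind"),
                            "where": e.group("where"), "sslapi": e.group("api"),
                            "ret": int(e.group("ret")), "errno": num, "errno_name": name,
                            "errno_text": text, "warnings": list(warnings.get(key, []))})
    return records
```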