Hi Brad, I am not sure what protocols rsyslog 8.24 has available (from a brief examination, it appears syslog uses gtls (GnuTLS) [1][2] for the underlying SSL/TLS library). Apache NiFi 1.2.0 and above cannot accept incoming TLS connections (“listen for”) protocols below TLS v1.2. The version of Jetty which hosts the internal web server excludes these previous protocol versions by default, which is why the StandardRestrictedSSLContextService was introduced.
You should do a little more investigation to determine what TLS protocol versions are supported by your combination of rsyslog and GnuTLS. You may need to upgrade the versions in order to be able to communicate with NiFi directly. If you cannot change the rsyslog setup, you may be able to introduce a proxy server between that source and NiFi which performs TLS termination and re-establishes a TLS connection using TLS v1.2. You could also manually override the Jetty configuration using custom cipher suites, but we do not provide instructions on doing that, as it would weaken the security stance of NiFi.

Hope this helps.

[1] http://www.l3jane.net/doc/rsyslog/tutorials/tls.html
[2] https://www.rsyslog.com/doc/master/tutorials/tls_cert_errmsgs.html

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Jun 26, 2018, at 1:01 PM, bp123 <[email protected]> wrote:
>
> Sorry for the formatting errors.
>
> Hello, I am trying to send syslog events from centos 7 running rsyslog 8.24 to NiFi ListenSyslog processor. I have created the required certs and placed them in rsyslog and NiFi keystore. My issue is that the TLS connection is not working.
>
> Here is my rsyslog configuration:
>
> #TLS setup
> $DefaultNetstreamDriver gtls # use gtls netstream driver
> $DefaultNetstreamDriverCAFile /root/rsyslog/ca.pem
> $DefaultNetstreamDriverCertFile /root/rsyslog/deleteme-rsyslog-client-cert.pem
> $DefaultNetstreamDriverKeyFile /root/rsyslog/deleteme-rsyslog-client-key.pem
> $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
> $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
>
> $ActionQueueFileName fwdRule1 # unique name prefix for spool files
> $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> $ActionQueueType LinkedList # run asynchronously
> $ActionResumeRetryCount -1 # infinite retries if host is down
> *.* @@192.168.0.126:6514;RSYSLOG_SyslogProtocol23Format
>
> I have a JKS with the CA cert and the server public/private keys that is loaded into NiFi. The error I am seeing on the rsyslog side is:
>
> Jun 26 13:22:01 fluentd rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:1755: The TLS connection was non-properly terminated. [v8.24.0 try http://www.rsyslog.com/e/2078 ]
>
> The error on the NiFi side is:
>
> 2018-06-26 11:32:47,139 ERROR [pool-46-thread-2] o.a.n.r.io.socket.ssl.SSLSocketChannel org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@342539b8 Failed to connect due to {}
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:210)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:163)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
> at org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
> at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1115)
> at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:807)
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:228)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performTasks(SSLSocketChannel.java:273)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:259)
> ... 7 common frames omitted
> 2018-06-26 11:32:47,140 ERROR [pool-46-thread-2] o.a.n.processors.standard.ListenSyslog ListenSyslog[id=01641000-173f-1aa4-f5da-bff8f278184d] Error reading from channel due to Inbound closed before receiving peer's close_notify: possible truncation attack?: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:177)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
> at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
> at org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>
> I recognize that NiFi is saying that no cipher suites in common, but I have not found a way to adjust cipher suites in rsyslog. I was able to setup HA proxy SSL termination with the same certificates and the traffic worked just fine. I wanted to use the StandardSSLContextService 1.6.0 instead of the StandardRestrictedSSLContextService 1.6.0. Any thoughts?
>
> --
> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
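As an added diagnostic example (not code from this thread, from NiFi or from rsyslog), the parser below reads a raw TLS ClientHello record, such as one captured off the listener port with tcpdump, and reports which protocol versions and cipher suite ids the client offers; a listener restricted to TLS 1.2 cannot find a suite in common with a client that only offers TLS 1.0. The two ClientHello samples are constructed inline, not real captures; the hypothetical helper names are mine, while extension type 43 is the real supported_versions id from RFC 8446.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 supported_versions extension type

def u16(buf, pos): return struct.unpack("!H", buf[pos:pos + 2])[0]  # big-endian uint16

def parse_client_hello(record):
    """Return the versions and cipher suite ids a raw ClientHello record offers."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + u16(record, 3)]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    versions = {u16(hello, 0)}                   # legacy client_version field
    pos = 2 + 32                                 # skip client_random
    pos += 1 + hello[pos]                        # skip session_id
    cs_len = u16(hello, pos); pos += 2
    suites = [u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                        # skip compression_methods
    if pos + 2 <= len(hello):                    # extensions block is optional
        end = pos + 2 + u16(hello, pos); pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = u16(hello, pos), u16(hello, pos + 2); pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT:  # TLS 1.3 clients list versions here
                vlist = hello[pos + 1:pos + 1 + hello[pos]]
                versions.update(u16(vlist, i) for i in range(0, len(vlist), 2))
            pos += ext_len
    return {"versions": versions, "cipher_suites": suites}

def accepted_by_restricted_listener(record, min_version=0x0303):
    """True if the client can negotiate min_version (TLS 1.2 by default) or newer."""
    return max(parse_client_hello(record)["versions"]) >= min_version

def build_client_hello(version, suites, supported_versions=()):
    """Constructed sample ClientHello (not a real capture) for exercising the parser."""
    ext = b""
    if supported_versions:
        sv = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(sv) + 1, len(sv)) + sv
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"        # version, random, empty sid
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + (struct.pack("!H", len(ext)) + ext if ext else b""))  # null compression
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(body)) + body

# Constructed samples: a legacy TLS 1.0-only client and a modern TLS 1.2/1.3 client.
OLD_CLIENT = build_client_hello(0x0301, [0x002f, 0x0035])
NEW_CLIENT = build_client_hello(0x0303, [0x1301, 0xc02f], supported_versions=(0x0304, 0x0303))
```

Feeding the first record of a real capture to `accepted_by_restricted_listener` tells you whether the rsyslog/GnuTLS side ever offers TLS 1.2 before you go looking at cipher suite lists.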