2008/12/2 RB <aoz.syn@gmail.com>:
> On Tue, Dec 2, 2008 at 06:55, Juan Miscaro <jmiscaro@gmail.com> wrote:
>> "neither the client nor the server are authenticated. So while the
>> message transfer is encrypted, you can not be sure which peer you are
>> talking to"
>
> I'm hoping Rainer will jump in and clarify precisely how much
> handshake validation he's implemented. The fact that the client must
> have a copy of the CA's public material seems to indicate he is at
> least verifying that the server's certificate was issued by the CA.
> It's possible to not do so, but the result is rather susceptible to
> MITM.
>
>> Also, how can client encrypt without having any keys specified in its config?
>
> This isn't the forum to discuss the particulars of the SSL handshake,
> but suffice it to say that SSL incorporates a challenge/response
> mechanism (using the server's presented certificate) followed by
> negotiation of an ephemeral session key. See also: public-key
> cryptography.
>
>> $DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
>> $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
>>
>> 2nd question: Why is the server not authenticated?
>
> Without looking at the code, I presume the 'anon' AuthMode is the
> switch used to tell the SSL library whether or not to check the server
> certificate against the CA. If so, it should make specifying the CA
> public key redundant - the client just accepts whatever certificate
> the server (or MITM) presents and starts encrypting to it.
Thank you. I changed my config and logging is happening on the server
end. However, I get such lines in the logs on the server end when I
restart the client system:
invalid or yet-unknown config file command - have you forgotten to
load a module?
the last error occured in /etc/rsyslog.conf, line 42
invalid or yet-unknown config file command - have you forgotten to
load a module?
the last error occured in /etc/rsyslog.conf, line 45
invalid or yet-unknown config file command - have you forgotten to
load a module?
the last error occured in /etc/rsyslog.conf, line 46
invalid or yet-unknown config file command - have you forgotten to
load a module?
the last error occured in /etc/rsyslog.conf, line 47
invalid or yet-unknown config file command - have you forgotten to
load a module?
the last error occured in /etc/rsyslog.conf, line 49
invalid or yet-unknown config file command - have you forgotten to
load a module?
the last error occured in /etc/rsyslog.conf, line 51
This happens for each TLS line in my client config (comments removed):
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
$DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
$DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
/juan
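Since the thread turns on the difference between the 'anon' and 'x509/name' auth modes, here is an added example (my own code, not from the thread or the rsyslog project) that audits a client rsyslog.conf written in the legacy $Directive syntax shown above and reports, for each @@host:port forwarding action, whether TLS is switched on and whether the server is actually authenticated. The sample config is constructed for the example; it assumes the $Action* stream-driver directives stay in effect for every later action until changed, and the directive $ActionSendStreamDriverPermittedPeer and the modes x509/certvalid and x509/fingerprint come from the rsyslog documentation, not from this thread.

```python
"""Audit rsyslog legacy-format TLS forwarding directives (added example)."""
import re

# Constructed sample: the client config from the thread, plus a second
# destination where the auth mode was switched back to 'anon'.
SAMPLE_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
$DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
$DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.org
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
# second destination: encrypted, but the server is no longer verified
$ActionSendStreamDriverAuthMode anon   # server is NOT authenticated
*.* @@10.0.0.5:10514
"""

DIRECTIVE_RE = re.compile(r"^\$(\w+)\s+(\S+)")
# "selector @@host[:port]" is a TCP forwarding action; default syslog port is 514
FORWARD_RE = re.compile(r"^\S+\s+@@([^\s:]+)(?::(\d+))?")


def _strip_comment(line):
    """Drop a trailing '# ...' comment, as on the directives quoted above."""
    return line.split("#", 1)[0].strip()


def _assess(state, host, port):
    """Judge one forwarding action against the driver state in effect for it."""
    tls = state["mode"] == "1"
    auth = state["auth_mode"]
    issues = []
    if not tls:
        issues.append("TLS not enabled ($ActionSendStreamDriverMode != 1): plain TCP")
    elif state["driver"] != "gtls":
        issues.append("$DefaultNetstreamDriver is not gtls")
    if tls and auth == "anon":
        # Assumption from the thread: anon means the client accepts any
        # certificate, so the channel is encrypted but open to a MITM.
        issues.append("auth mode anon: server not authenticated, MITM possible")
    if tls and auth in ("x509/name", "x509/certvalid") and not state["ca_file"]:
        issues.append(f"{auth} requires $DefaultNetstreamDriverCAFile")
    if tls and auth == "x509/name" and not state["permitted_peers"]:
        issues.append("x509/name without $ActionSendStreamDriverPermittedPeer")
    authenticated = tls and auth != "anon" and not issues
    return {
        "destination": f"{host}:{port or '514'}",
        "tls": tls,
        "auth_mode": auth,
        "server_authenticated": authenticated,
        "issues": issues,
    }


def audit(conf_text):
    """Walk the config top to bottom and return one finding per @@ action."""
    # rsyslog defaults: plain TCP (mode 0) and anonymous peers.
    state = {"driver": None, "ca_file": None, "auth_mode": "anon",
             "mode": "0", "permitted_peers": []}
    setters = {
        "DefaultNetstreamDriver": "driver",
        "DefaultNetstreamDriverCAFile": "ca_file",
        "ActionSendStreamDriverAuthMode": "auth_mode",
        "ActionSendStreamDriverMode": "mode",
    }
    findings = []
    for raw in conf_text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if name in setters:
                state[setters[name]] = value
            elif name == "ActionSendStreamDriverPermittedPeer":
                state["permitted_peers"].append(value)
            continue
        m = FORWARD_RE.match(line)
        if m:
            findings.append(_assess(state, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        verdict = "OK" if f["server_authenticated"] else "WEAK"
        print(f"{f['destination']:22} {f['auth_mode']:14} {verdict}")
        for issue in f["issues"]:
            print(f"    - {issue}")
```

Run against the sample, the first destination passes and the second is flagged because the channel is encrypted but the server is not verified, which is exactly the 'anon' trade-off RB describes. Point it at a real config by reading the file into audit() instead of SAMPLE_CONF.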
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com