Had a quick look at code. If you uncomment
gnutlsPriorityString="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
it makes rsyslog require the SSL_CONF_CTX_set_flags() API, which in
the code is guarded by
#if OPENSSL_VERSION_NUMBER >= 0x10020000L
So I guess that's the problem here.
Andre knows the details (he has written it), but he is available only
later today.
Rainer
On Tue, Oct 8, 2019 at 10:26, David Lang (<david@lang.hm>) wrote:
>
> as I say, a pretty simple config
>
> $DefaultNetstreamDriverCAFile /ews/security/rsyslog/ssl/certs/int2-ca.pem
> $DefaultNetstreamDriverCertFile /etc/seceng-syslog-ng/ssl/cert.d/s.int.cer
> $DefaultNetstreamDriverKeyFile /etc/seceng-syslog-ng/ssl/key.d/s.int.key
>
>
> module(load="imtcp"
> #StreamDriver.Name="gtls"
> StreamDriver.Name="ossl"
> StreamDriver.Mode="1"
> StreamDriver.AuthMode="anon"
> # gnutlsPriorityString="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
> )
> input(type="imtcp"
> name="a-rsyslog"
> port="6515"
> ruleset="a"
> )
>
>
>
>
> On Tue, 8 Oct 2019, Rainer Gerhards wrote:
>
> > Date: Tue, 8 Oct 2019 09:54:15 +0200
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > To: David Lang <david@lang.hm>
> > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> > Subject: Re: [rsyslog] required version of openssl
> >
> > Can you show your config line? Maybe what you try to set is actually
> > what requires the newer openSSL API.
> >
> > Andre, can you step in here?
> >
> > Rainer
> >
> > On Tue, Oct 8, 2019 at 9:51, David Lang (<david@lang.hm>) wrote:
> >>
> >> hmm, it seems like a really simple config
> >>
> >> streamdriver ossl
> >> mode 1
> >> authmode anon
> >> and certs defined by the obsolete $foo parameters
> >>
> >> I tried setting the cipher, but wasn't able to get it working.
> >>
> >> is there an example of a working ossl config that someone can post?
> >>
> >> David Lang
> >>
> >> On Tue, 8 Oct 2019, Rainer Gerhards wrote:
> >>
> >>> Date: Tue, 8 Oct 2019 08:09:12 +0200
> >>> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> >>> To: rsyslog-users <rsyslog@lists.adiscon.com>
> >>> Cc: David Lang <david@lang.hm>
> >>> Subject: Re: [rsyslog] required version of openssl
> >>>
> >>> This is fixed in 8.1910. The error message was actually a bug, it should
> >>> only appear if you use an unsupported and uncommon config parameter.
> >>>
> >>> Easier
> >>>
> >>> Sent from phone, thus brief.
> >>>
> >>> David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Mon, Oct 7,
> >>> 2019, 20:58:
> >>>
> >>>> when starting rsyslog 8.1908 on centos 6.10 it generates an error that the
> >>>> openssl api is too old
> >>>>
> >>>> what version of openssl is required? can the error message be modified to
> >>>> say
> >>>> that version rather than just 'too old'? (and can the rpm packaging list
> >>>> the
> >>>> version as a requirement?)
> >>>>
> >>>> David Lang
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com/professional-services/
> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>>> DON'T LIKE THAT.
> >>>>
> >>>
> >
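
An added illustration (not code from rsyslog or from anyone in this thread) of how a guard like the one quoted in the top message is evaluated: it is a compile-time numeric comparison against the OPENSSL_VERSION_NUMBER of the headers rsyslog was built with, which before OpenSSL 3.0 is laid out as 0xMNNFFPPS. The guard constant is copied as quoted above; the function names and the two sample version numbers are constructed for this example.

```c
#include <stdio.h>

/* Guard constant exactly as quoted in the message above. */
#define GUARD_AS_QUOTED 0x10020000UL

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout: 0xMNNFFPPS
 * (major, minor, fix, patch letter index, status nibble; 0xf = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xF);
    r.minor  = (unsigned)((v >> 20) & 0xFF);
    r.fix    = (unsigned)((v >> 12) & 0xFF);
    r.patch  = (unsigned)((v >> 4) & 0xFF);
    r.status = (unsigned)(v & 0xF);
    return r;
}

/* Render e.g. 0x1000105f as "1.0.1e"; returns snprintf's result. */
int ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    if (r.patch >= 1 && r.patch <= 26)
        return snprintf(buf, len, "%u.%u.%u%c", r.major, r.minor, r.fix,
                        'a' + (int)r.patch - 1);
    return snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
}

/* Same comparison the preprocessor makes: a plain numeric >=. */
int ossl_passes_guard(unsigned long headers_version, unsigned long guard)
{
    return headers_version >= guard;
}

int main(void)
{
    /* Constructed sample header versions, not values taken from the thread. */
    unsigned long samples[] = { 0x1000105fUL, 0x1010100fUL };
    char name[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format(samples[i], name, sizeof name);
        printf("headers %s (0x%08lx): guarded code %s\n", name, samples[i],
               ossl_passes_guard(samples[i], GUARD_AS_QUOTED) ? "compiled in" : "compiled out");
    }
    return 0;
}
```

Because the check happens in the preprocessor, the result depends on the OpenSSL headers present on the build host, not on the library found at run time.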