Mailing List Archive

required version of openssl
when starting rsyslog 8.1908 on centos 6.10 it generates an error that the
openssl api is too old

what version of openssl is required? can the error message be modified to say
that version rather than just 'too old'? (and can the rpm packaging list the
version as a requirement?)

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: required version of openssl [ In reply to ]
This is fixed in 8.1910. the error message was actually a bug, it should
only appear if you use an unsupported and uncommon config parameter.

Easier

Sent from phone, thus brief.

David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Mon, 7 Oct
2019, 20:58:

> when starting rsyslog 8.1908 on centos 6.10 it generates an error that the
> openssl api is too old
>
> what version of openssl is required? can the error message be modified to
> say
> that version rather than just 'too old'? (and can the rpm packaging list
> the
> version as a requirement?)
>
> David Lang
Re: required version of openssl [ In reply to ]
hmm, it seems like a really simple config

streamdriver ossl
mode 1
authmode anon
and certs defined by the obsolete $foo parameters

I tried setting the cipher, but wasn't able to get it working.

is there an example of a working ossl config that someone can post?

David Lang

On Tue, 8 Oct 2019, Rainer Gerhards wrote:

> Date: Tue, 8 Oct 2019 08:09:12 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: David Lang <david@lang.hm>
> Subject: Re: [rsyslog] required version of openssl
>
> This is fixed in 8.1910. the error message was actually a bug, it should
> only appear if you use an unsupported and uncommon config parameter.
>
> Easier
>
> Sent from phone, thus brief.
Re: required version of openssl [ In reply to ]
Can you show your config line? Maybe what you try to set is actually
what requires the newer openSSL API.

Andre, can you step in here?

Rainer

On Tue, 8 Oct 2019 at 9:51, David Lang (<david@lang.hm>) wrote:
>
> hmm, it seems like a really simple config
>
> streamdriver ossl
> mode 1
> authmode anon
> and certs defined by the obsolete $foo parameters
>
> I tried setting the cipher, but wasn't able to get it working.
>
> is there an example of a working ossl config that someone can post?
>
> David Lang
Re: required version of openssl [ In reply to ]
side note: testbench has samples, e.g.
https://github.com/rsyslog/rsyslog/blob/master/tests/imtcp-tls-ossl-error-cert.sh

If you go to the tests dir, all tests with "ossl" in them use the
openssl TLS driver.

HTH
Rainer

On Tue, 8 Oct 2019 at 9:54, Rainer Gerhards
(<rgerhards@hq.adiscon.com>) wrote:
>
> Can you show your config line? Maybe what you try to set is actually
> what requires the newer openSSL API.
>
> Andre, can you step in here?
>
> Rainer
Re: required version of openssl [ In reply to ]
as I say, a pretty simple config

$DefaultNetstreamDriverCAFile /ews/security/rsyslog/ssl/certs/int2-ca.pem
$DefaultNetstreamDriverCertFile /etc/seceng-syslog-ng/ssl/cert.d/s.int.cer
$DefaultNetstreamDriverKeyFile /etc/seceng-syslog-ng/ssl/key.d/s.int.key


module(load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Name="ossl"
StreamDriver.Mode="1"
StreamDriver.AuthMode="anon"
# gnutlsPriorityString="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
)
input(type="imtcp"
name="a-rsyslog"
port="6515"
ruleset="a"
)




On Tue, 8 Oct 2019, Rainer Gerhards wrote:

> Date: Tue, 8 Oct 2019 09:54:15 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: David Lang <david@lang.hm>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] required version of openssl
>
> Can you show your config line? Maybe what you try to set is actually
> what requires the newer openSSL API.
>
> Andre, can you step in here?
>
> Rainer
Re: required version of openssl [ In reply to ]
Had a quick look at code. If you uncomment

gnutlsPriorityString="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"

it makes rsyslog require the SSL_CONF_CTX_set_flags() API, which in
the code is guarded by
#if OPENSSL_VERSION_NUMBER >= 0x10020000L
So I guess that's the problem here.

Andre knows the details (he has written it), but he is available only
later today.

Rainer

On Tue, 8 Oct 2019 at 10:26, David Lang (<david@lang.hm>) wrote:
>
> as I say, a pretty simple config
>
> $DefaultNetstreamDriverCAFile /ews/security/rsyslog/ssl/certs/int2-ca.pem
> $DefaultNetstreamDriverCertFile /etc/seceng-syslog-ng/ssl/cert.d/s.int.cer
> $DefaultNetstreamDriverKeyFile /etc/seceng-syslog-ng/ssl/key.d/s.int.key
>
>
> module(load="imtcp"
> #StreamDriver.Name="gtls"
> StreamDriver.Name="ossl"
> StreamDriver.Mode="1"
> StreamDriver.AuthMode="anon"
> # gnutlsPriorityString="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
> )
> input(type="imtcp"
> name="a-rsyslog"
> port="6515"
> ruleset="a"
> )
Re: required version of openssl [ In reply to ]
even if I completely remove that line it still errors out, but that indicates
that I would need to go to at least 1.0.2 to be able to use that option.

David Lang

On Tue, 8 Oct 2019, Rainer Gerhards wrote:

> Date: Tue, 8 Oct 2019 10:29:54 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: David Lang <david@lang.hm>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] required version of openssl
>
> Had a quick look at code. If you uncomment
>
> gnutlsPriorityString="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
>
> it makes rsyslog require the SSL_CONF_CTX_set_flags() API, which in
> the code is guarded by
> #if OPENSSL_VERSION_NUMBER >= 0x10020000L
> So I guess that's the problem here.
>
> Andre knows the details (he has written it), but he is available only
> later today.
>
> Rainer
Re: required version of openssl [ In reply to ]
We need to use SSL_CONF_cmd API to set custom ciphers and other options.
This API was added in OpenSSL 1.0.2, see the API documentation:
https://www.openssl.org/docs/man1.0.2/man3/SSL_CONF_cmd.html

CentOS 6 is probably using old OpenSSL 0.9.8 which does not support that
API.

Our testbench is skipping those tests when such an old OpenSSL Version is
being found.

Best regards,
Andre Lorbach


> -----Original Message-----
> From: rsyslog [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of
> Rainer Gerhards via rsyslog
> Sent: Tuesday, October 8, 2019 10:03 AM
> To: David Lang <david@lang.hm>
> Cc: Rainer Gerhards <rgerhards@hq.adiscon.com>; rsyslog-users
> <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] required version of openssl
>
> side note: testbench has samples, e.g.
> https://github.com/rsyslog/rsyslog/blob/master/tests/imtcp-tls-ossl-error-cert.sh
>
> If you go to the tests dir, all tests with "ossl" in them use the openssl
> TLS driver.
>
> HTH
> Rainer
Re: required version of openssl [ In reply to ]
centos 6 has 1.0.1e (with lots of backports)

if I don't try to configure ciphers, is there a config that will work? or is the
anon auth mode part of what requires this API? (or something like that)

David Lang

On Tue, 8 Oct 2019, Andre Lorbach wrote:

> Date: Tue, 8 Oct 2019 12:53:04 +0200
> From: Andre Lorbach <alorbach@adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <david@lang.hm>
> Cc: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Subject: RE: [rsyslog] required version of openssl
>
> We need to use SSL_CONF_cmd API to set custom ciphers and other options.
> This API was added in OpenSSL 1.0.2, see the API documentation:
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CONF_cmd.html
>
> CentOS 6 is probably using old OpenSSL 0.9.8 which does not support that
> API.
>
> Our testbench is skipping those tests when such an old OpenSSL Version is
> being found.
>
> Best regards,
> Andre Lorbach
Re: required version of openssl [ In reply to ]
On Tue, 8 Oct 2019 at 13:08, David Lang (<david@lang.hm>) wrote:
>
> centos 6 has 1.0.1e (with lots of backports)
>
> if I don't try to configure ciphers, is there a config that will work? or is the
> anon auth mode part of what requires this API? (or something like that)

David, I guess you missed an important part in my initial response:
8.1908 has a BUG that emits this error message in all cases, even if
the API is not used. This was fixed in 8.1910. As a work-around, the
error message can simply be ignored.

Fix PR: https://github.com/rsyslog/rsyslog/pull/3851

Andre: please correct me if I am wrong in this case.

Rainer
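Added example (not part of the thread and not rsyslog's own code): a small C model of the behaviour discussed above, where the "too old" error should be raised only when a setting that needs the OpenSSL 1.0.2 SSL_CONF_cmd API is actually configured, and the message names the required and the linked version. The struct, function names, message wording and sample version numbers are assumptions of this example; the version layout is OpenSSL's pre-3.0 0xMNNFFPPS encoding.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL before 3.0 packs its version as 0xMNNFFPPS: major, minor, fix,
 * patch letter (1 = 'a') and status (0xf = release). */
#define OSSL_MIN_SSL_CONF 0x10002000UL /* 1.0.2, where the thread says SSL_CONF_cmd was added */

/* Sample version numbers, constructed from the layout above. */
#define SAMPLE_0_9_8  0x0090800fUL
#define SAMPLE_1_0_1E 0x1000105fUL
#define SAMPLE_1_0_2K 0x100020bfUL

enum { CHECK_OK = 0, CHECK_API_TOO_OLD = -1 };

/* Hypothetical stand-in for the TLS driver settings. */
struct tls_cfg {
    const char *priority_string; /* custom cipher/option string, NULL if not set */
};

/* Render a packed version number as text, e.g. 0x1000105f -> "1.0.1e". */
const char *ossl_version_str(unsigned long v, char *buf, size_t len)
{
    unsigned patch = (unsigned)((v >> 4) & 0xff);
    int n = snprintf(buf, len, "%lu.%lu.%lu",
                     (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff);
    if (patch >= 1 && patch <= 26 && n > 0 && (size_t)n + 1 < len) {
        buf[n] = (char)('a' + patch - 1);
        buf[n + 1] = '\0';
    }
    return buf;
}

/* Model of the behaviour reported for 8.1908: the error fires for every
 * old library, whether or not the setting that needs the API is used. */
int check_unconditional(unsigned long linked, const struct tls_cfg *cfg,
                        char *err, size_t len)
{
    (void)cfg;
    if (len) err[0] = '\0';
    if (linked < OSSL_MIN_SSL_CONF) {
        snprintf(err, len, "OpenSSL API too old"); /* constructed wording */
        return CHECK_API_TOO_OLD;
    }
    return CHECK_OK;
}

/* Model of the intended behaviour: complain only when the setting is
 * present, and name both the required and the linked version. */
int check_when_used(unsigned long linked, const struct tls_cfg *cfg,
                    char *err, size_t len)
{
    char ver[16];
    if (len) err[0] = '\0';
    if (cfg->priority_string == NULL || linked >= OSSL_MIN_SSL_CONF)
        return CHECK_OK;
    snprintf(err, len,
             "priority string needs OpenSSL >= 1.0.2 (SSL_CONF_cmd), linked library is %s",
             ossl_version_str(linked, ver, sizeof ver));
    return CHECK_API_TOO_OLD;
}

int main(void)
{
    const unsigned long samples[] = { SAMPLE_0_9_8, SAMPLE_1_0_1E, SAMPLE_1_0_2K };
    /* Option string as quoted in the thread's config. */
    const struct tls_cfg custom = { "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2" };
    const struct tls_cfg plain = { NULL };
    char ver[16], err[160];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_version_str(samples[i], ver, sizeof ver);
        printf("%-7s plain, unconditional: %d\n", ver,
               check_unconditional(samples[i], &plain, err, sizeof err));
        printf("%-7s plain, when used:     %d\n", ver,
               check_when_used(samples[i], &plain, err, sizeof err));
        printf("%-7s custom, when used:    %d %s\n", ver,
               check_when_used(samples[i], &custom, err, sizeof err), err);
    }
    return 0;
}
```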
Re: required version of openssl [ In reply to ]
Some weak anon ciphers will work on OpenSSL versions before 1.0.2, but
support for automatic EC temporary key parameter selection won't work as it
needs SSL_CTX_set_ecdh_auto and SSL_CTX_set_tmp_ecdh API which is also
supported in 1.0.2 and higher only.

This test for example uses anon server and client and will work on CentOS 6:
https://github.com/rsyslog/rsyslog/blob/master/tests/sndrcv_tls_ossl_serveranon_ossl_clientanon.sh

Best regards,
Andre Lorbach

> -----Original Message-----
> From: David Lang [mailto:david@lang.hm]
> Sent: Tuesday, October 8, 2019 1:08 PM
>
> centos 6 has 1.0.1e (with lots of backports)
>
> if I don't try to configure ciphers, is there a config that will work? or
> is the
> anon auth mode part of what requires this API? (or something like that)
Re: required version of openssl [ In reply to ]
On Tue, 8 Oct 2019, Rainer Gerhards wrote:

> On Tue, 8 Oct 2019 at 13:08, David Lang (<david@lang.hm>) wrote:
>>
>> centos 6 has 1.0.1e (with lots of backports)
>>
>> if I don't try to configure ciphers, is there a config that will work? or is the
>> anon auth mode part of what requires this API? (or something like that)
>
> David, I guess you missed an important part in my initial response:
> 8.1908 has a BUG that emits this error message in all cases, even if
> the API is not used. This was fixed in 8.1910. As a work-around, the
> error message can simply be ignored.

Thanks, I did misunderstand this.

David Lang

> Fix PR: https://github.com/rsyslog/rsyslog/pull/3851
>
> Andre: please correct me if I am wrong in this case.
>
> Rainer