Forcing openssl-1.1.1 on Centos7
While fighting with mutual authentication and certificate problems I
found that chained certificates are supported from a certain rsyslog
release, but unfortunately only after upgrading past that release (to
8.2010 at this moment, to be precise) I also found that support for
chained certs needs a decently recent openssl version.

And that's where it's getting tricky. My setup runs on CentOS7. And
CentOS ships with openssl-1.0.2 by default. I did install openssl11
package from EPEL repository but it installs another version side-by-side.

So when I run rsyslogd, it loads the default openssl 1.0.2 library.

Is there any reasonable way to force rsyslogd to load a particular
version of the openssl library and use it for the omrelp module?
tls.tlslib parameter doesn't give me a possibility to choose a
particular version. It just wants "openssl".

Are there any other methods?


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Forcing openssl-1.1.1 on Centos7
Hello!

LD_PRELOAD can help you I guess.. though it'll be rsyslog-wide (not just
omrelp). As long as ABI & API are the same it might work for you.

Though I'd recommend spinning up a newer rsyslog with a proper openssl lib in a
container (docker/podman/systemd-nspawn). Then you may use your
distro-bundled rsyslog just to forward the required messages into your
containerized rsyslog, which will do the complex things instead.


On Wed, 20 Jan 2021 at 23:50, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:



--
Yury Bushmelev
Re: Forcing openssl-1.1.1 on Centos7
On 21/01/2021 06:54, Yuri Bushmelev wrote:
> Hello!
>
> LD_PRELOAD can help you I guess.. though it'll be rsyslog-wide (not
> just omrelp). As long as ABI & API are the same it might work for you.
>
> Though I'd recommend to spin newer rsyslog with proper openssl lib in
> a container (docker/podman/systemd-nspawn). Then you may use your
> distro-bundled rsyslog just to forward messages required into your
> containerized rsyslog which will do complex things instead.

Bah. I didn't notice it yesterday but it seems that relp modules are
linked to 1.0 versions of openssl libraries in Centos7 so LD_PRELOAD
won't work since the libs are different versions I suppose (and as far
as I know, they do have incompatible API/ABI). It's just that I thought
the TLS lib is explicitly dlopened somewhere later within rsyslogd but
it seems that it's just linked against one ssl version at build time.

I'm not a big fan of the idea of containerizing rsyslog since it forces
me to rebuild it anyway, so I might just build my own rpms with openssl11
as well. But I still wanted to avoid that.

Ehhhh. CentOS7.

It seems I'll have to do some workaround to the chained certs problem
(like redirecting inputs to two different CAs based on source IP using
iptables - ugly as hell). Will have to do for now.

Re: Forcing openssl-1.1.1 on Centos7
you can always rebuild librelp yourself - that's the obvious solution...

My 2cts
Rainer

On Thu, 21 Jan 2021 at 9:07, Mariusz Kruk via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
Re: Forcing openssl-1.1.1 on Centos7
Sure. I can rebuild whole rsyslog package or just the RELP components :-)

I just wanted to avoid custom building altogether because that
introduces another level of support burden on my side :-)

I can't understand one more thing though.

I'm trying to set up two different RELP inputs with two different CA
certificates. In fact, I have at least three RELP inputs but it seems
that all are obviously affected.

It seems that, unfortunately, with openssl-1.0.2 the certs, even though
provided on a per-input basis configure main openssl context and only
the "first ones" work. So even though I define different sets of certs
for each input, I get the same certs bound to all inputs. Is it just a
restriction of openssl-1.0.2 and there's no way around it? Or is it
somehow "workaroundable" in 8.2012? (for now I only upgraded up to
8.2010 because it didn't force me to change my config).

I would very much like to avoid custom building so I'm starting to think
about leaving rsyslog-based TLS encryption and just offloading it to
stunnel. I'm not sure though if it won't raise new problems.


On 21/01/2021 10:30, Rainer Gerhards wrote:
> you can always rebuild librelp yourself - that's the obvious solution...
>
> My 2cts
> Rainer
Re: Forcing openssl-1.1.1 on Centos7
OK. It turned out I cannot read ;-)

But seriously - the docs state that chained certs should work with
openssl 1.0.2 (I have no idea why I read it at first as "1.0.7" or
something like that; is there such a version at all? :-)) but you only get
one ssl context. OK, that's fine by me. But even though I configured
chained certs, I still get the server hello with only a single cert.
Seems I'll have to dig deeper.

Are there any caveats I should be aware of?

On 21/01/2021 11:22, Mariusz Kruk via rsyslog wrote:
Re: Forcing openssl-1.1.1 on Centos7
And... ladies and gentlemen... it's getting weirder and weirder.

I got so focused on what's not working that I missed the fact that on many
other rsyslog instances the chained certs seem to be working OK.

And here's where it gets confusing.

I have two different sites with pretty much identical configs except for IPs
and certs.

One of those sites connects OK to a RELP receiver, another one - doesn't.

OK. So I try to do just plain openssl s_client -connect with a
certificate that I have for each machine.

For one machine it works - the client shows full certificate path
(Subject,Intermediate1,Root,Root), for the other one - the client shows
only the subject's certificate (whereas the file contains
Subject,Intermediate2,Root,Root).

But if I try and do openssl verify, each step of the chain does verify
properly.

So it's no wonder that if the remote end shows only its Subject
certificate without proper chain, the server responds with "go away, I
don't know your CA". That's pretty normal.

To make things even more confusing, the RELP input also shows only the Subject
certificate in the Server Hello message even though it does have the same
Intermediate1,Root,Root path as the working client.

As you can imagine, I'm going a bit bananas at the moment ;-)

Anyone ever had similar problem?

Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: mariusz.kruk@comp.com.pl
e-mail: mariusz.kruk@safecomp.com
tel: +48 608 623 299

On 21/01/2021 12:32, Mariusz Kruk via rsyslog wrote:
Re: Forcing openssl-1.1.1 on Centos7
Let me jump into the discussion: for OpenSSL 1.1.0 and higher we can use
"SSL_use_certificate_chain_file" to set the certificate chain file and apply
it to the SSL context.
For OpenSSL 1.0.2, we can only load the chained certificate if we use
"SSL_CTX_load_verify_locations", which loads the configured certificate only
if NO CA certificate is configured.

I am not sure if this has been properly documented yet, if not I will have
this done ASAP.

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB 560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: info@adiscon.com

Information regarding your data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient or have received this e-mail in error please
notify the sender immediately and delete this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.




> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On behalf of Mariusz
> Kruk via rsyslog
> Sent: Thursday, 21 January 2021 15:07
> To: rsyslog@lists.adiscon.com
> Cc: Mariusz Kruk <mkr@safecomp.com>
> Subject: Re: [rsyslog] Forcing openssl-1.1.1 on Centos7
Re: Forcing openssl-1.1.1 on Centos7
I'm not sure I understand it.

I thought that I load chains on client's side in tls.mycert for
presenting it to the server and tls.cacert is for verifying server's
certificate.

And from the server's side - the opposite - cacert for verifying clients
and mycert for showing to them.

Is it not so?

On 21/01/2021 16:06, Andre Lorbach via rsyslog wrote:
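The file roles asked about in the message above, written out for both ends of a RELP/TLS link, as an added configuration example that is neither from the thread nor from the rsyslog project; the paths, host names and port are placeholders, and the parameter names are the ones documented for imrelp and omrelp.

```rsyslog
# --- receiver (imrelp) ---
# tls.cacert is used to VERIFY the clients' certificates;
# tls.mycert is what this end PRESENTS to them (leaf first, then its intermediate(s)).
module(load="imrelp" tls.tlslib="openssl")
input(type="imrelp" port="2514" tls="on"
      tls.cacert="/etc/rsyslog.d/tls/client-issuers.pem"
      tls.mycert="/etc/rsyslog.d/tls/server-chain.pem"
      tls.myprivkey="/etc/rsyslog.d/tls/server.key"
      tls.authmode="name"
      tls.permittedpeer=["*.example.org"])

# --- sender (omrelp) ---
# tls.cacert is used to VERIFY the server's certificate;
# tls.mycert is what this client PRESENTS (leaf, then Inter2, then Root in the case above).
action(type="omrelp" target="logserver.example.org" port="2514" tls="on"
       tls.tlslib="openssl"
       tls.cacert="/etc/rsyslog.d/tls/server-issuers.pem"
       tls.mycert="/etc/rsyslog.d/tls/client-chain.pem"
       tls.myprivkey="/etc/rsyslog.d/tls/client.key"
       tls.authmode="name"
       tls.permittedpeer=["logserver.example.org"])
```

So the reading in the message is the usual one: cacert verifies the peer, mycert is presented to the peer. The caveat Andre Lorbach raised earlier in the thread applies on top of it: with OpenSSL 1.0.2, rsyslog only loads the chain from mycert when no CA certificate is configured, so on such a host a chained mycert plus a cacert cannot both take effect, which is the combination the omrelp client with the Inter2-issued certificate needs. With OpenSSL 1.1.0 or newer the two settings are independent.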
Re: Forcing openssl-1.1.1 on Centos7
OK. After some testing it seems that it's a bit more complicated than this.

In my case I had the server configured with a "short" certificate signed by
a CA (let's call it Inter1) signed by the Root CA. (And for now I'd be happy
not to touch it because it's a production environment and reconfiguring the
central server in such a setup can be tricky ;->)

For most of the clients I had short certs issued by the same Inter1 CA.
I managed to reconfigure the clients to use chained certs and at the
same time I had omrelp on the client configured with the Inter1 CA as TLS.CA.
And it worked.

But for some clients I got issued a cert from another CA (let's call
it Inter2). And here if I try to set omrelp with (subject->Inter2->Root
CA) as the cert and (Inter1 -> Root CA) as the CA, the client sends just the
client's cert (not the whole chain).

But I cannot authenticate the server because - as I understand - I don't
have its CA. Can I do anything about it? Bah. I know it'd be best to
upgrade to 1.1.1 but it ain't that easy here.


On 21/01/2021 16:12, Mariusz Kruk via rsyslog wrote:
> I'm not sure I understand it.
>
> I thought that I load chains on client's side in tls.mycert for
> presenting it to the server and tls.cacert is for verifying server's
> certificate.
>
> And from the server's side - the opposite - cacert for verifying
> clients and mycert for showing to them.
>
> Is it not so?
>
> On 21/01/2021 16:06, Andre Lorbach via rsyslog wrote:
>> Let me jump into the discussion: for OpenSSL 1.1.0 and higher we can use
>> "SSL_use_certificate_chain_file" to set the certificate chain file and
>> apply it to the SSL Context.
>> For OpenSSL 1.0.2, we can only load the chained certificate if we use
>> "SSL_CTX_load_verify_locations", which loads the configured certificate
>> only if NO CA certificate is configured.
>>
>> I am not sure if this has been properly documented yet; if not I will
>> have this done ASAP.
>>
>> Best regards,
>> Andre Lorbach
>>> -----Original Message-----
>>> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Mariusz
>>> Kruk via rsyslog
>>> Sent: Thursday, 21 January 2021 15:07
>>> To: rsyslog@lists.adiscon.com
>>> Cc: Mariusz Kruk <mkr@safecomp.com>
>>> Subject: Re: [rsyslog] Forcing openssl-1.1.1 on Centos7
>>>
>>> And... ladies and gentlemen... it's getting weirder and weirder.
>>>
>>> I got so focused on what's not working that I missed the fact that on
>>> many other rsyslog instances the chained certs seem to be working OK.
>>>
>>> And here's where it gets confusing.
>>>
>>> I have two different sites with a pretty identical config except for
>>> IPs and certs.
>>>
>>> One of those sites connects OK to a RELP receiver, another one doesn't.
>>>
>>> OK. So I try to do just plain openssl s_client -connect with the
>>> certificate that I have for each machine.
>>>
>>> For one machine it works - the client shows the full certificate path
>>> (Subject,Intermediate1,Root,Root); for the other one the client shows
>>> only the subject's certificate (whereas the file contains
>>> Subject,Intermediate2,Root,Root).
>>>
>>> But if I try and do openssl verify, each step of the chain does verify
>>> properly.
>>>
>>> So it's no wonder that if the remote end shows only its Subject
>>> certificate without the proper chain, the server responds with "go away,
>>> I don't know your CA". That's pretty normal.
>>>
>>> To make things even more confusing, the RELP input also shows only the
>>> Subject certificate in the Server Hello message even though it does have
>>> the same Intermediate1,Root,Root path as the working client.
>>>
>>> As you can imagine, I'm going a bit bananas at the moment ;-)
>>>
>>> Anyone ever had a similar problem?
>>>
>>> Mariusz Kruk
>>> IT Security Expert
>>> COMP S.A.
>>> Cybersecurity and Risk Management Division
>>> e-mail: mariusz.kruk@comp.com.pl
>>> e-mail: mariusz.kruk@safecomp.com
>>> tel: +48 608 623 299
>>>
>>> On 21/01/2021 12:32, Mariusz Kruk via rsyslog wrote:
>>>> OK. It turned out I cannot read ;-)
>>>>
>>>> But seriously - the docs state that chained certs should work with
>>>> openssl 1.0.2 (I have no idea why I read it at first as "1.0.7" or
>>>> something like that; is there such version at all? :-)) but you only
>>>> get one ssl context. OK, that's fine by me. But even though I
>>>> configured chained certs, I still get the server helo with only a
>>>> single cert. Seems I'll have to dig deeper.
>>>>
>>>> Are there any caveats I should be aware of?
>>>>
>>>> On 21/01/2021 11:22, Mariusz Kruk via rsyslog wrote:
>>>>> Sure. I can rebuild the whole rsyslog package or just the RELP
>>>>> components :-)
>>>>>
>>>>> I just wanted to avoid custom building altogether because that
>>>>> introduces another level of support burden on my side :-)
>>>>>
>>>>> I can't understand one more thing though.
>>>>>
>>>>> I'm trying to set up two different RELP inputs with two different CA
>>>>> certificates. In fact, I have at least three RELP inputs but it seems
>>>>> that all are obviously affected.
>>>>>
>>>>> It seems that, unfortunately, with openssl-1.0.2 the certs, even
>>>>> though provided on a per-input basis, configure the main openssl context
>>>>> and only the "first ones" work. So even though I define different
>>>>> sets of certs for each input, I get the same certs bound to all
>>>>> inputs. Is it just a restriction of openssl-1.0.2 and there's no way
>>>>> around it? Or is it somehow "workaroundable" in 8.2012? (For now I
>>>>> only upgraded up to 8.2010 because it didn't force me to change my
>>>>> config.)
>>>>>
>>>>> I would very much like to avoid custom building so I'm starting to
>>>>> think about leaving rsyslog-based TLS encryption and just offloading
>>>>> it to stunnel. I'm not sure though if it won't raise new problems.
>>>>>
>>>>>
>>>>> On 21/01/2021 10:30, Rainer Gerhards wrote:
>>>>>> you can always rebuild librelp yourself - that's the obvious
>>>>>> solution...
>>>>>>
>>>>>> My 2cts
>>>>>> Rainer
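The diagnostic Mariusz describes above (compare what `openssl s_client -showcerts` reports for each peer) can be scripted. The following is an added example for this thread, not code from the rsyslog or librelp projects or from anyone posting here: it parses the `Certificate chain` block that s_client prints and classifies what the peer actually sent, so a "short" (leaf-only) chain is reported before the receiver answers with an unknown-CA error. The sample outputs, host names and DNs in it are constructed placeholders; both the OpenSSL 1.0.x (`/C=PL/O=...`) and 1.1.x (`C = PL, O = ...`) subject formats are handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# " 0 s:/C=PL/O=Example/CN=host" (OpenSSL 1.0.x) or " 0 s:C = PL, O = ..." (1.1.x)
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")


@dataclass
class ChainEntry:
    """One certificate as listed by s_client: depth, subject DN, issuer DN."""
    depth: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_s_client_chain(output: str) -> List[ChainEntry]:
    """Return the entries of the 'Certificate chain' block of s_client output.

    The PEM bodies that -showcerts prints between entries match neither regex
    and are skipped; the block ends at the first bare '---' line (a PEM
    '-----BEGIN CERTIFICATE-----' line must not end it, hence the exact match).
    """
    entries: List[ChainEntry] = []
    in_chain = False
    pending = None  # (depth, subject) waiting for its 'i:' line
    for line in output.splitlines():
        if not in_chain:
            in_chain = line.startswith("Certificate chain")
            continue
        if line.strip() == "---":
            break
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return entries


def check_presented_chain(entries: List[ChainEntry]) -> Dict[str, object]:
    """Classify the chain a peer presented and list anything wrong with it.

    Verdicts: 'none' (no chain block), 'leaf-only' (the thread's symptom: the
    peer sent only its own certificate, so the verifier must already hold the
    intermediate), 'chain-without-root' (leaf plus intermediates; the root is
    expected from the trust store, which is normal TLS practice),
    'chain-with-root', or 'broken' (an issuer does not match the subject that
    follows it, so no path can be built from what was sent).
    """
    problems: List[str] = []
    if not entries:
        return {"verdict": "none", "count": 0, "problems": ["no certificate chain block found"]}
    if entries[0].depth != 0:
        problems.append("chain does not start at depth 0")
    contiguous = True
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            contiguous = False
            problems.append(f"depth {cur.depth}: issuer {cur.issuer!r} is not the next subject {nxt.subject!r}")
    # A repeated certificate (the 'Root,Root' bundle mentioned in the thread)
    # does not break verification but usually means a hand-assembled file.
    subjects = [e.subject for e in entries]
    for dup in sorted({s for s in subjects if subjects.count(s) > 1}):
        problems.append(f"certificate {dup!r} is listed more than once")
    if not contiguous:
        verdict = "broken"
    elif len(entries) == 1 and not entries[-1].self_signed:
        verdict = "leaf-only"
    elif entries[-1].self_signed:
        verdict = "chain-with-root"
    else:
        verdict = "chain-without-root"
    return {"verdict": verdict, "count": len(entries), "problems": problems}


# Constructed sample output (placeholder DNs, not real certificates): one client
# that sends leaf -> Inter1 -> Root, and one that sends only its leaf.
CLIENT_OK = """\
CONNECTED(00000003)
depth=2 C = PL, O = Example, CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:C = PL, O = Example, CN = relp-client-1.example.test
   i:C = PL, O = Example, CN = Example Inter1 CA
 1 s:C = PL, O = Example, CN = Example Inter1 CA
   i:C = PL, O = Example, CN = Example Root CA
 2 s:C = PL, O = Example, CN = Example Root CA
   i:C = PL, O = Example, CN = Example Root CA
---
Server certificate
"""

CLIENT_SHORT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=PL/O=Example/CN=relp-client-2.example.test
   i:/C=PL/O=Example/CN=Example Inter2 CA
---
Server certificate
"""

if __name__ == "__main__":
    for name, text in (("client-1", CLIENT_OK), ("client-2", CLIENT_SHORT)):
        result = check_presented_chain(parse_s_client_chain(text))
        print(name, result["verdict"], result["count"], *result["problems"])
```

In practice the text is captured with `openssl s_client -connect host:port -showcerts </dev/null` on the client side (or with `-cert`/`-key` when exercising mutual authentication) and fed to `parse_s_client_chain`; a `leaf-only` verdict from a peer whose chain file contains intermediates is exactly the mismatch the thread traces back to the OpenSSL 1.0.2 code path.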
Re: Forcing openssl-1.1.1 on Centos7 [ In reply to ]
OK. Just for the record (someone might dig up this thread in the future
and there's nothing more annoying than finding out that someone had a
similar problem but no resolution).

I rebuilt the 8.2010 packages to use openssl11 (and librelp-1.9.0 as
well, although I'm not sure if it was needed).

And I only used it on the remote hosts! (Unfortunately, on the central
"gathering" server, my rebuilt package started segfaulting right after
start and I had no time to debug.)

Unfortunately, if I use no CA option on the central host, I cannot
verify the remote hosts' certs properly, so I have to use the CA cert,
effectively leading the central server to present only the "short" cert on
the RELP port.

But due to using openssl on the remote clients I can present to the
central host a full chained cert from the Inter2 CA while still verifying
the server's cert with the Inter1 CA cert.

Seems to work. At least for now ;-)

Thanks to everybody for valuable insights.

On 25/01/2021 15:37, Mariusz Kruk via rsyslog wrote: