Mailing List Archive

RELP with TLS - authentication modes?
Hi,

I'm setting up centralized logging with rsyslog and RELP and I want to
secure things with TLS.

However, it's not really clear to me which TLS authentication modes
rsyslog / RELP support.

Is server authentication only supported or is mutual authentication
always required?

The documentation tutorials set up mutual authentication with
client certificates included, but I'm not sure if that is due to
them being required or just to provide a comprehensive example.

On the imrelp documentation page at:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html

Under TLS.PermittedPeer it says:
---
Peer places access restrictions on this listener.
Only peers which have been listed in this parameter may connect.
The validation bases on the certificate the remote peer presents.
---

To me it sounds like if you don't configure this, client authentication
is not required? But also...

Under TLS.AuthMode it says:
---
type | default | mandatory
----------------------------
string | none | no

Sets the mode used for mutual authentication.
---

This sounds like the actual setting for mutual authentication...

With this set to "none", I would assume mutual authentication is not
required?

Currently without configuring certificates on clients my TLS handshakes
are failing and now I'm unsure if it's due to TLS library issues or due to
client certificates being required?

It would be nice if mutual authentication is not required since the overhead
of creating certificates for every client is really big...
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
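As an added example (not from the thread and not rsyslog's own documentation) of the two settings the question quotes: an imrelp listener with TLS enabled but no tls.authMode, beside one that requires and checks client certificates, plus the matching omrelp client for the second listener. Host names, ports and file paths are assumptions for illustration.

```rainerscript
# Added example, not from the thread or the rsyslog project.
# Ports, paths and host names are assumed values.

# --- central log server ---
module(load="imrelp")

# 1) Encrypted but UNAUTHENTICATED: tls.authMode is left unset (the "none"
#    default in the doc table). As the reply in the thread notes, this uses
#    anonymous ciphers: the wire is private, but any host that can reach
#    the port may connect and inject or flood events.
input(type="imrelp" port="2514" tls="on"
      ruleset="relp-anon")

# 2) Mutually authenticated: the listener presents its own certificate,
#    validates the client certificate against the CA, and accepts only the
#    listed names. tls.permittedPeer is matched against the peer certificate,
#    so it only has an effect together with an authMode that checks one.
input(type="imrelp" port="2515" tls="on"
      tls.caCert="/etc/rsyslog.d/ca.pem"
      tls.myCert="/etc/rsyslog.d/server-cert.pem"
      tls.myPrivKey="/etc/rsyslog.d/server-key.pem"
      tls.authMode="name"
      tls.permittedPeer=["client1.example.com", "client2.example.com"]
      ruleset="relp-mtls")

# Keep the two trust levels in separate files so unauthenticated input is
# never mixed with authenticated input.
ruleset(name="relp-anon") { action(type="omfile" file="/var/log/relp-anon.log") }
ruleset(name="relp-mtls") { action(type="omfile" file="/var/log/relp-mtls.log") }

# --- each client (here client1.example.com), sending to listener 2 ---
# The client also pins the server's name, so both directions are verified.
module(load="omrelp")
action(type="omrelp" target="logs.example.com" port="2515" tls="on"
       tls.caCert="/etc/rsyslog.d/ca.pem"
       tls.myCert="/etc/rsyslog.d/client1-cert.pem"
       tls.myPrivKey="/etc/rsyslog.d/client1-key.pem"
       tls.authMode="name"
       tls.permittedPeer=["logs.example.com"])
```

If a handshake still fails, running the daemon in the foreground with debug output (`rsyslogd -dn`) shows the underlying TLS library error, which is what the later reply in the thread suggests checking first.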
Re: RELP with TLS - authentication modes?
On the other hand - what's the point of using TLS if you don't want to
authenticate the sources?

OK, one may argue that it's simply to avoid the possibility of
eavesdropping on events on the wire, but usually you're sending the
events over fairly secure networks. But TLS authentication gives you the
possibility of making sure that third parties do not connect to your
rsyslog server and spoof the events (or even try to DoS it with huge
amounts of data).

Just my two cents.

On 12.02.2021 08:00, Joonas Tuomisto via rsyslog wrote:
Re: RELP with TLS - authentication modes?
Hi,

Try enabling debug output in rsyslog to see what the actual TLS error is.
By default, it should be no problem to use anon ciphers if your authmode
is anon.

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: info@adiscon.com

Information regarding your data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient or have received this e-mail in error
please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.




> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On behalf of Joonas
> Tuomisto via rsyslog
> Sent: Friday, 12 February 2021 08:00
> To: rsyslog@lists.adiscon.com
> Cc: Joonas Tuomisto <jootuom@gmail.com>
> Subject: [rsyslog] RELP with TLS - authentication modes?