Mailing List Archive

Fwd: Disable Client Certificate Request
Hi everybody,
I am trying to get a Synology NAS to send its internal logs to a VM
running rsyslog via TCP and TLS. The transmission works fine using UDP
but once I enable encryption in the Synology, I am getting a (not very
helpful) error message (see attached).

Eventually I recorded the traffic with tcpdump on the VM running rsyslog
and I see a repeating pattern (second attachment).

As you can see, the connection is reset after an internal error by the
Synology box which happens right after the server HELLO. To me it looks
like the rsyslog server is doing a certificate request for client auth
but that is not supported by the Synology and so it crashes (I can only
upload a CA to verify the server certificate but not a client cert).

How can I disable this behavior? I am using StreamDriver.Authmode="anon"
which should disable the client certificate request.

Please find attached the rsyslog.conf in question.
Thank you very much in advance

OS: Fedora 35
Packages:
rsyslog.x86_64 8.2204.0-1.fc35 @updates-testing
rsyslog-gnutls.x86_64 8.2204.0-1.fc35 @updates-testing
rsyslog-openssl.x86_64 8.2204.0-1.fc35 @updates-testing
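
One way to test the diagnosis in the post above against a capture: this added example (not part of the original thread and not rsyslog code) walks the plaintext TLS records of one direction of a TCP stream, reporting whether a CertificateRequest follows the ServerHello and which alert was sent. It assumes TLS 1.2 or earlier, where these messages are unencrypted; all function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS handshake message types and alert descriptions (subset, from RFC 5246).
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 16: "ClientKeyExchange"}
ALERTS = {40: "handshake_failure", 48: "unknown_ca", 80: "internal_error"}

def parse_records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break  # capture was truncated mid-record
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def summarize(stream):
    """List plaintext handshake messages and alerts in one direction, in order."""
    events, buf, encrypted = [], b"", False
    for ctype, payload in parse_records(stream):
        if ctype == 20:                      # ChangeCipherSpec: rest is encrypted
            encrypted = True
            events.append("ChangeCipherSpec")
        elif encrypted:
            continue
        elif ctype == 22:                    # handshake messages may span records
            buf += payload
            while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
                events.append(HANDSHAKE.get(buf[0], f"handshake({buf[0]})"))
                buf = buf[4 + int.from_bytes(buf[1:4], "big"):]
        elif ctype == 21 and len(payload) == 2:
            level = "fatal" if payload[0] == 2 else "warning"
            events.append(f"alert:{level}:{ALERTS.get(payload[1], payload[1])}")
    return events

def requests_client_cert(server_stream):
    return "CertificateRequest" in summarize(server_stream)

# Constructed sample bytes (zero-filled message bodies), not the poster's capture.
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def handshake_msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

SERVER_FLIGHT = (record(22, handshake_msg(2, bytes(38)) + handshake_msg(11, bytes(7)))
                 + record(22, handshake_msg(13, bytes(6)) + handshake_msg(14)))
CLIENT_REPLY = record(21, bytes([2, 80]))    # fatal internal_error
```

Feed it the reassembled payload of each direction separately, for example a raw export of the server-to-client bytes from the tcpdump capture.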
Re: Fwd: Disable Client Certificate Request
If you want to use certless TLS communication, there is no need to configure
DefaultNetstreamDriverCAFile, DefaultNetstreamDriverCertFile or
DefaultNetstreamDriverKeyFile.
See our sample configurations from the testbench:
https://github.com/rsyslog/rsyslog/blob/91885676001c9df1c2c91514d144cf71755d5d14/tests/sndrcv_tls_gtls_serveranon_gtls_clientanon.sh

I would recommend switching over to the openssl (ossl) driver, which gives us
way more detailed error messages.
My guess is that rsyslog and your NAS are not finding a shared cipher.

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: info@adiscon.com

> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Solarer via rsyslog
> Sent: Tuesday, 17 May 2022 17:46
> To: rsyslog@lists.adiscon.com
> Cc: Solarer <solarer@hotmail.de>
> Subject: [rsyslog] Fwd: Disable Client Certificate Request