Mailing List Archive

Neverending story with TLS settings
Hi.

I'm getting slowly driven insane with the TLS intricacies ;-)

I have a setup with rsyslog 8.2010 (yes, I know it's a relatively dated
version; at the moment I can't do much about it) on CentOS. It's
custom-compiled against OpenSSL 1.1 since the default CentOS packages use
1.0 and don't support "full" certificates. I have RELP inputs and
outputs, all with TLS. I also have a SuSE box with 8.2106
(distro-provided). And for the love of god I can't make them connect
over RELP/TLS. Whatever tls.prioritystring I configure on the "client",
it keeps connecting with a TLS 1.2 hello, which is refused by the server.
And I can't fiddle with the server's settings too much since it's a
legacy system and too many systems connect to it.

I tried simply creating another RELP input so that all "old" clients
connect to the old inputs as they used to, but let the one client
connect to the new one and worry about migrating all clients to a common
setting scheme a bit later. But if I run a standalone rsyslogd with just
one RELP input, I can do it with just default settings, whereas if I
configure an input on the server, regardless of the tls.tlscfgcmd
settings, I'm still getting the input listening on TLS 1.1 only.

input(
    ruleset="process-raw"
    type="imrelp"
    name="RELP/TLS://hostname:19516"
    address="my_IP"
    port="19516"
    oversizeMode="truncate"
    flowControl="light"
    tls="on"
    tls.compression="on"
    tls.caCert="/etc/pki/tls/certs/CA.pem"
    tls.myCert="/etc/pki/tls/certs/cert.pem"
    tls.myPrivKey="/etc/pki/tls/private/rsyslog.key"
    # OpenSSL SSL_CONF command string; only used with the OpenSSL librelp backend
    tls.tlscfgcmd="Protocol=TLSv1.2"
)

Even though my input is defined like that, it still responds to TLS 1.1
only. I suspect that the first configured tls.tlscfgcmd (which in my
case would be in an output action part) takes precedence and is set as
the global default. Can this be true? Because that would make sense,
since my output omrelp action does have TLS 1.1 set.

Best regards,

MK

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
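The check I would run before changing any more configuration is to ask the listener directly which protocol versions it will complete a handshake for, independently of what rsyslog claims to have applied. The script below is an added example, not part of MK's post or of the rsyslog/librelp projects. It assumes openssl(1) is installed, takes host and port as placeholder arguments (the my_IP and 19516 values from the post are only illustrative), and assumes, as I believe is the case for librelp, that TLS is negotiated immediately after the TCP connect with no STARTTLS step, so a bare s_client handshake is a faithful test of what an imrelp listener accepts.

```shell
#!/bin/sh
# Probe which TLS protocol versions a TLS listener (e.g. an imrelp input)
# will actually negotiate, one forced version at a time.
#
# Added example; host/port are placeholders supplied on the command line.
# Assumption: the listener speaks TLS from the first byte (as I believe
# librelp does), so a plain openssl s_client handshake reflects the
# listener's real protocol policy.

# probe_version HOST PORT FLAG
# Exit status 0 if s_client completes a handshake when restricted to the
# single protocol version named by FLAG (-tls1, -tls1_1, -tls1_2, -tls1_3).
# s_client does not abort on certificate verification failure, so a
# self-signed or private-CA listener certificate still counts as accepted;
# only the protocol handshake decides the result.
probe_version() {
    pv_host=$1
    pv_port=$2
    pv_flag=$3
    openssl s_client -connect "$pv_host:$pv_port" "$pv_flag" \
        </dev/null >/dev/null 2>&1
}

# accepted_versions HOST PORT
# Prints the space-separated list of versions (flag names without the
# leading dash) the server completed a handshake for, e.g. "tls1_2 tls1_3".
accepted_versions() {
    av_host=$1
    av_port=$2
    av_out=""
    for av_flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if probe_version "$av_host" "$av_port" "$av_flag"; then
            av_out="$av_out ${av_flag#-}"
        fi
    done
    echo "${av_out# }"
}

# report_versions HOST PORT
# Human-readable variant: one line per version, accepted or rejected.
report_versions() {
    rv_host=$1
    rv_port=$2
    for rv_flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if probe_version "$rv_host" "$rv_port" "$rv_flag"; then
            echo "$rv_flag accepted"
        else
            echo "$rv_flag rejected"
        fi
    done
}

# Usage: sh probe_tls.sh my_IP 19516
if [ "$#" -eq 2 ]; then
    report_versions "$1" "$2"
fi
```

One caveat when reading the output: on OpenSSL 3.x at the default security level the client itself refuses to offer TLS 1.0 and 1.1, so -tls1 and -tls1_1 come back as rejected whatever the server does. If you need to tell "server refused" apart from "client would not even try", pass `-cipher 'DEFAULT:@SECLEVEL=0'` to s_client (supported since OpenSSL 1.1.0). For the other direction, what an omrelp client sends in its ClientHello, the same idea applies with `openssl s_server -msg` standing in for the listener.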