Mailing List Archive

rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:
Has anyone come across this error?

This occurs in the logs when I do a logger test from client to server using TLS. Some kind of TLS error.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:
Yes. People came across this error several times.

-110 GNUTLS_E_PREMATURE_TERMINATION The TLS connection was
non-properly terminated.

It means something is wrong with either the configuration or your network.

With such skimpy details we can't say much more.

Check your config, check your connection with openssl s_client, do a
tcpdump if necessary and see what's going on on the wire...

On 17.07.2023 06:29, Andrew Cowan via rsyslog wrote:
> Has anyone come across this error?
>
> This occurs in the logs when I do a logger test from client to server using TLS. Some kind of TLS error.
Re: rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:
I suggest using the openssl driver (ossl, separate package). A prime
reason for implementing openssl was that the gnutls error messages are
usually very unhelpful. This is much better with openssl.

Rainer

On Mon, 17 Jul 2023 at 8:54, Mariusz Kruk via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Yes. People came across this error several times.
>
> -110 GNUTLS_E_PREMATURE_TERMINATION The TLS connection was
> non-properly terminated.
>
> It means something is wrong with either the configuration or your network.
>
> With such skimpy details we can't say much more.
>
> Check your config, check your connection with openssl s_client, do a
> tcpdump if necessary and see what's going on on the wire...
>
> On 17.07.2023 06:29, Andrew Cowan via rsyslog wrote:
> > Has anyone come across this error?
> >
> > This occurs in the logs when I do a logger test from client to server using TLS. Some kind of TLS error.
Re: rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:
True that. Sometimes though you don't have much choice if you're
constrained by your distro's packages.

And I must say that TLS configuration is (or at least can be) hugely
messed up anyway.

But -110 typically says that the connection ended before it properly
went through all its stages and was properly closed. Usually (but not
always) it suggests that the remote end decided it doesn't like
something about us (our algorithms suite, our certificate validity or
lack thereof, our DN or SAN) and decided to close the connection
(possibly forcefully by just sending RST).

It might help to look into the other end's logs - they might contain the
reason for such termination.

On 17.07.2023 09:37, Rainer Gerhards wrote:
> I suggest using the openssl driver (ossl, separate package). A prime
> reason for implementing openssl was that the gnutls error messages are
> usually very unhelpful. This is much better with openssl.
>
> Rainer
>
> On Mon, 17 Jul 2023 at 8:54, Mariusz Kruk via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
>> Yes. People came across this error several times.
>>
>> -110 GNUTLS_E_PREMATURE_TERMINATION The TLS connection was
>> non-properly terminated.
>>
>> It means something is wrong with either the configuration or your network.
>>
>> With such skimpy details we can't say much more.
>>
>> Check your config, check your connection with openssl s_client, do a
>> tcpdump if necessary and see what's going on on the wire...
>>
>> On 17.07.2023 06:29, Andrew Cowan via rsyslog wrote:
>>> Has anyone come across this error?
>>>
>>> This occurs in the logs when I do a logger test from client to server using TLS. Some kind of TLS error.
Re: rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:
Thank you for your replies.

The client and server are on the same subnet (neighbors). Unencrypted traffic works fine.
I have gone for the most basic approach to try and get tls working.

One question:
Does the client need its own certificate? I have just ensured it has the CA certificate of the server.

I would be happy to try OpenSSL. Can you provide what changes I would need to make to use this?

I test connectivity with openssl client connect, which appears to work OK. So I was thinking it was more rsyslog config specific.
________________________________
From: rsyslog <rsyslog-bounces@lists.adiscon.com> on behalf of Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
Sent: Monday, July 17, 2023 7:43:27 pm
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Mariusz Kruk <kruk@epsilon.eu.org>
Subject: Re: [rsyslog] rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:

True that. Sometimes though you don't have much choice if you're
constrained by your distro's packages.

And I must say that TLS configuration is (or at least can be) hugely
messed up anyway.

But -110 typically says that the connection ended before it properly
went through all its stages and was properly closed. Usually (but not
always) it suggests that the remote end decided it doesn't like
something about us (our algorithms suite, our certificate validity or
lack thereof, our DN or SAN) and decided to close the connection
(possibly forcefully by just sending RST).

It might help to look into the other end's logs - they might contain the
reason for such termination.

On 17.07.2023 09:37, Rainer Gerhards wrote:
> I suggest using the openssl driver (ossl, separate package). A prime
> reason for implementing openssl was that the gnutls error messages are
> usually very unhelpful. This is much better with openssl.
>
> Rainer
>
> On Mon, 17 Jul 2023 at 8:54, Mariusz Kruk via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
>> Yes. People came across this error several times.
>>
>> -110 GNUTLS_E_PREMATURE_TERMINATION The TLS connection was
>> non-properly terminated.
>>
>> It means something is wrong with either the configuration or your network.
>>
>> With such skimpy details we can't say much more.
>>
>> Check your config, check your connection with openssl s_client, do a
>> tcpdump if necessary and see what's going on on the wire...
>>
>> On 17.07.2023 06:29, Andrew Cowan via rsyslog wrote:
>>> Has anyone come across this error?
>>>
>>> This occurs in the logs when I do a logger test from client to server using TLS. Some kind of TLS error.
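Added example, not part of any post in this thread: a minimal rsyslog TLS setup using the ossl driver suggested above, showing how the server's authentication mode decides whether the client needs its own certificate. All file paths and host names are placeholders, and the ossl driver package is assumed to be installed on both hosts.

```rsyslog
# ===== SERVER (receiver) =====
# Switch the network stream driver from "gtls" to "ossl"; the CA, certificate
# and key settings keep the same parameter names. Paths are placeholders.
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# Mode "1" = TLS only. AuthMode "x509/name" makes the server demand a client
# certificate signed by the CA whose subject matches PermittedPeer. A client
# that presents no certificate, or a non-matching one, gets its connection
# closed by the server, and the reason is written to the server's own log.
# With AuthMode "anon" the client needs only the CA file, but then any host
# that can reach the port may submit log messages.
module(
    load="imtcp"
    StreamDriver.Name="ossl"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"
    PermittedPeer=["client.example.net"]
)
input(type="imtcp" port="6514")

# ===== CLIENT (sender), separate host and separate config file =====
# The Cert/Key lines are required whenever the server uses an x509/* AuthMode.
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# The client in turn verifies the server certificate against the CA file and
# checks its name against StreamDriverPermittedPeers.
action(
    type="omfwd"
    target="logserver.example.net" port="6514" protocol="tcp"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="logserver.example.net"
)
```

When both ends use the same driver and matching AuthMode settings, a failed handshake is logged by the rejecting side with the certificate or name check that failed, which is where the cause of a premature termination on the other end is found.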