[rsyslog] TLS certificates
Rainer Gerhards
rgerhards at hq.adiscon.com
Tue Dec 2 17:31:13 CET 2008
Too old version?
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Juan Miscaro
> Sent: Tuesday, December 02, 2008 5:31 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] TLS certificates
>
> 2008/12/2 RB <aoz.syn at gmail.com>:
> > On Tue, Dec 2, 2008 at 06:55, Juan Miscaro <jmiscaro at gmail.com>
> wrote:
> >> "neither the client nor the server are authenticated. So while the
> >> message transfer is encrypted, you can not be sure which peer you are
> >> talking to"
> >
> > I'm hoping Rainer will jump in and clarify precisely how much
> > handshake validation he's implemented. The fact that the client must
> > have a copy of the CA's public material seems to indicate he is at
> > least verifying that the server's certificate was issued by the CA.
> > It's possible to not do so, but the result is rather susceptible to
> > MITM.
> >
> >> Also, how can the client encrypt without having any keys specified in
> >> its config?
> >
> > This isn't the forum to discuss the particulars of the SSL handshake,
> > but suffice it to say that SSL incorporates a challenge/response
> > mechanism (using the server's presented certificate) followed by
> > negotiation of an ephemeral session key. See also: public-key
> > cryptography.
> >
> >> $DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
> >> $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> >>
> >> 2nd question: Why is the server not authenticated?
> >
> > Without looking at the code, I presume the 'anon' AuthMode is the
> > switch used to tell the SSL library whether or not to check the server
> > certificate against the CA. If so, it should make specifying the CA
> > public key redundant - the client just accepts whatever certificate
> > the server (or MITM) presents and starts encrypting to it.
>
> Thank you. I changed my config and logging is happening on the server
> end. However, I get such lines in the logs on the server end when I
> restart the client system:
>
> invalid or yet-unknown config file command - have you forgotten to
> load a module?
> the last error occured in /etc/rsyslog.conf, line 42
> invalid or yet-unknown config file command - have you forgotten to
> load a module?
> the last error occured in /etc/rsyslog.conf, line 45
> invalid or yet-unknown config file command - have you forgotten to
> load a module?
> the last error occured in /etc/rsyslog.conf, line 46
> invalid or yet-unknown config file command - have you forgotten to
> load a module?
> the last error occured in /etc/rsyslog.conf, line 47
> invalid or yet-unknown config file command - have you forgotten to
> load a module?
> the last error occured in /etc/rsyslog.conf, line 49
> invalid or yet-unknown config file command - have you forgotten to
> load a module?
> the last error occured in /etc/rsyslog.conf, line 51
>
>
> This happens for each TLS line in my client config (comments removed):
>
> $DefaultNetstreamDriver gtls
> $DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
> $DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
> $DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
> $ActionSendStreamDriverAuthMode x509/name
> $ActionSendStreamDriverMode 1
> *.* @@192.168.4.102:10514
>
>
> /juan
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
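The security point buried in the exchange above is the difference between the `anon` and `x509/name` send-stream auth modes: with `anon` the transfer is encrypted but the client will talk to whoever answers on the port, so the CA file does nothing and an on-path attacker can stand in for the log server. `x509/name` only helps if the client is also told which certificate name to expect via `$ActionSendStreamDriverPermittedPeer` (per rsyslog's TLS documentation); note that the quoted x509/name config has no such line. The following checker is an added example written for this page, not code from the thread's participants or from the rsyslog project. It parses the legacy `$...` directive syntax the thread uses, runs three constructed client configs through it (the `anon` one, the `x509/name`-without-peer one, and a corrected one), and reports the weak spots. All paths, the `central.example.org` peer name and the finding codes are assumptions of this example; the "unknown config file command" errors quoted above are a separate problem (an rsyslog build without these directives, as Rainer's reply suggests) that no config lint can fix.

```python
"""Audit a legacy-syntax rsyslog *client* config for the TLS pitfalls in the thread above.

Added example for this page (not rsyslog project code). Paths, hostnames and
finding codes are assumptions; the sample configs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (code, human-readable explanation)

# Encrypted but unauthenticated: the client accepts any server certificate.
WEAK_ANON = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /path/to/ca.pem
$ActionSendStreamDriverAuthMode anon   # server is NOT authenticated
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""

# Switched to x509/name, but with no PermittedPeer there is no name to match
# the server's certificate against (the shape of the config quoted above).
NO_PEER = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog-tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-tls/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-tls/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""

# Corrected: mutual x509 auth with the server's certificate name pinned
# (central.example.org is an assumed name for the log server).
FIXED = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog-tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-tls/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-tls/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer central.example.org
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""


def parse_legacy(conf: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a legacy rsyslog.conf into '$directive' settings and rule lines.

    '#' comments and blank lines are dropped; directive names are compared
    case-insensitively, as rsyslog does. A later directive overrides an earlier one.
    """
    settings: Dict[str, str] = {}
    rules: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        else:
            rules.append(line)
    return settings, rules


def audit_client(conf: str) -> List[Finding]:
    """Return findings for simple forwarding rules of the form 'selector @@host:port'."""
    s, rules = parse_legacy(conf)
    driver = s.get("$defaultnetstreamdriver", "ptcp").lower()  # rsyslog's default driver is plain TCP
    mode = s.get("$actionsendstreamdrivermode", "0")           # 0 = plain, 1 = TLS only
    auth: Optional[str] = s.get("$actionsendstreamdriverauthmode")
    auth = auth.lower() if auth is not None else None
    ca, cert, key, peer = (s.get(k) for k in (
        "$defaultnetstreamdrivercafile", "$defaultnetstreamdrivercertfile",
        "$defaultnetstreamdriverkeyfile", "$actionsendstreamdriverpermittedpeer"))
    findings: List[Finding] = []

    for rule in rules:
        m = re.match(r"^\S+\s+(@@?)", rule)
        if not m:
            continue  # not a simple '@' / '@@' forwarding rule; out of scope here
        if m.group(1) == "@":
            findings.append(("UDP_FORWARD", f"{rule!r}: UDP forwarding cannot be protected by TLS"))
        elif driver != "gtls" or mode != "1":
            findings.append(("PLAINTEXT_TCP", f"{rule!r}: sent over plain TCP (driver={driver}, mode={mode})"))

    if driver == "gtls" and mode == "1":
        if auth is None:
            findings.append(("AUTH_MODE_UNSET", "no $ActionSendStreamDriverAuthMode given"))
        elif auth == "anon":
            findings.append(("ANON_AUTH", "anon: encrypted, but the server is not authenticated (MITM possible)"))
            if ca:
                findings.append(("CA_UNUSED", "a CA file is set, but anon mode performs no certificate check"))
        elif auth.startswith("x509/"):
            if not peer:
                findings.append(("NO_PERMITTED_PEER", f"{auth}: no $ActionSendStreamDriverPermittedPeer to match the server cert against"))
            if not (cert and key):
                findings.append(("NO_CLIENT_CERT", f"{auth}: client cert/key missing, so the server cannot authenticate this client"))
            if auth != "x509/fingerprint" and not ca:
                findings.append(("NO_CA", f"{auth}: no CA file to validate the server certificate chain"))
    return findings


def codes(conf: str) -> List[str]:
    """Just the finding codes, in order (handy for scripting and tests)."""
    return [code for code, _ in audit_client(conf)]


if __name__ == "__main__":
    for name, conf in (("WEAK_ANON", WEAK_ANON), ("NO_PEER", NO_PEER), ("FIXED", FIXED)):
        print(name, codes(conf) or "OK")
```

Run it as-is to see the three verdicts, or point `audit_client()` at the contents of a real `/etc/rsyslog.conf`. The server side needs the matching `$InputTCPServerStreamDriverAuthMode x509/name` and `$InputTCPServerStreamDriverPermittedPeer` directives, which this client-only checker deliberately does not model.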