[rsyslog] TLS certificates
Juan Miscaro
jmiscaro at gmail.com
Tue Dec 2 17:39:49 CET 2008
My boxes are running 3.18.1
/juan
2008/12/2 Rainer Gerhards <rgerhards at hq.adiscon.com>:
> Too old version?
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Juan Miscaro
>> Sent: Tuesday, December 02, 2008 5:31 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] TLS certificates
>>
>> 2008/12/2 RB <aoz.syn at gmail.com>:
>> > On Tue, Dec 2, 2008 at 06:55, Juan Miscaro <jmiscaro at gmail.com> wrote:
>> >> "neither the client nor the server are authenticated. So while the
>> >> message transfer is encrypted, you can not be sure which peer you are
>> >> talking to"
>> >
>> > I'm hoping Rainer will jump in and clarify precisely how much
>> > handshake validation he's implemented. The fact that the client must
>> > have a copy of the CA's public material seems to indicate he is at
>> > least verifying that the server's certificate was issued by the CA.
>> > It's possible to not do so, but the result is rather susceptible to
>> > MITM.
>> >
>> >> Also, how can the client encrypt without having any keys specified in its config?
>> >
>> > This isn't the forum to discuss the particulars of the SSL handshake,
>> > but suffice it to say that SSL incorporates a challenge/response
>> > mechanism (using the server's presented certificate) followed by
>> > negotiation of an ephemeral session key. See also: public-key
>> > cryptography.
>> >
>> >> $DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
>> >> $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
>> >>
>> >> 2nd question: Why is the server not authenticated?
>> >
>> > Without looking at the code, I presume the 'anon' AuthMode is the
>> > switch used to tell the SSL library whether or not to check the server
>> > certificate against the CA. If so, it should make specifying the CA
>> > public key redundant - the client just accepts whatever certificate
>> > the server (or MITM) presents and starts encrypting to it.
>>
>> Thank you. I changed my config and logging is happening on the server
>> end. However, I get such lines in the logs on the server end when I
>> restart the client system:
>>
>> invalid or yet-unknown config file command - have you forgotten to load a module?
>> the last error occured in /etc/rsyslog.conf, line 42
>> invalid or yet-unknown config file command - have you forgotten to load a module?
>> the last error occured in /etc/rsyslog.conf, line 45
>> invalid or yet-unknown config file command - have you forgotten to load a module?
>> the last error occured in /etc/rsyslog.conf, line 46
>> invalid or yet-unknown config file command - have you forgotten to load a module?
>> the last error occured in /etc/rsyslog.conf, line 47
>> invalid or yet-unknown config file command - have you forgotten to load a module?
>> the last error occured in /etc/rsyslog.conf, line 49
>> invalid or yet-unknown config file command - have you forgotten to load a module?
>> the last error occured in /etc/rsyslog.conf, line 51
>>
>>
>> This happens for each TLS line in my client config (comments removed):
>>
>> $DefaultNetstreamDriver gtls
>> $DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
>> $DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
>> $DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
>> $ActionSendStreamDriverAuthMode x509/name
>> $ActionSendStreamDriverMode 1
>> *.* @@192.168.4.102:10514
>>
>>
>> /juan
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
>
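The thread turns on two separate problems: an `anon` auth mode that encrypts but never authenticates the server (so the CA file is dead weight), and a 3.18.1 build that rejects every TLS directive as an unknown config command. The following linter is an added example, not rsyslog project code and not from anyone in this thread. It parses a client config in the legacy `$Directive` style and reports both problems, plus a forwarding action that ends up plain TCP because the TLS directives sit below it. It assumes that the gtls directives appeared in the 3.19 branch, that `$ActionSendStreamDriverAuthMode` defaults to `anon` when absent, and that `x509/name` requires `$ActionSendStreamDriverPermittedPeer` (all taken from the rsyslog documentation rather than this thread); the sample configs are constructed from the lines quoted above.

```python
"""Lint a client-side rsyslog config (legacy $-directive style) for the TLS
pitfalls in this thread. Added example, not rsyslog project code."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, int, str]   # (code, config line number, message)

# Assumption (the thread only hints "Too old version?" at 3.18.1): the gtls
# driver and its directives arrived in the 3.19 branch. Check your own build's
# changelog before relying on this number.
MIN_TLS_VERSION = (3, 19, 0)

TLS_DIRECTIVES = {
    "$defaultnetstreamdriver",
    "$defaultnetstreamdrivercafile",
    "$defaultnetstreamdrivercertfile",
    "$defaultnetstreamdriverkeyfile",
    "$actionsendstreamdriverauthmode",
    "$actionsendstreamdrivermode",
    "$actionsendstreamdriverpermittedpeer",  # from the rsyslog TLS docs, not this thread
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.18.1' -> (3, 18, 1), so 3.18.1 < 3.19.0 compares numerically."""
    return tuple(int(part) for part in version.split("."))


def lint_client_config(text: str, rsyslog_version: str) -> List[Finding]:
    findings: List[Finding] = []
    directives = []   # (lower-cased name, original name, value, line no), in file order
    forwards = []     # line numbers of "*.* @@host:port" TCP forwarding actions
    too_old = parse_version(rsyslog_version) < MIN_TLS_VERSION

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments like "# server is NOT authenticated"
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            directives.append((name.lower(), name, value.strip(), lineno))
            if too_old and name.lower() in TLS_DIRECTIVES:
                findings.append(("TOO_OLD", lineno,
                                 f"{name}: rsyslog {rsyslog_version} predates TLS support and logs "
                                 "'invalid or yet-unknown config file command - have you forgotten to load a module?'"))
        elif re.match(r"^\S+\s+@@\S+", line):
            forwards.append(lineno)

    def setting(key: str, before: int) -> Optional[str]:
        """Last value of `key` set above line `before`: legacy $-directives
        only affect the actions that follow them in the file."""
        value = None
        for lowered, _, val, ln in directives:
            if lowered == key and ln < before:
                value = val
        return value

    for fwd in forwards:
        driver = (setting("$defaultnetstreamdriver", fwd) or "").lower()
        mode = setting("$actionsendstreamdrivermode", fwd) or "0"
        # Assumption from the rsyslog docs: AuthMode defaults to anon when unset.
        auth = (setting("$actionsendstreamdriverauthmode", fwd) or "anon").lower()
        ca = setting("$defaultnetstreamdrivercafile", fwd)
        peer = setting("$actionsendstreamdriverpermittedpeer", fwd)

        if driver != "gtls" or mode != "1":
            findings.append(("PLAINTEXT_FORWARD", fwd, "forwarding is plain TCP: put "
                             "'$DefaultNetstreamDriver gtls' and '$ActionSendStreamDriverMode 1' above this line"))
            continue
        if auth == "anon":
            findings.append(("ANON_NO_SERVER_AUTH", fwd, "anon mode encrypts but accepts any "
                             "server certificate, so an on-path host could receive the logs; use x509/name"))
            if ca:
                findings.append(("CA_UNUSED", fwd, "the CA file is never consulted in anon mode"))
        elif auth == "x509/name":
            if not ca:
                findings.append(("X509_NAME_MISSING_CA", fwd,
                                 "x509/name needs $DefaultNetstreamDriverCAFile to validate the server chain"))
            if not peer:
                findings.append(("X509_NAME_MISSING_PEER", fwd,
                                 "x509/name needs $ActionSendStreamDriverPermittedPeer naming the server"))
        # other x509 modes are left alone here
    return findings


# Constructed sample configs built from the lines quoted in the thread.
ANON_CONFIG = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""

X509_CONFIG = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
$DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
$DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""
```

Running `lint_client_config(X509_CONFIG, "3.18.1")` yields one `TOO_OLD` finding per TLS directive, matching the six "invalid or yet-unknown config file command" pairs in the server log, plus a note that `x509/name` still needs a permitted peer name; the same config against a 3.19 version number leaves only the missing-peer finding. The `anon` config passes the version check but is flagged because nothing in it authenticates the server.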