[rsyslog] TLS certificates

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Dec 2 17:52:25 CET 2008


Jup, that's the problem.

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Juan Miscaro
> Sent: Tuesday, December 02, 2008 5:40 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] TLS certificates
> 
> My boxes are running 3.18.1
> 
> /juan
> 
> 2008/12/2 Rainer Gerhards <rgerhards at hq.adiscon.com>:
> > Too old version?
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Juan Miscaro
> >> Sent: Tuesday, December 02, 2008 5:31 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] TLS certificates
> >>
> >> 2008/12/2 RB <aoz.syn at gmail.com>:
> >> > On Tue, Dec 2, 2008 at 06:55, Juan Miscaro <jmiscaro at gmail.com> wrote:
> >> >> "neither the client nor the server are authenticated. So while the
> >> >> message transfer is encrypted, you can not be sure which peer you are
> >> >> talking to"
> >> >
> >> > I'm hoping Rainer will jump in and clarify precisely how much
> >> > handshake validation he's implemented.  The fact that the client must
> >> > have a copy of the CA's public material seems to indicate he is at
> >> > least verifying that the server's certificate was issued by the CA.
> >> > It's possible to not do so, but the result is rather susceptible to
> >> > MITM.
> >> >
> >> >> Also, how can client encrypt without having any keys specified in
> >> >> its config?
> >> >
> >> > This isn't the forum to discuss the particulars of the SSL handshake,
> >> > but suffice it to say that SSL incorporates a challenge/response
> >> > mechanism (using the server's presented certificate) followed by
> >> > negotiation of an ephemeral session key.  See also: public-key
> >> > cryptography.
> >> >
> >> >> $DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
> >> >> $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> >> >>
> >> >> 2nd question: Why is the server not authenticated?
> >> >
> >> > Without looking at the code, I presume the 'anon' AuthMode is the
> >> > switch used to tell the SSL library whether or not to check the server
> >> > certificate against the CA.  If so, it should make specifying the CA
> >> > public key redundant - the client just accepts whatever certificate
> >> > the server (or MITM) presents and starts encrypting to it.
> >>
> >> Thank you.  I changed my config and logging is happening on the server
> >> end.  However, I get such lines in the logs on the server end when I
> >> restart the client system:
> >>
> >> invalid or yet-unknown config file command - have you forgotten to
> >> load a module?
> >> the last error occured in /etc/rsyslog.conf, line 42
> >> invalid or yet-unknown config file command - have you forgotten to
> >> load a module?
> >> the last error occured in /etc/rsyslog.conf, line 45
> >> invalid or yet-unknown config file command - have you forgotten to
> >> load a module?
> >> the last error occured in /etc/rsyslog.conf, line 46
> >> invalid or yet-unknown config file command - have you forgotten to
> >> load a module?
> >> the last error occured in /etc/rsyslog.conf, line 47
> >> invalid or yet-unknown config file command - have you forgotten to
> >> load a module?
> >> the last error occured in /etc/rsyslog.conf, line 49
> >> invalid or yet-unknown config file command - have you forgotten to
> >> load a module?
> >> the last error occured in /etc/rsyslog.conf, line 51
> >>
> >>
> >> This happens for each TLS line in my client config (comments removed):
> >>
> >> $DefaultNetstreamDriver gtls
> >> $DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
> >> $DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
> >> $DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
> >> $ActionSendStreamDriverAuthMode x509/name
> >> $ActionSendStreamDriverMode 1
> >> *.* @@192.168.4.102:10514
> >>
> >>
> >> /juan
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
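As an added example (not from the thread or from the rsyslog project), a small Python lint that parses rsyslog's legacy $-directives and flags the 'anon' AuthMode RB and Juan discuss above: the transport is encrypted, but the server certificate is never verified. The two sample configs are constructed from the ones quoted in the thread; the lint checks only the settings themselves and cannot tell whether the installed rsyslog understands the directives (the thread shows 3.18.1 does not).

```python
import re

# Constructed samples. WEAK_CONF is the 'anon' setup quoted in the thread:
# the transport is encrypted but the server's identity is never checked.
WEAK_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""
# Juan's later config: the server certificate is verified against the CA.
X509_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /home/client/Data/tls/ca/ca.pem
$DefaultNetstreamDriverCertFile /home/client/Data/tls/client/client-cert.pem
$DefaultNetstreamDriverKeyFile /home/client/Data/tls/client/client-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverMode 1
*.* @@192.168.4.102:10514
"""

# Matches "$Name value" with an optional trailing "# comment".
DIRECTIVE = re.compile(r"^\$(\w+)\s+(.*?)\s*(?:#.*)?$")


def parse_directives(conf: str) -> dict[str, str]:
    """Map directive name -> value; a later occurrence overrides an earlier one."""
    values: dict[str, str] = {}
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def lint_tls_client(conf: str) -> list[str]:
    """Return findings for a client config meant to forward over TLS; [] = none."""
    v = parse_directives(conf)
    findings: list[str] = []
    if v.get("DefaultNetstreamDriver") != "gtls":
        findings.append("$DefaultNetstreamDriver is not gtls: TLS driver not selected")
    mode = v.get("ActionSendStreamDriverAuthMode", "")
    if not mode.startswith("x509"):
        findings.append(f"AuthMode {mode!r} does not verify the server certificate: "
                        "encrypted but not authenticated (MITM exposure)")
    elif "DefaultNetstreamDriverCAFile" not in v:
        findings.append("x509 AuthMode without $DefaultNetstreamDriverCAFile: no trust anchor")
    if v.get("ActionSendStreamDriverMode") != "1":
        findings.append("$ActionSendStreamDriverMode is not 1: TLS is not enforced for the action")
    return findings
```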
