
dj.turkmaster at gmail
Jan 21, 2012, 12:55 AM
Re: How to accept tls messages from all peers
Okay, I have made some progress, but I still need some help. I have created the SSL certificates and my rsyslog.conf is like this:

*Client rsyslog.conf:*

$DefaultNetstreamDriver gtls # make gtls driver the default
$DefaultNetstreamDriverCAFile /root/ssl/ca.pem
$DefaultNetstreamDriverCertFile /root/ssl/cert.pem
$DefaultNetstreamDriverKeyFile /root/ssl/key.pem
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
:rawmsg, contains , "dansguardian" @@server.myhostname.com:7890;Alpformat

And to the client's /etc/hosts file I have added the server's IP address and hostname entry:

192.168.2.207 server.myhostname.com

(this is something I can do, but I cannot add the client's IP to the server's hosts file)

*Server rsyslog.conf*

$ModLoad imtcp # load the TCP listener module (needed for $InputTCPServerRun)
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /root/ssl/ca.pem
$DefaultNetstreamDriverCertFile /root/ssl/cert.pem
$DefaultNetstreamDriverKeyFile /root/ssl/key.pem
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 7890
$template FileFormat,"%rawmsg%\n"
$template webfile,"/var/log/webfilter-%fromhost-ip%.log"
:rawmsg, contains , "dansguardian" -?webfile;FileFormat

And I get an error message in the client's rsyslog debug log:

5402.926211647:b4da8b90: --------<NSDSEL_PTCP> calling select, active fds (max 6): 5 6
5406.181947207:b4da8b90: hasRcvInBuffer on nsd 0x942eb50: pszRcvBuf (nil), lenRcvBuf 0
5406.181989083:b4da8b90: hasRcvInBuffer on nsd 0x9430330: pszRcvBuf (nil), lenRcvBuf 0
5406.182000181:b4da8b90: tcpsrv: ready to process 1 event entries
5406.182009712:b4da8b90: tcpsrv: processing item 1, pUsr 0x942d398, bAbortConn
5406.182018873:b4da8b90: New connect on NSD 0x942dc10.
5406.182056336:b4da8b90: dnscache: entry (nil) found
*5406.246851507:b4da8b90: Host name for your address (192.168.0.156) unknown
5406.246911619:b4da8b90: tcpsrv: error -2020 during accept*
5406.246936472:b4da8b90: hasRcvInBuffer on nsd 0x942eb50: pszRcvBuf (nil), lenRcvBuf 0
5406.246947385:b4da8b90: hasRcvInBuffer on nsd 0x9430330: pszRcvBuf (nil), lenRcvBuf 0

And also in the server debug log:

5444.008547267:b6120b90: GTLS CA file: '/root/ssl/ca.pem'
5444.009915890:b6120b90: source file nsdsel_gtls.c requested reference for module 'lmnsd_ptcp', reference count now 2
5444.009927732:b6120b90: module lmnsd_gtls of type 2 being loaded.
5444.009933381:b6120b90: entry point 'isCompatibleWithFeature' not present in module
5444.009938112:b6120b90: entry point 'getModCnfName' not present in module
5444.009942681:b6120b90: entry point 'beginCnfLoad' not present in module
5444.009948825:b6120b90: source file netstrms.c requested reference for module 'lmnsd_gtls', reference count now 1
*5444.079660215:b6120b90: unexpected GnuTLS error -9 in nsd_gtls.c:1624: A TLS packet with unexpected length was received.*
5444.079774753:b6120b90: file netstrms.c released module 'lmnsd_gtls', reference count now 0
5444.079781678:b6120b90: module 'lmnsd_gtls' has zero reference count, unloading...
5444.079786859:b6120b90: Unloading module lmnsd_gtls

But when I add the client's hostname and IP to the server's hosts file (which normally I cannot, but for testing purposes I can):

192.168.0.156 machine.example.net

I get no errors and messages are delivered successfully. As I said, normally I will not be able to know the clients' DNS names; they may not even have a DNS record. It is strange that rsyslog looks for a hostname in a TLS connection. Why would that be needed? Are there any solutions or workarounds? Am I missing something?

2012/1/20 alptugay değirmencioğlu <dj.turkmaster [at] gmail>

> Hello all,
> I have one server and multiple clients sending messages to the server
> using tls. I don't know the clients' hostnames and they are not on my
> network, they are across the internet. So I want my rsyslog server to
> accept all incoming tls messages. What should I enter to the server's
> InputTCPServerStreamDriverPermittedPeer
> parameter?
>
> And also do I have to create a private key and certificate for each
> client. I am asking this because in this link it says I have to
> http://rsyslog.com/doc/tls_cert_machine.html
>
> But in this link
> http://rsyslog.com/doc/rsyslog_tls.html
> it says that:
> The client setup is equally simple. You need less certificates, just the
> CA cert.
>
> So it means that I just need to copy ca.cert to each client but not create
> any certificate for them, which I think is the right approach. But the
> first link confuses me.
>
> If the first link is true and I need to create a certificate and private
> key for each client what do I have to enter
> Common name:
>
> Enter the dnsName of the subject of the certificate:
>
> To these questions. As I said I don't and can't know their hostnames.
>
>
> Thanks for reading

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
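As an added example (not code from the post or from the rsyslog project), here is a small Python client that exercises the listener side of the configuration above from a machine that has no DNS record: it speaks TLS from the first byte (driver mode 1), validates the server certificate against ca.pem only, presents no client certificate (auth mode anon), and frames one message with the octet-counted framing rsyslog uses on TCP/TLS. The server name, port and CA path are assumed from the poster's config; the host name "testclient" and the message text are constructed sample values.

```python
"""TLS syslog test client for the setup in the thread (added example, not from
the post or the rsyslog project).  Sends one octet-counted message (RFC 5425
framing) to a gtls listener in TLS-only mode with auth mode "anon": no client
certificate is presented, the server is validated against the CA only.  Server
name, port and CA path are assumed from the poster's config; "testclient" and
the message text are constructed sample values."""
import socket
import ssl

SERVER = "server.myhostname.com"   # assumption: taken from the client config
PORT = 7890
CA_FILE = "/root/ssl/ca.pem"


def build_syslog_msg(pri, timestamp, host, app, text):
    """BSD-style (RFC 3164) syslog line; pri = facility * 8 + severity."""
    return f"<{pri}>{timestamp} {host} {app}: {text}".encode()


def frame_octet_counted(msg):
    """RFC 5425 framing used by rsyslog over TLS: 'MSG-LEN SP SYSLOG-MSG'."""
    return str(len(msg)).encode() + b" " + msg


def parse_octet_counted(data):
    """Inverse of frame_octet_counted: (msg, rest) or None if incomplete."""
    space = data.find(b" ")
    if space <= 0 or not data[:space].isdigit():
        return None
    length, start = int(data[:space]), space + 1
    if len(data) < start + length:
        return None
    return data[start:start + length], data[start + length:]


def send_over_tls(frame, server=SERVER, port=PORT, ca_file=CA_FILE):
    """TLS from the first byte (driver mode 1); server cert checked against the
    CA and against 'server' (so the server cert must carry that name); no client
    cert is loaded (auth mode anon).  Returns the number of bytes sent."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    with socket.create_connection((server, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame)
            return len(frame)


if __name__ == "__main__":
    msg = build_syslog_msg(134, "Jan 21 00:55:00", "testclient",
                           "dansguardian", "tls test message")
    print("sent", send_over_tls(frame_octet_counted(msg)), "bytes")
```

Because the server cert is verified by name, the name in SERVER must match the certificate the listener presents; a failure there is a client-side verification error and is separate from the reverse-lookup error seen in the debug logs.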