  2. RHEL-86031

rsyslog-gnutls is not sending the complete CA chain and fails to complete the connection, while rsyslog-ossl succeeds with the same configuration.


    • rhel-security-special-projects
    • ssg_security

      What were you trying to do that didn't work?

      Send encrypted syslog events using the gtls driver.
      rsyslog-gnutls is not sending the complete CA chain and fails to complete the connection; this is in contrast to just switching to the rsyslog-ossl driver with the same configuration.

      • All host certificates are signed by the intermediate certificate.
      • The remote side has the root CA and the verify-chain option with TLSv1.2.

      What is the impact of this issue to you?

      Cannot deliver events using syslog over TLS with the gnutls driver.

      Please provide the package NVR for which the bug is seen:

      rsyslog-8.2310.0-4.el9.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Syslog client:
      # cat /etc/rsyslog.d/10-remotetls.conf
      global(
              debug.gnutls="10"
              defaultnetstreamdrivercafile    = "/etc/pki/tls/syslog/chainca.pem"
              defaultnetstreamdrivercertfile  = "/etc/pki/tls/syslog/r95cert.pem"
              defaultnetstreamdriverkeyfile   = "/etc/pki/tls/syslog/r95cert.key"
              )
      ruleset( name="to_remote_tls" )
      {
          action( type="omfwd"
              target  = "r94"
              port    = "6514"
              protocol= "tcp"
              # and queue to disk if needs be
              queue.spoolDirectory="/var/lib/rsyslog"
              queue.filename="tls_fwd"
              queue.type="LinkedList"
              queue.saveonshutdown="on"
              queue.maxdiskspace="1g"
              action.resumeretrycount="-1"
              action.reportsuspension="on"
              streamdriver="gtls"
              streamdrivermode="1"
              streamdriverauthmode="x509/name"
              streamdriverpermittedpeers="r94"
              )
      }
      call to_remote_tls

      2. Server:
      # cat /etc/rsyslog.d/15-reception.conf
      module( load="imptcp" )
      input(  type="imptcp"
              port="514"
              ruleset="remote_store"
      )
      ruleset( name="remote_store" )
      {
              action( type="omfile" file="/var/log/r95.log" )
      }

      3. stunnel application on the server side to enforce verification of the peer certificate chain if one is present:
      # cat /etc/stunnel/stunnel.conf
      cert = /etc/pki/tls/syslog/r94cert.pem
      key = /etc/pki/tls/syslog/r94cert.key
      CAfile = /etc/pki/tls/syslog/rootca.pem
      verify = 1
      sslVersion = TLSv1.2
      [syslog]
      accept = 6514
      connect = 514

      Expected results

      The message gets delivered, the same as when just changing 'streamdriver="gtls"' to 'streamdriver="ossl"' and restarting the client.

      Actual results

      Generic TLS error message:

      Apr  3 17:01:32 r95 rsyslogd[1189]: unexpected GnuTLS error -12 in nsd_gtls.c:2306: A TLS fatal alert has been received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2078 ]

      In debug mode we have additional information:

      0432.351314817:action-0-builtin:omfwd queue:Reg/w0: nsd_gtls.c: GnuTLS log msg, level 5: REC[0x7f6934037bb0]: Alert[2|48] - CA is unknown - was received
      [..]
      0432.351330146:action-0-builtin:omfwd queue:Reg/w0: errmsg.c: Called LogMsg, msg: unexpected GnuTLS error -12 in nsd_gtls.c:2306: A TLS fatal alert has been received.
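The trust situation in the reproducer, reduced to plain openssl so it can be checked without rsyslog or stunnel. This is an added example, not code from this report or from the rsyslog project: it builds a constructed root CA, intermediate CA and leaf certificate for the client host (subjects, file names and the temporary directory are assumptions) and then verifies the leaf the three ways that matter here. The server in the report trusts only rootca.pem (stunnel CAfile) while every host certificate is signed by the intermediate, so the leaf can only verify when the intermediate arrives from the peer or is already in the server's CA file.

```shell
#!/bin/sh
# Added example (not from the bug report or rsyslog). Builds a constructed
# root -> intermediate -> leaf PKI with openssl and checks how the leaf
# verifies depending on where the intermediate comes from.
set -e

WORK=$(mktemp -d)   # assumption: openssl (1.1.1 or newer) is on PATH

# Extension files: CA certificates vs. an end-entity (client) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# Root CA, self-signed: the only thing the server trusts (CAfile = rootca.pem).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout "$WORK/rootca.key" -out "$WORK/rootca.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/rootca.csr" -signkey "$WORK/rootca.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/rootca.pem" 2>/dev/null

# Intermediate CA, signed by the root; it signs all host certificates.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/intca.key" -out "$WORK/intca.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/intca.csr" -CA "$WORK/rootca.pem" \
  -CAkey "$WORK/rootca.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/intca.pem" 2>/dev/null

# Leaf certificate for the syslog client host, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=r95" \
  -keyout "$WORK/r95cert.key" -out "$WORK/r95cert.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/r95cert.csr" -CA "$WORK/intca.pem" \
  -CAkey "$WORK/intca.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
  -out "$WORK/r95cert.pem" 2>/dev/null

# What the server would trust if the intermediate were appended to its CAfile.
cat "$WORK/rootca.pem" "$WORK/intca.pem" > "$WORK/rootplusint.pem"

# Each check prints "ok" when the leaf verifies and "fail" otherwise.

# Server trusts only the root and the peer presents just its leaf:
# the failing gtls case, which the server answers with alert 48 (CA unknown).
verify_root_only() {
  if openssl verify -CAfile "$WORK/rootca.pem" "$WORK/r95cert.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Server trusts only the root but the peer also presents the intermediate
# as an untrusted chain member: the working ossl case.
verify_root_with_peer_intermediate() {
  if openssl verify -CAfile "$WORK/rootca.pem" -untrusted "$WORK/intca.pem" \
       "$WORK/r95cert.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Server-side check: with the intermediate in the server's own CA file, a
# peer that omits it from the handshake still verifies.
verify_chain_cafile() {
  if openssl verify -CAfile "$WORK/rootplusint.pem" "$WORK/r95cert.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "root only, leaf alone from peer:     $(verify_root_only)"
echo "root only, leaf+intermediate peer:   $(verify_root_with_peer_intermediate)"
echo "root+intermediate in server CAfile:  $(verify_chain_cafile)"
```

The first check reproduces what the stunnel side sees when the gtls client sends only its leaf against CAfile = rootca.pem with verify = 1; the second is what the ossl driver achieves by sending the intermediate along with the leaf. The third shows the receiving-side option of carrying the intermediate in the server's CA file, which keeps delivery verifiable from clients that do not present their full chain.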

       

       

              rh-ee-alakatos Attila Lakatos
              rhn-support-jgamba Juan Gamba