Mailing List Archive

Use only DefaultNetstreamDriverCAFile for TLS log submission
Hi everybody, I am configuring clients to talk to the rsyslog server via
TCP and TLS.
Everything works if I create a certificate for each client and configure
these options:

# certificate files
$DefaultNetstreamDriverCAFile /cert/cacert.pem
$DefaultNetstreamDriverCertFile /cert/a_client.crt
$DefaultNetstreamDriverKeyFile /cert/a_client.key

# set up the action
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon

Searching on the internet I found a few sites that say that it is enough to
use only the CA certificate (e.g.
https://fatmin.com/2014/07/17/rhel6-configuring-encrypted-remote-logging-via-rsyslog/
):

# -- TLS Syslog Client:
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem

But if I try to use only the CA certificate, the client does not communicate
with the server.

Am I doing something wrong? Or is it not possible to use only the CA
certificate anymore?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Use only DefaultNetstreamDriverCAFile for TLS log submission
Thank you for setting it up correctly the first time.  Generating a
certificate for each client is the correct thing to do from a security
perspective!

Shortcuts like that are fine until you put on the security hat.  Then
you have to realize and enforce the fact that you don't shortcut proper
security for convenience.

I know that doesn't answer your question, but you already have the
proper solution.

Regards,


On 6/14/19 9:50 AM, egobrc--- via rsyslog wrote:
Re: Use only DefaultNetstreamDriverCAFile for TLS log submission
Up until recently, rsyslog also enforced a secure setup.
Unfortunately, people seemed to care less about it. We got so many
requests that we now have a decent certless mode (DH, proper
encryption, but MITM possible). Maybe those web sites describe that
mode. Whether you can use it boils down to the rsyslog version. I think
8.1903.0 is the minimum version that supports it.

Other than that I am with John - better do it right. Please also consider
the risk that you may create personal liability due to malpractice.
Lawyers can argue it is malpractice not to follow security best
practices in the now very unfriendly world. Of course, it all depends
on your full setup.

An interim solution is to distribute the *same* cert to all clients.
So you at least know it's not from the outside.

Rainer

On Fri., 14 Jun. 2019 at 18:32, John Chivian via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
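The two setups this thread contrasts, written out as an added example (not configuration from the original posts or from the rsyslog project): the encrypted-but-unauthenticated mode Rainer describes, and the per-client certificate setup John and Rainer recommend, in current RainerScript syntax for both the sending client and the receiving server. The certificate paths follow the original post; the server name logs.example.com, the client name pattern *.example.com and port 6514 are assumed.

```conf
# --- Weak: TLS encryption without authentication. The client accepts any
# server certificate (or, in the certless mode, none at all), so an on-path
# attacker can terminate the session and read or alter every log line.
# Shown commented out; do not deploy this form.
#
# global(DefaultNetstreamDriver="gtls"
#        DefaultNetstreamDriverCAFile="/cert/cacert.pem")
# action(type="omfwd" protocol="tcp"
#        target="logs.example.com" port="6514"      # assumed name and port
#        StreamDriver="gtls" StreamDriverMode="1"
#        StreamDriverAuthMode="anon")

# --- Client side: mutual authentication with a per-client certificate.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/cert/cacert.pem"      # CA that signed both ends
    DefaultNetstreamDriverCertFile="/cert/a_client.crt"  # this client's own certificate
    DefaultNetstreamDriverKeyFile="/cert/a_client.key"   # readable only by the rsyslog user
)

action(
    type="omfwd" protocol="tcp"
    target="logs.example.com" port="6514"          # assumed server name and port
    StreamDriver="gtls" StreamDriverMode="1"       # mode 1 = TLS only, no plaintext fallback
    StreamDriverAuthMode="x509/name"               # server cert must chain to the CA ...
    StreamDriverPermittedPeers="logs.example.com"  # ... and carry the expected name
)

# --- Server side: demand a CA-signed client certificate on every connection.
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"              # anonymous or self-signed clients are rejected
    PermittedPeer=["*.example.com"]                # assumed naming scheme for log sources
)
input(type="imtcp" port="6514")
```

Note that the poster's working configuration ships a client certificate but leaves the action in AuthMode "anon", so the certificate is never actually checked against the server and the server's identity is never checked by the client; switching both ends to "x509/name" (or "x509/fingerprint" where hostnames are not stable) is what turns the certificates into authentication. Rainer's interim option of one shared certificate on every client works with the same server configuration, but then the server can only tell "inside" from "outside", not which host sent a line, and a key stolen from any one client speaks for all of them; per-client certificates, as in the original post, also let you revoke a single compromised host by removing its name from PermittedPeer.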