tls.authmode is ignored without own certificate and private key #263

Open
MouettE-SC opened this issue Mar 24, 2024 · 0 comments

MouettE-SC commented Mar 24, 2024

I'm trying to set up rsyslog with RELP over TLS using the openssl library. The server is configured with its own certificate signed by a CA with the following snippet:

```
module(load="imrelp" tls.tlslib="openssl")
input(type="imrelp" address="10.0.5.15" port="10514" ruleset="relp-noauth" tls="on"
      tls.cacert="/data/certs/pki/ca.crt"
      tls.mycert="/data/certs/pki/syslog.crt"
      tls.myprivkey="/data/certs/pki/syslog.key")
```

The clients do not have their own certificates, but they are supposed to validate the one presented by the server (name + CA) using this configuration snippet:

```
module(load="omrelp" tls.tlslib="openssl")
action(type="omrelp" target="10.0.5.15" port="10514"
       tls="on" tls.authmode="name" tls.permittedpeer="syslog"
       tls.cacert="/data/certs/pki/ca.crt"
      )
```

My issue in this particular case is that the authmode on the client side is completely ignored (changing the permittedpeer param has no effect). When run in debug mode, we can see the following message on the client:

```
relpTcpChkPeerAuth: anon mode - success
```

After some digging into the code of tcp.c, I found that authmode gets overwritten with "none" in both client and server modes when no own certificate is configured; first for the server:

librelp/src/tcp.c, lines 1776 to 1779 in 27d9a8c:

```c
if(!isAnonAuth(pThis->pSrv->pTcp)) {
	CHKRet(relpTcpSslInitCerts(pThis, pThis->pSrv->ownCertFile, pThis->pSrv->privKey));
} else
	pThis->authmode = eRelpAuthMode_None;
```

same in client mode:

librelp/src/tcp.c, lines 1890 to 1894 in 27d9a8c:

```c
if(!isAnonAuth(pThis)) {
	pThis->pEngine->dbgprint((char*)"relpTcpConnectTLSInit: Init Client Certs \n");
	CHKRet(relpTcpSslInitCerts(pThis, pThis->ownCertFile, pThis->privKeyFile));
} else
	pThis->authmode = eRelpAuthMode_None;
```

My understanding is that authmode defines how I will authenticate the remote peer using information from the certificate presented by it. The fact that I don't myself have a certificate is not relevant, I only need a CA certificate and/or a permitted peer list to do this authentication (depending on the authmode value).

I can create a PR removing the else clause in both snippets above if you agree; otherwise I would be curious to know the rationale of this choice. Note that when using omfwd with TLS in rsyslog, remote peer certificate authentication is done even if the local peer does not have a certificate, using this snippet:

```
global(
    DefaultNetstreamDriverCAFile="/data/certs/pki/ca.crt"
)
action(type="omfwd" target="10.0.5.15" port="6514" protocol="tcp"
       streamdriver="ossl" streamdrivermode="1"
       streamdriverauthmode="x509/name"
       streamdriverpermittedpeers="syslog")
```

MouettE-SC changed the title from "tls.authmode is ignored without without own certificate and private key" to "tls.authmode is ignored without own certificate and private key" on Mar 24, 2024
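A constructed model of the authmode handling the issue describes, added here as an example and not librelp's code: `effective_authmode` reproduces the init path with and without the reported else branch, and `peer_accepted` shows the consequence for the client config above (authmode name, permitted peer "syslog", no own certificate). The type and function names are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the authmode handling described in the issue; not librelp code. */
typedef enum { AUTH_NONE, AUTH_NAME } authmode_t;

typedef struct {
    authmode_t  authmode;        /* tls.authmode from the config */
    const char *permitted_peer;  /* tls.permittedpeer (one entry, for brevity) */
    const char *own_cert_file;   /* tls.mycert, or NULL when none is configured */
} tls_cfg_t;

/* Stand-in for isAnonAuth(): true when no own certificate is configured. */
static bool is_anon_auth(const tls_cfg_t *c) { return c->own_cert_file == NULL; }

/* Authmode left in effect after init.
 * keep_configured=false reproduces the reported behaviour (else branch present):
 * no own cert forces eRelpAuthMode_None. keep_configured=true models the proposed
 * change (else branch removed): the configured authmode survives. */
authmode_t effective_authmode(const tls_cfg_t *c, bool keep_configured) {
    if (!is_anon_auth(c) || keep_configured)
        return c->authmode;
    return AUTH_NONE;
}

/* Peer check run after the handshake: does the peer certificate's name pass? */
bool peer_accepted(const tls_cfg_t *c, bool keep_configured, const char *peer_cn) {
    switch (effective_authmode(c, keep_configured)) {
    case AUTH_NONE: return true;   /* the "anon mode - success" path from the debug log */
    case AUTH_NAME: return peer_cn != NULL && strcmp(peer_cn, c->permitted_peer) == 0;
    }
    return false;
}

int main(void) {
    /* Client config from the issue: authmode=name, permittedpeer=syslog, no own cert. */
    const tls_cfg_t client = { AUTH_NAME, "syslog", NULL };
    const char *cn = "some-other-host";   /* constructed: a cert whose CN is not "syslog" */
    printf("reported behaviour: peer '%s' accepted = %d\n", cn, peer_accepted(&client, false, cn));
    printf("else branch removed: peer '%s' accepted = %d\n", cn, peer_accepted(&client, true, cn));
    printf("else branch removed: peer 'syslog' accepted = %d\n", peer_accepted(&client, true, "syslog"));
    return 0;
}
```

With the else branch present, a client configured exactly as in the issue accepts any certificate chained to the CA regardless of its name, which is what the debug line shows.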