Bug 1679512 - rsyslog's priority string does not work as expected
Summary: rsyslog's priority string does not work as expected
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rsyslog
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jiří Vymazal
QA Contact: BaseOS QE Security Team
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1615994
Reported: 2019-02-21 10:01 UTC by Dalibor Pospíšil
Modified: 2019-08-05 07:23 UTC
CC: 6 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Certain `rsyslog` priority strings do not work correctly

Support for the *GnuTLS* priority string for `imtcp` that allows fine-grained control over encryption is not complete. Consequently, the following priority strings do not work properly in `rsyslog`:

----
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
----

To work around this problem, use only correctly working priority strings:

----
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
----

As a result, current configurations must be limited to the strings that work correctly.
Clone Of:
Environment:
Last Closed:
Type: Bug


Description Dalibor Pospíšil 2019-02-21 10:01:51 UTC
Description of problem:
Not working in rsyslog (working in gnutls-serv):

NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL

Working in both:

NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL

BOTH PRIORITY STRINGS SHOULD WORK IN RSYSLOG!

Connection to rsyslog:

openssl s_client -debug -no_tls1_3 -CAfile ca/cert.pem -connect localhost:6514 \
    -key client/key.pem -cert client/cert.pem

Connection to gnutls-serv:

openssl s_client -debug -no_tls1_3 -CAfile ca/cert.pem -connect localhost:4433 \
    -key client/key.pem -cert client/cert.pem

Gnutls server:

gnutls-serv --x509certfile server/cert.pem --x509keyfile server/key.pem \
    -p 4433 --http --debug 2 \
    --priority NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL \
    2>server.err >server.out &

rsyslog server:

rsyslog -d -n

rsyslog conf:

global(defaultNetstreamDriver="gtls"
        defaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
        defaultNetstreamDriverCertFile="/etc/rsyslog.d/server-cert.pem"
        defaultNetstreamDriverKeyFile="/etc/rsyslog.d/server-key.pem")

module(
  load="imtcp"
  StreamDriver.AuthMode="anon"
  StreamDriver.Mode="1"
  gnutlsPriorityString="<priority-string>"
)
input(type="imtcp" Port="6514")
*.*   action(type="omfile" file="/var/log/priostring.log")

Version-Release number of selected component (if applicable):
rsyslog-8.37.0-9.el8.x86_64

How reproducible:
100%

Additional info:

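The report pairs an rsyslog imtcp configuration with one GnuTLS priority string that fails and one that works. The following is an added example, not code from the report or from rsyslog: a small lint that pulls the `gnutlsPriorityString` value out of rsyslog.conf text, splits the GnuTLS priority string into its initial keyword and `+`/`-`/`!` operations, and flags the exact strings this bug reports as non-working or working, as well as an unreplaced `<priority-string>` placeholder. The two priority strings are copied from the report; the sample configuration text is constructed from the report's snippet, and the regular expression and function names are the example's own assumptions.

```python
"""Lint the gnutlsPriorityString in an rsyslog imtcp module() block.

Added example (not from the bug report or rsyslog). Parses the GnuTLS
priority string at keyword level and matches it against the strings
quoted in bug 1679512; it does not expand group keywords such as
VERS-ALL and does not validate keywords against GnuTLS itself.
"""
import re

# Priority strings quoted verbatim in the report.
REPORTED_BROKEN = (
    "NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM"
    ":+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL"
)
REPORTED_WORKING = (
    "NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC"
    ":+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL"
)

# Assumed pattern for the parameter inside an rsyslog module() block:
# rsyslog parameter names are case-insensitive and values are double-quoted.
PRIO_PARAM = re.compile(r'gnutlsPriorityString\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_priority(prio):
    """Split a GnuTLS priority string into (initial keyword, [(op, keyword), ...]).

    Elements after the first must start with '+', '-' or '!' (the GnuTLS
    operators). Returns None for an unfilled placeholder such as
    <priority-string>, as used in the report's configuration.
    """
    if prio.startswith("<") and prio.endswith(">"):
        return None
    parts = [p for p in prio.split(":") if p]
    if not parts:
        raise ValueError("empty priority string")
    initial, ops = parts[0], []
    for p in parts[1:]:
        if p[0] not in "+-!":
            raise ValueError(f"keyword {p!r} lacks a +/-/! operator")
        ops.append((p[0], p[1:]))
    return initial, ops


def enabled_keywords(prio):
    """Keywords added with '+' and not removed by a later '-' or '!' (keyword level only)."""
    parsed = parse_priority(prio)
    if parsed is None:
        return set()
    enabled = set()
    for op, kw in parsed[1]:
        if op == "+":
            enabled.add(kw)
        else:
            enabled.discard(kw)
    return enabled


def lint_rsyslog_conf(conf_text):
    """Return (priority_string, message) findings for every gnutlsPriorityString found."""
    findings = []
    for prio in PRIO_PARAM.findall(conf_text):
        if parse_priority(prio) is None:
            findings.append((prio, "placeholder not replaced with a real priority string"))
        elif prio == REPORTED_BROKEN:
            findings.append((prio, "priority string reported as not working in rsyslog imtcp"))
        elif prio == REPORTED_WORKING:
            findings.append((prio, "priority string reported as working"))
    return findings


# Constructed sample: the report's configuration with the broken string filled in.
SAMPLE_CONF = f'''global(defaultNetstreamDriver="gtls"
        defaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem")
module(
  load="imtcp"
  StreamDriver.AuthMode="anon"
  StreamDriver.Mode="1"
  gnutlsPriorityString="{REPORTED_BROKEN}"
)
input(type="imtcp" Port="6514")
'''

if __name__ == "__main__":
    for prio, msg in lint_rsyslog_conf(SAMPLE_CONF):
        print(f"{msg}: {prio}")
    print("enabled keywords:", sorted(enabled_keywords(REPORTED_BROKEN)))
```

Run against a real rsyslog.conf by reading the file into `lint_rsyslog_conf`; the lint only recognises the two strings quoted in this report, so any other string passes through with no finding.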
