AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system


encrypted syslog traffic with rsyslog/gnutls

  • 1.  encrypted syslog traffic with rsyslog/gnutls

    Posted Wed July 31, 2019 05:36 AM

    Originally posted by: Tin_Cup


    I have a problem getting rsyslog with gnutls to work.

    See the attached file for more information. (Putting the text in the topic itself results in a SPAM message and loss of the topic.)

     

    What is going wrong?  

     

     



  • 2.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Thu August 01, 2019 10:34 AM

    Originally posted by: AyappanP


    I think more logging is needed here.

    There is a debug.gnutls setting in the rsyslog conf file (in the global() statement) to enable more logging.

    https://www.rsyslog.com/doc/v8-stable/rainerscript/global.html
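An added example of a client-side rsyslog v8 configuration for the kind of setup discussed in this thread (this is not the poster's attached configuration and not code from the rsyslog project; the collector name, port 6514, certificate paths and the queue settings are assumptions). It shows the `debug.gnutls` parameter mentioned above inside `global()`, together with the `gtls` netstream driver settings and the `omfwd` action that actually opens the TLS connection:

```conf
# Client side: forward all messages to the collector over TLS (syslog-over-TLS port 6514).
# Paths and host names are placeholders for this example.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
    debug.gnutls="10"
)

# StreamDriverMode 1 = TLS only (0 would fall back to plain TCP).
# x509/name verifies the chain against the CA file above and checks that the
# server certificate carries the name listed in StreamDriverPermittedPeers.
# The disk-assisted queue keeps messages while the collector is unreachable.
action(
    type="omfwd"
    target="logcollector.example.com"
    port="6514"
    protocol="tcp"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="logcollector.example.com"
    queue.type="LinkedList"
    queue.filename="fwd_tls"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
```

Two caveats a practitioner should keep in mind: `debug.gnutls` is only understood by newer rsyslog releases (post 3 below reports that the AIX rsyslog build rejects the statement), and `x509/name` fails closed whenever the CA file does not contain the issuer of the server certificate, so a collector presenting a self-signed certificate needs that self-signed certificate itself in `DefaultNetstreamDriverCAFile`.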



  • 3.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Fri August 02, 2019 03:31 AM

    Originally posted by: Tin_Cup


    I tried to add debug, but the statement is not known, see attachment.

    Attachment: debug.gnutls.txt


  • 4.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Fri August 30, 2019 03:26 AM

    Originally posted by: Tin_Cup


    Any idea on how to debug this?



  • 5.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Mon September 09, 2019 08:12 AM

    Originally posted by: Tin_Cup


    Nobody?



  • 6.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Tue September 24, 2019 03:03 AM

    Originally posted by: AyappanP


    Looks like it's a problem with rsyslog only (not with gnutls).

    One can run this command to check whether gnutls itself is working or not. I verified this from my side.

        gnutls-cli <server-name> --port=6514 --x509cafile </path/to/ca.pem>

    (The port "6514" is what is given in the rsyslog.conf file.)

    The AIX rsyslog version is 8.4.2, which is 5 years old, and so many releases have happened after that.

    The rsyslog failure happens in nsd_gnutls.c, the interface code to gnutls. A lot of changes went into the code since that version.

    The rsyslog team has to look into this issue.



  • 7.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Tue September 24, 2019 08:54 AM

    Originally posted by: Tin_Cup


    I tried the command and found the gnutls-cli-debug command also, see the attached file for the output of both commands.

    Attachment: gnutls debug.txt


  • 8.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Tue September 24, 2019 09:31 AM

    Originally posted by: AyappanP


    "Server does not support any of SSL 3.0, TLS 1.0, 1.1, 1.2 and 1.3"

    This is crazy, because AIX Toolbox gnutls only supports these protocols --> TLS 1.0, 1.1, 1.2, 1.3

    "gnutls-cli -l" --> This will list all the supported protocols.

    These are the recent protocols recommended to use.

    What is the server capable of? Which protocols does it support?



  • 9.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Tue September 24, 2019 10:02 AM

    Originally posted by: Tin_Cup


    The server supports TLS 1.2 (or higher) only.



  • 10.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Tue September 24, 2019 10:14 AM

    Originally posted by: AyappanP


    From the handshake logs, I see this:

        for TLS 1.2 (RFC5246) support... no
        for TLS 1.3 (RFC8446) support... no

    Can you paste the output of "gnutls-serv -l" in a file and attach it here? Run this command on your server.



  • 11.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Wed September 25, 2019 04:32 AM

    Originally posted by: Tin_Cup


    As I understand it, the server uses "syslog-ng", but does not make use of gnutls.

    The server manager sent the OpenSSL output below of the setup of a connection from another server to the log collector to prove that TLSv1.2 is supported:
    ---
    Server certificate
    subject=/C=NL/ST=Utrecht/L=Utrecht/O=Northwave/OU=SOC/CN=141.176.39.3/emailAddress=soc@northwave.nl
    issuer=/C=NL/ST=Utrecht/L=Utrecht/O=NW/OU=SOC/CN=Northwave/emailAddress=soc@northwave.nl
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2679 bytes and written 269 bytes
    Verification error: self signed certificate in certificate chain
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256

    When he tries to connect with TLSv1.1, it doesn't work:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000

    The server explicitly does NOT accept versions lower than TLSv1.2. This means that all other log sources use TLSv1.2+ to connect to the server.
    The server does allow this very well.
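The two OpenSSL transcripts above are the whole diagnostic: a completed TLSv1.2 handshake with a negotiated cipher, versus a TLSv1.1 attempt where the server answered with 7 bytes and nothing was negotiated. The following shell script is an added example, not from this thread or from the rsyslog, GnuTLS or OpenSSL projects: it classifies `openssl s_client` output into "handshake completed" / "server rejected the version" / "other failure", records whether the chain verified, and wraps that in a per-version probe (OpenSSL) plus a version-pinned `gnutls-cli` probe, which matters here because GnuTLS is the library rsyslog actually uses. The host, port and CA path are placeholders, and the two sample transcripts are constructed, modelled on the shapes quoted in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl s_client` output and probe a
# syslog-over-TLS collector one protocol version at a time.
# CAFILE is an assumed path; override it in the environment.

CAFILE="${CAFILE:-/etc/rsyslog.d/ca.pem}"

# Reads an s_client transcript on stdin and prints exactly one line:
#   ok <protocol> <cipher> verified|unverified   handshake completed
#   fail alert-from-server                      server replied with a bare alert record
#   fail no-cipher                              any other aborted handshake
classify_s_client() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)")
            # 7 bytes read with nothing negotiated is one TLS record carrying an alert
            # (5-byte record header + 2-byte alert): the server refused the offered
            # version, which is what the -tls1_1 attempt in the post shows.
            if printf '%s\n' "$out" | grep -q 'SSL handshake has read 7 bytes'; then
                echo "fail alert-from-server"
            else
                echo "fail no-cipher"
            fi
            ;;
        *)
            # A handshake can complete and still be useless for rsyslog: with
            # x509/name authentication the server chain must verify against CAFILE.
            # "Verification error:" is OpenSSL 1.1.x wording, "Verify return code: N"
            # with N != 0 the older wording.
            if printf '%s\n' "$out" | grep -Eq '^Verification error:|^Verify return code: [1-9]'; then
                echo "ok $proto $cipher unverified"
            else
                echo "ok $proto $cipher verified"
            fi
            ;;
    esac
}

# One OpenSSL handshake per protocol version; stdin is closed so s_client exits
# as soon as the handshake finishes. Usage: probe_openssl <host> <port>
probe_openssl() {
    for ver in -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s ' "$ver"
        openssl s_client -connect "$1:$2" "$ver" -CAfile "$CAFILE" </dev/null 2>&1 \
            | classify_s_client
    done
}

# Same check through GnuTLS, pinning a single version via the priority string.
# A non-zero exit means the handshake or the certificate verification failed.
# Usage: probe_gnutls <host> <port>
probe_gnutls() {
    for prio in "NORMAL:-VERS-ALL:+VERS-TLS1.1" "NORMAL:-VERS-ALL:+VERS-TLS1.2"; do
        printf '%-32s ' "$prio"
        if gnutls-cli --priority "$prio" --x509cafile "$CAFILE" --port "$2" "$1" \
               </dev/null >/dev/null 2>&1; then
            echo ok
        else
            echo fail
        fi
    done
}

# Constructed transcripts, abridged from the shapes quoted in the post.
SAMPLE_OK='SSL handshake has read 2679 bytes and written 269 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_REJECTED='no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# ./probe.sh probe <host> <port> runs both live probes; without arguments the
# script only defines the functions and samples.
if [ "${1:-}" = "probe" ]; then
    probe_openssl "$2" "$3"
    probe_gnutls "$2" "$3"
fi
```

Applied to the first transcript above, the classifier reports the TLSv1.2 handshake as completed but unverified: the collector's certificate is issued by a self-signed CA, so the CA file handed to rsyslog (or to `gnutls-cli --x509cafile`) must contain that issuer certificate, otherwise an otherwise-working TLS connection is still rejected at the authentication step. The GnuTLS probe is the one that reproduces rsyslog's own code path; if it succeeds with TLS 1.2 pinned while rsyslog still fails, the problem is in rsyslog's use of the library rather than in the library or the server.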



  • 12.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Wed September 25, 2019 05:39 AM

    Originally posted by: AyappanP


    Okay.

    What OS does the server have? What is the version of syslog-ng?



  • 13.  Re: encrypted syslog traffic with rsyslog/gnutls

    Posted Tue October 01, 2019 05:28 AM

    Originally posted by: Tin_Cup


    The customer decided not to proceed with this approach, because of the dependency of this open source part for the solution.
    Thanks for your help.