TLS improvement

[ghost]

This is a meta issue tracker used for referencing information and all existing issues related to TLS.

Articles

• https://www.linkedin.com/pulse/improving-tls-rsyslog-pascal-withopf

Issues

• TLS configuration inconsistencies TLS configuration inconsistencies and complexity for TCP versus RELP transports  #435
• Verify Hostname when in Auth Name Mode Add Option to Verify Hostname in Syslog Message Against the TLS Client Certficate's CN when in Auth Name Mode #436
• TLS error when sending to Loggly TLS error/corruption #1043
• imtcp PermittedPeer wildcard regression rsyslog 8.18 imtcp PermittedPeer wildcard regression #1063
• CA file needed when both sender and receiver skip authentication Need CA file when both sender and receiver skip authentication  #1068
• rsyslog hangs when TLS close_notify goes unanswered rsyslog hangs when TLS close_notify goes unanswered #1231
• Privileges are dropped before reading certs [Regression] Privileges are dropped before reading certs #1352
• Support libtls or libressl / openssl Feature Request: Support libtls or libressl / openssl #1390
• rsyslog doesn't respond to TLS close_notify rsyslog doesn't respond to TLS close_notify #1503
• sending messages via omfwd + TLS how to config rsyslog send log to log server over omfwd module use tcp&TLS #1688
• TLS enabled TCP input and output TLS enabled TCP input and output #1702

Done

• tcpflood test tool and gnutls tcpflood test tool and gnutls #1776
• Resource leak when CA file not set Resource leak when $DefaultNetStreamDriverCAFile missing #1265
• Enhanced TLS settings enhanced tls settings #153

[rgerhards]

@PascalWithopf can you please update what is still open?

[skupkosk]

Any due date for TLS rewrite?
You might have a look on syslog-ng sources.

[rgerhards]

TLS rewrite is available with at least 8.37.0

[rgerhards]

@alorbach is this solved?

[alorbach]

All issues are closed / Fixed except for these ones:

Issues related to GNUTLS not reproduceable or need additional help:
rsyslog hangs when TLS close_notify goes unanswered #1231
rsyslog doesn't respond to TLS close_notify #1503

Enhancements:
Verify Hostname when in Auth Name Mode #436
CA file needed when both sender and receiver skip authentication #1068

[JPvRiel]

Just to add, imrelp isn't allowing TLS optional client certificate 'anon' mode.

This was raised with #435, but that issue was a large list with many other things improved (thanks!). So #3838 added to revisit it.

[JPvRiel]

I'd like to propose that more robust client authentication options could be provided:

1. If the CN or a SAN of client cert matches the hostname in the message, have a property, e.g. hostname_verified set as true (effectively allows closing Add Option to Verify Hostname in Syslog Message Against the TLS Client Certficate's CN when in Auth Name Mode #436).
2. Populate client properties which client certs are provided such as host_authentication_fingerprint and host_authentication_subject from properties in the client cert.

For the openssl implementation, this should be possible via calling the SSL_get_peer_certificate() if/when a client cert was received and verified by allowed CAs.

This has been suggested in several related open issues:

• gTLS x509 remote cert fields as properties #1597: gTLS x509 remote cert fields as properties
• Get certificate common name in template #3567: Get certificate common name in template
• OpenSSL ossl streamDriver authMode anon does not support optional client certificate requests #3837: OpenSSL ossl streamDriver authMode anon does not support optional client certificate requests
• Add Option to Verify Hostname in Syslog Message Against the TLS Client Certficate's CN when in Auth Name Mode #436: Add Option to Verify Hostname in Syslog Message Against the TLS Client Certificate CN when in Auth Name Mode