SSL "session id context uninitialized" sending logs from Windows with client certs #1936
Comments
When using OpenSSL 1.1, and clients supporting SSL session resumption, we need to set the SSL session ID context, otherwise Windows clients with client certificate will fail to connect for the 2nd time.
Very helpful PostgreSQL thread: https://www.postgresql.org/message-id/CADT4RqBU8N-csyZuzaook-c795dt22Zcwg1aHWB6tfVdAkodZA%40mail.gmail.com
Original bugreport: #1936
Should fix #1936
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Can you please check if this experimental patch fixes it? https://github.com/balabit/syslog-ng/tree/ssl-session-id-context That still needs some refinement, e.g. to make sure it compiles on older OpenSSL versions.
@bazsi, as I have checked the CHANGES file. Or are there any other adjustments needed too?
Thanks for the quick turnaround! I tried to compile from git on my CentOS box but too many issues with dependencies, will set up an Ubuntu server to test ASAP, hopefully today or tomorrow. Cheers
You can always try our docker images for centos7. Just do a
$ dbld/rules image-centos7
$ dbld/rules rpm
from the syslog-ng source tree. You can also run dbld/rules shell to get inside a container that has all the required dependencies to compile syslog-ng.
Maybe this helps,
Bazsi
On Mar 26, 2018 15:16, "Jeremy2021" <notifications@github.com> wrote:
> Thanks for the quick turnaround! I tried to compile from git on my CentOS box but too many issues with dependencies, will set up an Ubuntu server to test ASAP, hopefully today or tomorrow. Cheers
syslog-ng
Version of syslog-ng: Latest version from the unofficial czanik-syslog-ng312-epel-7.repo
Platform: CentOS 7
Debug bundle
Issue
When using Client Certificates, the first connection to syslog-ng is successful, but then the second connection gets the failure error below. This happens every other connection indefinitely. We have observed this sending logs from a Windows server, only when using client certificates.
More info on this missing OpenSSL setting that I believe needs to be added to syslog-ng:
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_session_cache_mode.html
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_session_id_context.html
Note: PostgreSQL had this same exact issue with Windows clients using client certificates too in this rather long thread https://www.postgresql.org/message-id/CADT4RqBU8N-csyZuzaook-c795dt22Zcwg1aHWB6tfVdAkodZA%40mail.gmail.com ... They updated PostgreSQL to set the session id context and the error was resolved.
Failure
In Syslog-ng's logs:
SSL error while reading stream; tls_error='SSL routines:ssl_get_prev_session:session id context uninitialized'
The Windows client sees this as:
Authentication failed because the remote party has closed the transport stream.
Steps to reproduce
Configuration