SSL "session id context uninitialized" sending logs from Windows with client certs

[Jeremy2021]

syslog-ng

Version of syslog-ng

Latest version from the unofficial czanik-syslog-ng312-epel-7.repo

syslog-ng 3 (3.12.1)
Installer-Version: 3.12.1
Revision:
Compile-Date: Nov  3 2017 15:15:50
Module-Directory: //usr/lib64/syslog-ng
Module-Path: //usr/lib64/syslog-ng
Available-Modules: add-contextual-data,afamqp,affile,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,sdjournal,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,tfgetent,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

Platform

CentOS 7

Debug bundle

[syslog.debun.TestCentOS7.2018-03-22_13-53.35126.zip](https://github.com/balabit/syslog-ng/files/1839115/syslog.debun.TestCentOS7.2018-03-22_13-53.35126.zip)

Issue

When using Client Certificates, the first connection to syslog-ng is successful, but then the second connection gets the failure error below. This happens every other connection indefinitely. We have observed this sending logs from a Windows server, only when using client certificates.

More info on this missing OpenSSL setting that I believe needs to be added to syslog-ng:
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_session_cache_mode.html
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_session_id_context.html

Note: PostgreSQL had this same exact issue with Windows clients using client certificates too in this rather long thread https://www.postgresql.org/message-id/CADT4RqBU8N-csyZuzaook-c795dt22Zcwg1aHWB6tfVdAkodZA%40mail.gmail.com ... They updated PostgreSQL to set the session id context and the error was resolved.

Failure

In Syslog-ng's logs:
SSL error while reading stream; tls_error='SSL routines:ssl_get_prev_session:session id context uninitialized'

The Windows client sees this as:
Authentication failed because the remote party has closed the transport stream.

Steps to reproduce

1. configure syslog-ng to use Client Certificates
2. start syslog-ng
3. send logs in from a trusted Windows server using client certificates
4. Observe the failure error every other connection

Configuration

source tls_clientcert_source {
    network(ip(0.0.0.0) port(7514) max-connections(100) log_iw_size(100000)
        transport("tls")
        tls( key-file("/etc/syslog-ng/key.d/syslogng.key.pem")
             cert-file("/etc/syslog-ng/cert.d/syslogng.cert.pem")
             peer-verify(required-trusted)
             ca-dir("/etc/syslog-ng/ca.d")
             trusted-keys("SHA1:xyz")
        )
    );
};

[bazsi]

can you pls check if this experimental patch fixes it?

https://github.com/balabit/syslog-ng/tree/ssl-session-id-context

That still needs some refinement, e.g. to make sure it compiles on older OpenSSL versions.

[gaborznagy]

@bazsi as I have checked the CHANGES file SSL_CTX_set_session_id_context was introduced in 0.9.3 and the minimum config for openssl in configure.ac is 0.9.8.

Or are there any other adjustments needed too?

[Jeremy2021]

Thanks for the quick turnaround! I tried to compile from git on my CentOS box but too many issues with dependencies, will setup an Ubuntu server to test ASAP, hopefully today or tomorrow. Cheers

[bazsi]

You can always try our docker images for centos7. Just do a $ dbld/rules image-centos7 $ dbld/rules rpm From the syslog-ng source tree. You can also run dbld/rules shell to get inside a container that has all the required dependencies to compile syslog-ng. Maybe this helps, Bazsi On Mar 26, 2018 15:16, "Jeremy2021" <notifications@github.com> wrote: Thanks for the quick turnaround! I tried to compile from git on my CentOS box but too many issues with dependencies, will setup an Ubuntu server to test ASAP, hopefully today or tomorrow. Cheers — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1936 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AArldqfFG1EAwf8q5JuG0t0XuWKOWn0Pks5tiOoVgaJpZM4S3tQj> .