SSL/TLS for Input Problem

Hi there,

I use the simple one-node setup for testing.
Here are some specs of my test environment:
OS: CentOS Linux release 8.1.1911 (Core)
Java: openjdk version “1.8.0_242”
Graylog Server: 3.2.4
I set up Apache as a reverse proxy for SSL for Graylog. But now I am trying to secure the Input too.

SSL Settings for the Input
Cert is PEM and the key is an encrypted PKCS#8 file
TLS cert file: /etc/graylog/server/graylog_crt.pem
TLS private key file: /etc/graylog/server/graylog_key.pk8
TLS client authentication: optional
TLS key password: (My Password for the graylog_key.pk8)
TLS Client Auth Trusted Certs: /etc/graylog/server/trusted_clients

As soon as I “Enable TLS” for the Input I get the following error.

2020-04-28T12:28:00.796+02:00 INFO  [InputStateListener] Input [Beats/5e849c3447f1ee2b402bb343] is now STOPPING
2020-04-28T12:28:00.807+02:00 INFO  [InputStateListener] Input [Beats/5e849c3447f1ee2b402bb343] is now STOPPED
2020-04-28T12:28:00.809+02:00 INFO  [InputStateListener] Input [Beats/5e849c3447f1ee2b402bb343] is now TERMINATED
2020-04-28T12:28:00.825+02:00 INFO  [AbstractTcpTransport] Enabled TLS for input [Beats/5e849c3447f1ee2b402bb343]. key-file="/etc/graylog/server/graylog_key.pk8" cert-file="/etc/graylog/server/graylog_crt.pem"
2020-04-28T12:28:00.825+02:00 INFO  [InputStateListener] Input [Beats/5e849c3447f1ee2b402bb343] is now STARTING
2020-04-28T12:28:00.827+02:00 WARN  [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input Beats2Input{title=Beats, type=org.graylog.plugins.beats.Beats2Input, nodeId=null} (channel [id: 0x2fc87a36, L:/0:0:0:0:0:0:0:0%0:5044]) should be 1048576 but is 425984.
2020-04-28T12:28:00.827+02:00 INFO  [InputStateListener] Input [Beats/5e849c3447f1ee2b402bb343] is now RUNNING
2020-04-28T12:28:11.457+02:00 WARN  [ChannelInitializer] Failed to initialize a channel. Closing: [id: 0xf689d968, L:/xxx.xxx.xxx.xxx:5044 - R:/xxx.xxx.xxx.xxx:49726]
java.lang.IllegalArgumentException: File does not contain valid private key: /etc/graylog/server/graylog_key.pk8
        at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:350) ~[graylog.jar:?]
        at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:107) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.createSslEngine(AbstractTcpTransport.java:329) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:305) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:301) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.NettyTransport$1.initChannel(NettyTransport.java:105) ~[graylog.jar:?]
        at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [graylog.jar:?]
        at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [graylog.jar:?]
        at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:956) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [graylog.jar:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:502) [graylog.jar:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:417) [graylog.jar:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:474) [graylog.jar:?]
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [graylog.jar:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [graylog.jar:?]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:387) [graylog.jar:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [graylog.jar:?]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_242]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_242]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
        at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:1072) ~[graylog.jar:?]
        at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1133) ~[graylog.jar:?]
        at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1113) ~[graylog.jar:?]
        at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:348) ~[graylog.jar:?]
        ... 26 more

Content of the key file is like this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIl9EEAaoCmBcCAggA

mcu1sU5BlnNsAkXjHR6q29WWtctlXR2Xol8hX+cYjhQ6
-----END ENCRYPTED PRIVATE KEY-----

Any idea what I am missing there?

Maybe it is related to this bug: https://bugs.openjdk.java.net/browse/JDK-8076999 ?
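The stack trace fails inside PBES2Parameters while decoding the key's encryption parameters, so it is useful to see what those parameters are without decrypting the key. This added example (not from the thread, not Graylog code) is a small DER walker that reports the scheme, KDF, iteration count, PRF and cipher of an encrypted PKCS#8 file; it tolerates a truncated file, which lets it read the first line of the key quoted above, and it assumes a PBES2 key (other schemes are reported by OID only).

```python
import base64
PBES2 = "1.2.840.113549.1.5.13"   # encryptionAlgorithm OID whose parameters PBES2Parameters (trace above) decodes

def der_read(buf, pos):
    # One TLV at pos -> (tag, value, next). None if no data, or only part of a primitive, remains;
    # a constructed value (SEQUENCE) cut short by the end of the data keeps whatever bytes are left.
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) and not tag & 0x20:
        return None
    return tag, buf[pos:pos + length], pos + length

def nth(buf, n):
    # Value of the n-th element inside a constructed value; None if it lies past the data.
    pos = 0
    for _ in range(n + 1):
        tlv = der_read(buf, pos) if buf is not None else None
        if tlv is None:
            return None
        _, val, pos = tlv
    return val

def oid_str(b):
    # Dotted form of a DER OID body (base-128 arcs; the first byte packs two arcs).
    if not b: return None                                    # node missing or cut off
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def describe_der(raw):
    # PBES2 parameters of DER EncryptedPrivateKeyInfo bytes; a field past the end of the data is None.
    alg = nth(nth(raw, 0), 0)                    # EncryptedPrivateKeyInfo.encryptionAlgorithm
    scheme = oid_str(nth(alg, 0))
    params = nth(alg, 1) if scheme == PBES2 else None   # PBES2-params; other schemes are not walked
    kdf, enc = nth(params, 0), nth(params, 1)    # keyDerivationFunc, encryptionScheme
    kdfp = nth(kdf, 1)                           # PBKDF2-params: salt, iterationCount, [prf]
    iters = nth(kdfp, 1)
    return {"scheme": scheme, "kdf": oid_str(nth(kdf, 0)), "cipher": oid_str(nth(enc, 0)),
            "iterations": int.from_bytes(iters, "big") if iters else None,
            "prf": oid_str(nth(nth(kdfp, 2), 0))}  # None: cut off here, or absent (hmacWithSHA1 default)

def describe_pkcs8(pem):
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return describe_der(base64.b64decode(b64[: len(b64) // 4 * 4]))   # whole base64 groups only
POSTED_HEAD = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIl9EEAaoCmBcCAggA\n"  # first line of the key above
```

On the quoted head the report shows PBES2 over PBKDF2 with 2048 iterations; the PRF and cipher fall past the quoted bytes, so they come back as None rather than as a wrong guess.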

  1. Try to restart the graylog service after setting up TLS for the Input:
    sudo systemctl restart graylog-server.service

I saw this error after I set up TLS for the input. It started working after a graylog server restart.

  2. Another problem can be a certificate key file which uses a password. Try to convert it so it doesn’t use a key password:
    openssl rsa -in file1.key -out file2.key

  3. Check if the TLS connection is working using openssl:
    openssl s_client -showcerts -connect 172.28.128.15:1516

First, thank you for your answers.

No effect.

I will try this, but why do you think this could be the reason?
Edit: with no PW it works… any idea what goes wrong here? This has a security impact, with no PW on the key file.

This does not work for the input, but that makes sense to me as long as I have this problem.
