TLS Client auth

Hi,

I’ve try to secure an input with TLS, but still get an error:

2024-12-19T10:15:02.137+01:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/SYSLOG IN TCP/675c2639fd79c51de84f7153] (channel [id: 0xc7db35f0, L:/192.168.1.10:5140 ! R:/192.168.1.12:51066]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem)

What have I done:

  1. We’ve an own PKI working
  2. Generate an certificate and key for server and client signed with the same CA
  3. Setup HTTPS with an apache proxy for access to the graylog server → works
  4. Setup an Input to use TLS:
* allow_override_date: true
* bind_address: 0.0.0.0
* charset_name: UTF-8
* expand_structured_data: false
* force_rdns: false
* max_message_size: 2097152
* number_worker_threads: 4
* override_source: *<empty>*
* port: 5140
* recv_buffer_size: 1048576
* store_full_message: false
* tcp_keepalive: false
* timezone: NotSet
* tls_cert_file: /etc/ssl/certs/meddv-log001.mdv.local.crt
* tls_client_auth: disabled
* tls_client_auth_cert_file: /etc/ssl/certs/meddv_internal_root_certification_authory.pem
* tls_enable: true
* tls_key_file: /etc/ssl/private/meddv-log001.mdv.local.key
* tls_key_password: ********
* use_null_delimiter: false

It works so far with following rsyslog settings:

root@meddv-cmdb:~# cat /etc/rsyslog.d/tls.conf
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/meddv_internal_root_certification_authority.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/meddv-cmdb.mdv.local_fullchain.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/meddv-cmdb.mdv.local.pem
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#$ActionSendStreamDriverAuthMode anon
root@meddv-cmdb:~# cat /etc/rsyslog.d/meddv-log001.conf
#*.* @@meddv-log001.mdv.local:5140;RSYSLOG_SyslogProtocol23Format
*.* action(
  type="omfwd"
  target="meddv-log001.mdv.local"
  port="5140"
  protocol="tcp"
  KeepAlive="on"
  KeepAlive.Interval="30"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  ResendLastMSGOnReconnect="on"
  queue.filename="fwdRule1"  # unique name prefix for spool files
  queue.type="LinkedList"
  queue.maxDiskSpace="256m"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
  action.resumeInterval="30"
)
  1. I import the CA to an new keystore:
/usr/share/graylog-server/jvm/bin/keytool -importcert -keystore /etc/graylog/server/keystore.jks -storepass changeit -alias cachain -file /etc/ssl/certs/meddv_internal_root_certification_authory.pem
  1. I added following to the /etc/default/graylog-server
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/server/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit"

Without the Password I got an other error.
8. I enable the client auth

* tls_client_auth: required

Then, after an rsyslog restart I got the given error in the graylog logfile,…

I think I’m near to an solution but doesn’t see it,…

Many thanks for help!

Gregor

I think I’ve got it.
The cert wasn’t generated for client auth.

With a new generated one it seem to work now.
It is the Netscape Cert Type neccesary I think.

I will retest my doing.

I tested it again and I need both, the Netscape Cert Type ‘SSL Client’ and the X509v3 Extended Key Usage ‘TLS Web Client Authentication’

How could I marked my problem as solved?