Hi there,

We cannot get TCP with TLS to connect to our rsyslog server to work (syslog_tls parameter):

  • Using UDP works fine.
  • Log output on the M300:
    loc3 .Debug 2022-04-23T19:24:49Z 235-[ SYSLOG Trying to Open TLS Client conn -> Destination: 192.168.1.15:6514.] 
    loc0 .Warn  2022-04-23T19:24:49Z 235-[ WARNING: SYSLOG_TASK. No active TLS connection available when logging was requested] 
    loc3 .Crit  2022-04-23T19:24:51Z 235-[ CertMgr: CertificateInvalid: HostnameMismatch] 
    loc3 .Debug 2022-04-23T19:24:51Z 235-[ CertMgr: Certificate Serial Number = 01] 
    loc3 .Debug 2022-04-23T19:24:51Z 235-[ CertMgr: Certificate host name = Wenke & Andree's CA"��r] 
    loc3 .Debug 2022-04-23T19:24:51Z 235-[ CertMgr: Certificate check: FALSE] 
  • Connecting with openssl s_client -connect rysum.ostfriesland:6514 is absolutely fine.
  • The rsyslog server's log shows:
    Apr 23 19:11:54 rysum rsyslogd[157630]: SSL_ERROR_SSL Error in 'osslRecordRecv': 'error:00000001:lib(0):func(0):reason(1)(1)' with ret=-1  [v8.2102.0]
    Apr 23 19:11:54 rysum rsyslogd[157630]: OpenSSL Error Stack: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate [v8.2102.0]
    Apr 23 19:11:54 rysum rsyslogd[157630]: netstream session 0x7f1e40007270 from 192.168.1.71 will be closed due to error [v8.2102.0]

  • Pointing the M300 to an SSL test instance openssl s_server -state -msg -debug -status_verbose -security_debug_verbose -HTTP -cert /etc/ssl/certs/rysum.ostfriesland_cert.pem -key /etc/ssl/private/rysum.ostfriesland_key.pem gives the following (consistent with the rsyslog log entries):
    SSL3 alert read:fatal:bad certificate
    SSL_accept:error in error
    139688820229440:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

Looking at the log entry on the M300, it appears that the certificate content parser may have a problem. The Certificate host name is rysum.ostfriesland whereas what is shown is the name of the CA plus some non-printable characters. This looks like a firmware bug. (We're on the latest version IPDECT/05.30/B0002/25-May-2021 14:26.)

Furthermore, there does not appear to be any documentation on how to set this up and specifically on how to set up a client certificate for the M300 in accordance with Supported Authentication Modes of rsyslog.

If you could kindly advise, that would be most appreciated!

Thank you kindly and best regards,

Andree

Andree Leidenfrost

Joined: 18.03.2022
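
The M300 log above shows the destination as 192.168.1.15, while the s_client test used rysum.ostfriesland, so one thing worth ruling out on the server side is which reference identities the certificate actually covers. The following is an added example, not part of the original post: it builds constructed, self-signed stand-in certificates (not the real rysum.ostfriesland certificate) and checks each against both the host name and the IP address. The helper names make_cert, cert_matches and report are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post).
# The certificates are constructed, self-signed stand-ins for the real
# /etc/ssl/certs/rysum.ostfriesland_cert.pem; helper names are hypothetical.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <basename> <subjectAltName value>: write a throwaway key and certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=rysum.ostfriesland" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# cert_matches <cert.pem> host|ip <value>: succeed only if the certificate is
# valid for that reference identity. The result text that
# `openssl x509 -checkhost/-checkip` prints on stdout is parsed.
cert_matches() {
    case "$2" in
        host) out=$(openssl x509 -in "$1" -noout -checkhost "$3") ;;
        ip)   out=$(openssl x509 -in "$1" -noout -checkip "$3") ;;
        *)    return 2 ;;
    esac
    case "$out" in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report <cert.pem> host|ip <value>: print one result line per check.
report() {
    if cert_matches "$1" "$2" "$3"; then r=match; else r=MISMATCH; fi
    printf '%-16s %-4s %-20s %s\n' "$(basename "$1")" "$2" "$3" "$r"
}

# Certificate 1 names only the DNS host; certificate 2 also carries an IP SAN.
make_cert dns_only "DNS:rysum.ostfriesland"
make_cert dns_and_ip "DNS:rysum.ostfriesland,IP:192.168.1.15"

for c in "$WORK/dns_only.pem" "$WORK/dns_and_ip.pem"; do
    report "$c" host rysum.ostfriesland
    report "$c" ip   192.168.1.15
done
```

To check the real certificate, call report with the path from the s_server command in the post instead of the constructed files.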