
tls.authmode is ignored without own certificate and private key #263

@MouettE-SC

Description

I'm trying to set up rsyslog with relp over tls using the openssl library. The server is configured with its own certificate signed by a CA, with the following snippet:

module(load="imrelp" tls.tlslib="openssl")
input(type="imrelp" address="10.0.5.15" port="10514" ruleset="relp-noauth" tls="on"
      tls.cacert="/data/certs/pki/ca.crt"
      tls.mycert="/data/certs/pki/syslog.crt"
      tls.myprivkey="/data/certs/pki/syslog.key")

The clients do not have their own certificates, but they are supposed to validate the one presented by the server (name + CA) using this configuration snippet:

module(load="omrelp" tls.tlslib="openssl")
action(type="omrelp" target="10.0.5.15" port="10514"
       tls="on" tls.authmode="name" tls.permittedpeer="syslog"
       tls.cacert="/data/certs/pki/ca.crt"
      )

My issue in this particular case is that the authmode on the client part is completely ignored (changing the permittedpeer param has no effect). When run in debug mode, we can see the following message on the client:

relpTcpChkPeerAuth: anon mode - success

After some digging into the code of tcp.c, I found that authmode gets overwritten with "none" in both client and server modes when no own certificate is configured; first for the server:

librelp/src/tcp.c

Lines 1776 to 1779 in 27d9a8c

if(!isAnonAuth(pThis->pSrv->pTcp)) {
	CHKRet(relpTcpSslInitCerts(pThis, pThis->pSrv->ownCertFile, pThis->pSrv->privKey));
} else
	pThis->authmode = eRelpAuthMode_None;

Same in client mode:

librelp/src/tcp.c

Lines 1890 to 1894 in 27d9a8c

if(!isAnonAuth(pThis)) {
	pThis->pEngine->dbgprint((char*)"relpTcpConnectTLSInit: Init Client Certs \n");
	CHKRet(relpTcpSslInitCerts(pThis, pThis->ownCertFile, pThis->privKeyFile));
} else
	pThis->authmode = eRelpAuthMode_None;

My understanding is that authmode defines how I will authenticate the remote peer using information from the certificate presented by it. The fact that I don't myself have a certificate is not relevant, I only need a CA certificate and/or a permitted peer list to do this authentication (depending on the authmode value).

I can create a PR removing the else clause in both snippets above if you agree; otherwise I would be curious to know the rationale for this choice. Note that when using omfwd with tls in rsyslog, remote peer certificate authentication is done even if the local peer does not have a certificate, using this snippet:

global(
    DefaultNetstreamDriverCAFile="/data/certs/pki/ca.crt"
)
action(type="omfwd" target="10.0.5.15" port="6514" protocol="tcp"
       streamdriver="ossl" streamdrivermode="1"
       streamdriverauthmode="x509/name"
       streamdriverpermittedpeers="syslog")
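To make the reported behaviour concrete, here is an added C model (not librelp's code) of the two decision points: how the effective authmode is derived from the configuration under the current else branch versus the proposed change, and what the peer check then accepts for the client configuration quoted in the issue. The reading of isAnonAuth(), the enum and field names, and the peer certificate summaries are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the relevant librelp settings; enum and field names are assumptions. */
typedef enum { AUTH_NONE, AUTH_NAME } auth_mode_t;

typedef struct {
    auth_mode_t authmode;      /* tls.authmode */
    const char *cacert;        /* tls.cacert, NULL if unset */
    const char *own_cert;      /* tls.mycert, NULL if unset */
    const char *own_key;       /* tls.myprivkey, NULL if unset */
    const char *permittedpeer; /* tls.permittedpeer (one entry) */
} tls_cfg_t;

/* What the remote side presented (constructed summary, no real X.509 parsing). */
typedef struct {
    bool chain_ok;             /* chains to tls.cacert */
    const char *name;          /* CN or SAN dNSName */
} peer_cert_t;

/* The client config from the issue: CA and permitted peer, but no own cert. */
const tls_cfg_t issue_client_cfg = { AUTH_NAME, "/data/certs/pki/ca.crt", NULL, NULL, "syslog" };
/* Constructed peer certs: one chains to the CA with the expected name, one does not. */
const peer_cert_t good_peer  = { true,  "syslog" };
const peer_cert_t rogue_peer = { false, "not-syslog" };

/* Assumed reading of isAnonAuth(): true when there is no own cert/key to load. */
static bool is_anon_auth(const tls_cfg_t *c) {
    return c->own_cert == NULL || c->own_key == NULL;
}

/* Behaviour reported in the issue: no own cert forces authmode to None. */
auth_mode_t effective_authmode_current(const tls_cfg_t *c) {
    return is_anon_auth(c) ? AUTH_NONE : c->authmode;
}

/* Proposed fix: loading own credentials and verifying the peer are independent. */
auth_mode_t effective_authmode_proposed(const tls_cfg_t *c) {
    return c->authmode;
}

/* Peer check for an effective mode, as relpTcpChkPeerAuth would apply it. */
bool peer_accepted(auth_mode_t mode, const tls_cfg_t *c, const peer_cert_t *p) {
    if (mode == AUTH_NONE)
        return true;                      /* "anon mode - success": nothing checked */
    return p->chain_ok && c->permittedpeer != NULL && p->name != NULL &&
           strcmp(p->name, c->permittedpeer) == 0;
}
```

With the current logic the client silently accepts a peer whose certificate neither chains to the CA nor carries the permitted name; with the proposed logic the same configuration rejects it and accepts only the expected "syslog" peer.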
