I'm trying to set up rsyslog with RELP over TLS using the OpenSSL library. The server is configured with its own certificate signed by a CA with the following snippet:
The clients do not have their own certificates, but they are supposed to validate the one presented by the server (name + CA) using this configuration snippet:
My issue in this particular case is that the authmode on the client side is completely ignored (changing the permittedpeer param has no effect). When run in debug mode, we can see the following message on the client:
relpTcpChkPeerAuth: anon mode - success
After some digging into the code of tcp.c, I found that authmode gets overwritten with "none" in both client and server modes when no own certificate is configured; first for the server:
https://github.com/rsyslog/librelp/blob/27d9a8cab814780d637d9857b8cd5aff39155a20/src/tcp.c#L1776-L1779
and the same in client mode:
https://github.com/rsyslog/librelp/blob/27d9a8cab814780d637d9857b8cd5aff39155a20/src/tcp.c#L1890-L1894
My understanding is that authmode defines how I will authenticate the remote peer using information from the certificate presented by it. The fact that I don't myself have a certificate is not relevant, I only need a CA certificate and/or a permitted peer list to do this authentication (depending on the authmode value).
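To make the behaviour described above concrete, here is a small added model in C; it is illustration written for this report, not code from librelp or tcp.c. It contrasts the current decision (any missing own certificate collapses the mode to "none") with the proposed one (the configured mode is kept and only rejected when its inputs, a CA certificate and/or a permitted-peer list, are absent), and shows a "name"-mode check that matches the peer certificate's names against a permitted-peer list without any local certificate. The struct, function names, the mode names "name" and "fingerprint", and the leading-"*" wildcard rule are assumptions made for this example.

```c
/* Added illustration of the authmode decision discussed in the issue.
 * Not librelp code; types, names and the wildcard rule are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *authmode;    /* "none", "fingerprint" or "name" */
    int has_own_cert;        /* local certificate and key are configured */
    int has_ca_cert;         /* a CA certificate is configured */
    int n_permitted_peers;   /* number of entries in the permitted-peer list */
} tls_cfg_t;

/* Current behaviour described in the issue: no own cert => "none". */
const char *effective_authmode_current(const tls_cfg_t *c)
{
    return c->has_own_cert ? c->authmode : "none";
}

/* Proposed behaviour: keep the configured mode, but refuse a mode whose
 * inputs are missing. Returns NULL for an unsatisfiable or unknown mode. */
const char *effective_authmode_proposed(const tls_cfg_t *c)
{
    if (strcmp(c->authmode, "none") == 0)
        return "none";
    if (strcmp(c->authmode, "name") == 0)   /* chain check + peer list */
        return (c->has_ca_cert && c->n_permitted_peers > 0) ? "name" : NULL;
    if (strcmp(c->authmode, "fingerprint") == 0)  /* peer list only */
        return c->n_permitted_peers > 0 ? "fingerprint" : NULL;
    return NULL;
}

/* Match one certificate name against one permitted-peer pattern.
 * A leading "*" matches any prefix, e.g. "*.example.com" (assumed rule). */
static int name_matches(const char *name, const char *pattern)
{
    if (pattern[0] == '*') {
        size_t nl = strlen(name), pl = strlen(pattern + 1);
        return nl >= pl && strcmp(name + nl - pl, pattern + 1) == 0;
    }
    return strcmp(name, pattern) == 0;
}

/* "name" mode: at least one name from the peer certificate (CN or SAN)
 * must be in the permitted-peer list. Nothing here needs a local cert. */
int peer_name_permitted(const char *const *cert_names, size_t n_names,
                        const char *const *permitted, size_t n_permitted)
{
    for (size_t i = 0; i < n_names; i++)
        for (size_t j = 0; j < n_permitted; j++)
            if (name_matches(cert_names[i], permitted[j]))
                return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: a client with no own cert that asks for "name" mode. */
    tls_cfg_t client = { "name", 0, 1, 1 };
    const char *names[] = { "rsyslog-server.example.com" };
    const char *peers[] = { "*.example.com" };

    printf("current mode : %s\n", effective_authmode_current(&client));
    printf("proposed mode: %s\n", effective_authmode_proposed(&client));
    printf("peer permitted: %d\n", peer_name_permitted(names, 1, peers, 1));
    return 0;
}
```

With the sample configuration, the current logic reports "none" (which is what the "anon mode - success" debug line reflects), while the proposed logic keeps "name" and the peer check succeeds purely from the CA and the permitted-peer list.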
I can create a PR removing the else clause in both snippets above if you agree; otherwise I would be curious to know the rationale for this choice. Note that when using omfwd with TLS in rsyslog, remote peer certificate authentication is done even if the local peer does not have a certificate, using this snippet: