This commit adds two new flags which can be set to allow
1) checking of extendedKeyUsage certificate field
2) stricter checking of certificate name/addresses
- Corrected ANON Cipher handling in ossl / gtls driver.
- removed error when no CA is configured for ANON Mode in gtls driver.
- Set GNUTLS Debug level to 2, so we see more information about gnutls errors
in rsyslog debug mode.
- fixed tcpdump parameters not using TLS in manytcp-too-few-tls-vg.sh
- fixed minor memory leak in shutdown destructor of ossl tls driver.
The new option can have one of the following values:
on = Expired certificates are allowed
off = Expired certificates are not allowed
warn = Expired certificates are allowed but a warning will be logged (Default)
Includes necessary tests to validate new code.
closes https://github.com/rsyslog/rsyslog/issues/3364
gtls and ossl driver used a default buffersize of 8 x 1024 bytes to store
received TLS packets. When tls read returned more than buffersize, the additional
buffer was not processed until new data arrived on the socket again.
TLS RFCs require up to 16KB buffer for a single TLS record.
closes https://github.com/rsyslog/rsyslog/issues/3325
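The stall described above, reproduced as an added, constructed C simulation (not rsyslog or GnuTLS/OpenSSL code): a TLS library decrypts a full 16 KiB record off the socket into its own buffer, the driver reads only 8 KiB, and poll() never wakes it for the rest. The mock names tls_recv() and pending_bytes() are assumptions standing in for the library's record read and pending-data check (gnutls_record_check_pending() / SSL_pending() in the real libraries).

```c
#include <stddef.h>
#include <string.h>

#define TLS_MAX_RECORD 16384      /* largest plaintext a single TLS record may carry */
#define OLD_BUFSIZE    (8 * 1024) /* the drivers' former default receive buffer */

/* Mock TLS layer (constructed): one decrypted record, already read from the socket. */
typedef struct {
    unsigned char rec[TLS_MAX_RECORD];
    size_t off;          /* bytes already handed to the application */
    size_t pending;      /* decrypted bytes still inside the library */
} tls_mock_t;

static void tls_mock_init(tls_mock_t *t, size_t record_len) {
    memset(t->rec, 'A', record_len);
    t->off = 0;
    t->pending = record_len;
}

/* Stands in for gnutls_record_check_pending() / SSL_pending(). */
static size_t pending_bytes(const tls_mock_t *t) { return t->pending; }

/* Stands in for gnutls_record_recv(): hands over at most buflen bytes. */
static size_t tls_recv(tls_mock_t *t, unsigned char *buf, size_t buflen) {
    size_t n = t->pending < buflen ? t->pending : buflen;
    memcpy(buf, t->rec + t->off, n);
    t->off += n;
    t->pending -= n;
    return n;
}

/* Old behaviour: one read per readiness event, then back to poll().
 * Returns how many decrypted bytes are left stranded in the library. */
size_t stalled_after_old(size_t record_len) {
    tls_mock_t t; unsigned char buf[OLD_BUFSIZE];
    tls_mock_init(&t, record_len);
    tls_recv(&t, buf, sizeof buf);
    return pending_bytes(&t); /* poll() will not report these: no new socket data */
}

/* Fixed behaviour: keep reading while the library still has decrypted data. */
size_t stalled_after_fixed(size_t record_len) {
    tls_mock_t t; unsigned char buf[OLD_BUFSIZE]; size_t got;
    tls_mock_init(&t, record_len);
    do {
        got = tls_recv(&t, buf, sizeof buf);
    } while (got > 0 && pending_bytes(&t) > 0);
    return pending_bytes(&t);
}
```

With a full-size record the old loop leaves 8192 bytes unprocessed until the peer sends again; the drain loop leaves none.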
Commit 7589f42e45888b83f5c2a0d788896d41e6a6a598 introduced support
for loading certificate chains. Unfortunately the max number of permitted
certificates was miscalculated and so a certificate chain with more than
10 certificates could lead to a buffer overrun. This patch corrects this.
Note that the commit was merged just yesterday and there was no release
with the affected code.
Also, this commit adds GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED to
ensure the certificate export will fail with an error message if the
certificate list contains too many certificates. Thx to Arne Nordmark
for suggesting that option.
The variable priorityString was not used when rsyslog acted as the
server and the defaults were always set. Now the priorityString
is used when specified.
fixes https://github.com/rsyslog/rsyslog/issues/1722
Add SNI hostname if and only if host is not a bare IP address
Rename sndrcv_tls_anon -> sndrcv_tls_anon_hostname, and include a hostname in this test
Add bare IPv4 and IPv6 TLS tests
Change port in some tests to make wireshark traces easier to interpret during a full test run
Add support for bind-to-device option to omfwd and imudp modules.
Configured using device="name". Only new syntax format is supported.
e.g.,
input(type="imudp" port=["10514"] device="eth0" name="udp")
action(type="omfwd" Target="192.168.1.23" Port="10514" Device="eth0")
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
As it seems, different C compilers have different rules/interpretations
on inline functions. The current code base did not properly obey all C99
rules. We fix this by converting some functions to macros and others to
include the necessary C99 plumbing. We also remove some inline attributes
for functions where this seems to be too aggressive (aka "function too big").
This fixes build problems in some environments and is a general code
cleanup measure.
especially in the common case that a certificate file is not present.
The GnuTLS-provided error message is pretty misleading, so we now
check this ourselves.
Note that further improvements to TLS error reporting are desirable,
this fixes just one annoying case that frequently causes confusion.
the function can no longer fail and it is not expected that this
will ever happen again in the future. So we remove the return value,
giving a small speedup to the code.
When the connection was broken and gtlsRecordRecv returned a
failure, pszRcvBuf was not freed. The code to free pszRcvBuf has
been moved to finalize_it if iRet is not RS_RET_OK.
The gnutls_certificate_type_set_priority function is deprecated
and not available in recent GnuTLS versions. However, there is no
doc how to properly replace it with gnutls_priority_set_direct.
A lot of folks have simply removed it, when they also called
gnutls_set_default_priority. This is what we now also do. If
this causes problems or someone has an idea of how to replace
the deprecated function in a better way, please let us know!
In any case, we use it as long as it is available and do not let
the deprecation warnings insult us.
There is a regression in this feature-add commit and I don't have the
time to search for it. Referring it back to contributor.
see also https://github.com/rsyslog/rsyslog/pull/145