In order to set the default PermitExpiredCerts handling (Denied),
we need to call PermitExpiredCerts with a NULL parameter.
testbench: Add test to check expired handling in omfwd
debug: Fix dbgprintf calls with possible NULL character parameters
closes: https://github.com/rsyslog/rsyslog/issues/4425
The segfault happens when <bCreate> is 1 and the <root>
container where the <namebuf> key is to be inserted is not an object.
Here is a simple reproducible test case:
// ensure we start fresh
// unnecessary if there was no previous set
unset $!;
set $! = "";
set $!event!created = 123;
Adding a new rate limit option to omfwd for rate limiting
syslog messages sent to the remote server
ratelimit.interval:
Specifies the rate-limiting interval in seconds.
Default value is 0, which turns off rate limiting.
ratelimit.burst:
Specifies the rate-limiting burst in number of messages.
fixes #4423 https://github.com/rsyslog/rsyslog/issues/4423
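As an added example (not part of the commits above or of the rsyslog project itself), here is an omfwd action that combines the two rate-limit parameters with the gtls stream driver, so that expired server certificates are rejected explicitly as well. The target host, port and certificate paths are assumed, and the parameter name StreamDriver.PermitExpiredCerts is assumed to be the omfwd setting behind the PermitExpiredCerts handling described in the first commit; the remaining parameters are standard omfwd and global parameters.

```rsyslog
# Added example, not from the rsyslog project: forward over TLS while
# limiting the client to 500 messages per 10-second interval. Messages
# beyond the burst inside one interval are discarded by omfwd, not queued,
# so a log flood cannot hold the outbound channel hostage.

# Assumed paths for the CA and the client key pair.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
)

# StreamDriverMode="1" requires TLS; "x509/name" verifies the server chain
# and checks its name against StreamDriverPermittedPeers.
# StreamDriver.PermitExpiredCerts="off" (assumed parameter name) makes the
# "Denied" handling explicit instead of relying on the default.
# ratelimit.interval="0" would turn rate limiting off again.
action(type="omfwd"
       target="logs.example.internal"
       port="6514"
       protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.internal"
       StreamDriver.PermitExpiredCerts="off"
       ratelimit.interval="10"
       ratelimit.burst="500"
       queue.type="LinkedList"
       action.resumeRetryCount="-1")
```

Note that the rate limiter counts messages handed to this one action, so a separate omfwd action to a second collector gets its own interval and burst budget.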
If the TLS handshake does not immediately finish, gnutls_handshake is called in
the doRetry handler again. However, the error handling was not
complete in the doRetry handler. A failed gnutls_handshake call
did not abort the connection and probably caused unexpected
problems like in issues:
https://github.com/rsyslog/rsyslog/issues/4270
https://github.com/rsyslog/rsyslog/issues/4288
Adding error logs for the SSL handshake failure scenarios.
Adding the header "nsd_ossl:" tag to these logs to identify
the origin module from which logs are generated.
This implements a way to check if an rsyslog variable (e.g. '$!path!var') is
currently set or not.
Sample: if exists($!somevar) then ...
closes https://github.com/rsyslog/rsyslog/issues/4385
This is a proposal for Github issue rsyslog/rsyslog#4430:
accessing a non-existing key creates an empty parent object
https://github.com/rsyslog/rsyslog/issues/4430
When looking up an object property, the tree of intermediate
object containers was created by the get and del functions. The
patch is an attempt to fix that behavior by passing 0 to the
bCreate argument of jsonPathFindParent().
There is also one case where the return value of
jsonPathFindParent() was not checked, in the recursive call
of jsonPathFindParent() itself. This was leading to infinite
loops if bCreate was 0.
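The following configuration is an added example, not code from the commits above or from the rsyslog project, showing how the exists() function from issue 4385 and the non-creating lookups from issue 4430 interact. The variable names ($!event!created, $!event!seen, $!audit!src), the template name and the output file are assumed.

```rsyslog
# Added example, not from the rsyslog project.
# Before exists(), the usual idiom was   if $!event!created == "" then ...
# which cannot tell an unset variable from one set to the empty string, and
# (before the fix for issue 4430) the read itself left an empty $!event
# object behind. With both changes, the else branch below only runs for
# messages that never carried an event container, and $!event stays absent
# for them.

# Emit the $!event subtree as JSON, one object per line (assumed template).
template(name="evt" type="list") {
    property(name="$!event" format="json")
    constant(value="\n")
}

if exists($!event!created) then {
    # the key is really there, so extending the tree is safe
    set $!event!seen = "true";
} else {
    # $!event!created is unset; the test above did not create {"event":{}}
    set $.missing = "1";
}

# Writing to a nested path still creates the intermediate container on
# purpose: $!audit is created here even if it did not exist before.
set $!audit!src = $fromhost-ip;

# Record which messages lacked the container, using the local variable.
if $.missing == "1" then {
    action(type="omfile" file="/var/log/events-missing.log")
}

action(type="omfile" file="/var/log/events.json" template="evt")
```

The first reproducer in this changelog (unset $!; set $! = ""; set $!event!created = 123;) is the failure case the 4430 fix targets: a write under a root that is not an object. The example above stays within the fixed behaviour by only ever writing to paths whose root is either absent or already an object.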
Some TLS servers don't reply to graceful shutdown requests "for
optimization". This results in rsyslog's omfwd+gtls client to wait
forever for a reply of the TLS server which never comes, due to shutting
down the connection with gnutls_bye(GNUTLS_SHUT_RDWR).
On systemd systems, commands such as "systemctl restart rsyslog" just
hang for 1m30 and rsyslogd gets killed upon timeout by systemd.
This patch replaces call to gnutls_bye(GNUTLS_SHUT_RDWR) by calls to
gnutls_bye(GNUTLS_SHUT_WR) which is sufficient and doesn't wait for a
server reply.
A Red Hat customer reproduces the hang reliably when sending the logs to
his Kiwi Syslog server, which apparently doesn't send the TLS reply upon
connection termination request.
A data race can happen on variable iLenProgram as it is not guarded
by the message mutex at the time of the query. This can lead to it being
non -1 while the buffer has not yet been properly set up.
Thanks to github user wsp1991 for alerting us and a related
patch proposal.
replaces https://github.com/rsyslog/rsyslog/pull/4300
Due to an invalid return code check, broken TCP sessions could not
necessarily be detected "right in time". This can result in the loss
of one message.
closes https://github.com/rsyslog/rsyslog/issues/4227
When using a Disk Queue and a queue.filename that can not be created
by rsyslog, the service does not switch to another queue type as it is
supposed to and crashes at a later step.
closes: https://github.com/rsyslog/rsyslog/issues/4282
Previously, when the server accepts a new connection, it doesn't
properly set the dataTypeCheck field based on the listening socket.
That results in skipping ExtendedKeyUsage (EKU) check on the client
certificates.
When "discardTruncatedMsg" is enabled in imtcp, messages were incorrectly
skipped if the last character before the truncation was the LF delimiter.
Add two tests for octet stuffing and framing.
closes: https://github.com/rsyslog/rsyslog/issues/4281
The check was done in strmPhysWrite before, which caused syslog
messages to split in the middle if the syslog message batch exceeded
the default IO Buffer size.
closes: https://github.com/rsyslog/rsyslog/issues/4233
- if cstrLen(pThis->prevMsgSegment) > maxMsgSize then the len calculation
becomes negative if cstrLen(thisLine) < cstrLen(pThis->prevMsgSegment).
This causes an illegal access to a memory location and thus a segfault.
- assigning len = 0 if cstrLen(pThis->prevMsgSegment) > maxMsgSize so that
it accesses the correct memory location.
Signed-off-by: Ankit Jain <ankitja@vmware.com>
When the signer thread is created in rsksiInitModule, successful thread
initialization is verified before returning from the function. This will
prevent adding records to a not initialized module, and in case of an
error the opened signature files will contain only magic bytes.
Thread flags replaced with thread state.
When init module fails, module is disabled.
Disable use of "@SECLEVEL" in default cipher string and
avoid SSL_CONF_CTX_set_flags() API when LIBRESSL is used.
This means tlscommands will not work.
closes: https://github.com/rsyslog/rsyslog/issues/4210
Instead of hardcoded SHA-256, KSI_getHashAlgorithmByName("default")
is used to get the default hash function.
Function rsksiSetHashFunction and SetCnfParam updated.
In async. mode all pending signature requests are closed immediately and
an unsigned block marker is attached with a message about the sudden closure.
Similar approach is used for blocks that already contain some records.
Empty blocks are just closed without any metadata.