IPv6 TLS source question
I'm attempting to set up a TCP IPv6 source declaration that uses TLS, but syslog-ng is not happy with the configuration file.

The following is what I use for IPv4 and it works fine:

    source s_tls {
        syslog(
            ip(0.0.0.0) port(6514)
            transport("tls")
            tls(
                key_file("/srv/syslog-ng/certs/priv-key.pem")
                cert_file("/srv/syslog-ng/certs/id-cert.pem")
                ca_dir("/srv/syslog-ng/certs")
                cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
            )
        );
    };

However, the following is not valid:

    source s_tls6 {
        syslog(
            ip("::") port(6515)
            transport("tls")
            tls(
                key_file("/srv/syslog-ng/certs/priv-key.pem")
                cert_file("/srv/syslog-ng/certs/id-cert.pem")
                ca_dir("/srv/syslog-ng/certs")
                cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
            )
        );
    };

I've tried the ip with and without quotes with no luck. What am I doing wrong?

Thanks
-Jeff
Syslog-ng version? IIRC there were related fixes in 3.4.

On Jun 26, 2013 6:12 PM, "Jeff Lange" <jlange6648@gmail.com> wrote:

> I'm attempting to set up a TCP IPv6 source declaration that uses TLS, but syslog-ng is not happy with the configuration file.
>
> The following is what I use for IPv4 and it works fine:
>
>     source s_tls {
>         syslog(
>             ip(0.0.0.0) port(6514)
>             transport("tls")
>             tls(
>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>                 ca_dir("/srv/syslog-ng/certs")
>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>             )
>         );
>     };
>
> However, the following is not valid:
>
>     source s_tls6 {
>         syslog(
>             ip("::") port(6515)
>             transport("tls")
>             tls(
>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>                 ca_dir("/srv/syslog-ng/certs")
>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>             )
>         );
>     };
>
> I've tried the ip with and without quotes with no luck. What am I doing wrong?
>
> Thanks
> -Jeff
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I've observed this in both 3.3.x and 3.4.2 (Ubuntu 12.04 x86_64).

-Jeff

On Wed, Jun 26, 2013 at 2:43 PM, Balazs Scheidler <bazsi77@gmail.com> wrote:

> Syslog-ng version? IIRC there were related fixes in 3.4.
>
> On Jun 26, 2013 6:12 PM, "Jeff Lange" <jlange6648@gmail.com> wrote:
>
>> I'm attempting to set up a TCP IPv6 source declaration that uses TLS, but syslog-ng is not happy with the configuration file.
>>
>> The following is what I use for IPv4 and it works fine:
>>
>>     source s_tls {
>>         syslog(
>>             ip(0.0.0.0) port(6514)
>>             transport("tls")
>>             tls(
>>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>>                 ca_dir("/srv/syslog-ng/certs")
>>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>>             )
>>         );
>>     };
>>
>> However, the following is not valid:
>>
>>     source s_tls6 {
>>         syslog(
>>             ip("::") port(6515)
>>             transport("tls")
>>             tls(
>>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>>                 ca_dir("/srv/syslog-ng/certs")
>>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>>             )
>>         );
>>     };
>>
>> I've tried the ip with and without quotes with no luck. What am I doing wrong?
>>
>> Thanks
>> -Jeff
Jeff Lange <jlange6648@gmail.com> writes:

> I'm attempting to set up a TCP IPv6 source declaration that uses TLS, but syslog-ng is not happy with the configuration file.

Long story short: syslog-ng 3.3 and 3.4 do not support syslog() over IPv6, 3.5 does, see below.

> The following is what I use for IPv4 and it works fine:
>
>     source s_tls {
>         syslog(
>             ip(0.0.0.0) port(6514)
>             transport("tls")
>             tls(
>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>                 ca_dir("/srv/syslog-ng/certs")
>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>             )
>         );
>     };
>
> However, the following is not valid:
>
>     source s_tls6 {
>         syslog(
>             ip("::") port(6515)
>             transport("tls")
>             tls(
>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>                 ca_dir("/srv/syslog-ng/certs")
>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>             )
>         );
>     };
>
> I've tried the ip with and without quotes with no luck. What am I doing wrong?

Unfortunately, syslog-ng defaults to IPv4, and even if you give it an IPv6 address, it will still try to handle it as if it was IPv4, unless you tell it not to.

In syslog-ng 3.5, this is possible by adding ip-protocol(6) inside the syslog() statement. In versions prior to 3.5, it is not doable yet. But I'm considering teaching the host resolving code not to default to IPv4 (by using AF_UNSPEC, unless specified otherwise via ip-protocol or something similar).

The problem is, all the current sources and destinations make a distinction between IPv4 and IPv6: tcp(), udp() and syslog() all enforce IPv4, while tcp6() and udp6() enforce IPv6... and there is no syslog6().

I do not want to change this in either 3.3 or 3.4, that would be too invasive, but for 3.5, I'd love to make the udp(), tcp() and syslog() statements IP protocol agnostic. That way, your config would just work out of the box, but would still allow one to limit to either IPv4 or IPv6 by specifying ip-protocol(N).

-- 
|8]
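The behaviour described in the reply above (an IPv6 literal rejected because the resolver is forced to IPv4, accepted once the family is IPv6 or left unspecified) can be reproduced with the system resolver alone. The script below is an added example, not code from the thread or from syslog-ng; the `resolve_listen_address()` helper and its `ip_protocol` argument are assumptions that mirror the ip-protocol(N) setting named in the reply, with `None` standing in for the AF_UNSPEC ("ip-protocol(auto)") idea. The cases are constructed from the two sources posted in the thread.

```python
import socket

# syslog-ng's ip-protocol(N) maps onto the address family handed to the
# resolver. None models the AF_UNSPEC ("ip-protocol(auto)") proposal from
# the thread; 4 mirrors the hard-wired IPv4 default of 3.3/3.4.
# Hypothetical mapping written for this example, not syslog-ng's own code.
FAMILY_FOR_IP_PROTOCOL = {
    4: socket.AF_INET,
    6: socket.AF_INET6,
    None: socket.AF_UNSPEC,
}


def resolve_listen_address(host, port, ip_protocol=4):
    """Resolve a source's ip()/port() pair under a forced address family.

    Returns (family_name, sockaddr) for the first result, or None when the
    resolver rejects the literal under that family. AI_NUMERICHOST keeps the
    call offline: only literal addresses are accepted and no DNS is consulted.
    """
    family = FAMILY_FOR_IP_PROTOCOL[ip_protocol]
    try:
        results = socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)
    except socket.gaierror:
        # e.g. "::" under AF_INET, or "0.0.0.0" under AF_INET6
        return None
    fam, _socktype, _proto, _canonname, sockaddr = results[0]
    return socket.AddressFamily(fam).name, sockaddr


# Constructed cases: the two sources from the thread, the 3.5 fix, and the
# AF_UNSPEC behaviour the reply proposes for 3.5.
CASES = [
    ("s_tls  (IPv4, default)",          "0.0.0.0", 6514, 4),
    ("s_tls6 (IPv6, default ip-proto)", "::",      6515, 4),
    ("s_tls6 + ip-protocol(6)",         "::",      6515, 6),
    ("s_tls6 + AF_UNSPEC/auto",         "::",      6515, None),
    ("s_tls  + AF_UNSPEC/auto",         "0.0.0.0", 6514, None),
]


def main():
    for label, host, port, ip_protocol in CASES:
        result = resolve_listen_address(host, port, ip_protocol)
        verdict = "rejected" if result is None else "%s %s" % result
        print("%-32s ip(%s) port(%d) -> %s" % (label, host, port, verdict))


if __name__ == "__main__":
    main()
```

The second case is the s_tls6 source as posted: the literal `::` is perfectly valid, but with the family pinned to AF_INET the resolver refuses it, which is what the parser complaint on 3.3/3.4 amounts to. The third case is the 3.5 fix named in the reply, ip-protocol(6) inside syslog(); the last two show that an AF_UNSPEC default would accept both listeners without any per-source setting.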
The AF_UNSPEC idea is good, that would basically mean ip-protocol(auto).

What about backporting ip-protocol to 3.4? That shouldn't be a big deal, and it's more of an omission than intended behavior.

On Jul 4, 2013 1:07 PM, "Gergely Nagy" <algernon@balabit.hu> wrote:

> Jeff Lange <jlange6648@gmail.com> writes:
>
>> I'm attempting to set up a TCP IPv6 source declaration that uses TLS, but syslog-ng is not happy with the configuration file.
>
> Long story short: syslog-ng 3.3 and 3.4 do not support syslog() over IPv6, 3.5 does, see below.
>
>> The following is what I use for IPv4 and it works fine:
>>
>>     source s_tls {
>>         syslog(
>>             ip(0.0.0.0) port(6514)
>>             transport("tls")
>>             tls(
>>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>>                 ca_dir("/srv/syslog-ng/certs")
>>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>>             )
>>         );
>>     };
>>
>> However, the following is not valid:
>>
>>     source s_tls6 {
>>         syslog(
>>             ip("::") port(6515)
>>             transport("tls")
>>             tls(
>>                 key_file("/srv/syslog-ng/certs/priv-key.pem")
>>                 cert_file("/srv/syslog-ng/certs/id-cert.pem")
>>                 ca_dir("/srv/syslog-ng/certs")
>>                 cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>>             )
>>         );
>>     };
>>
>> I've tried the ip with and without quotes with no luck. What am I doing wrong?
>
> Unfortunately, syslog-ng defaults to IPv4, and even if you give it an IPv6 address, it will still try to handle it as if it was IPv4, unless you tell it not to.
>
> In syslog-ng 3.5, this is possible by adding ip-protocol(6) inside the syslog() statement. In versions prior to 3.5, it is not doable yet. But I'm considering teaching the host resolving code not to default to IPv4 (by using AF_UNSPEC, unless specified otherwise via ip-protocol or something similar).
>
> The problem is, all the current sources and destinations make a distinction between IPv4 and IPv6: tcp(), udp() and syslog() all enforce IPv4, while tcp6() and udp6() enforce IPv6... and there is no syslog6().
>
> I do not want to change this in either 3.3 or 3.4, that would be too invasive, but for 3.5, I'd love to make the udp(), tcp() and syslog() statements IP protocol agnostic. That way, your config would just work out of the box, but would still allow one to limit to either IPv4 or IPv6 by specifying ip-protocol(N).
>
> -- 
> |8]