Logstash input TCP with TLS and handshake

Hello there!

I am trying to set up the Logstash TCP input plugin with TLS enabled to receive logs from rsyslog using rsyslog-gnutls, and I encountered a problem related to the SSL handshake.

I tried with gnutls and openssl with the same result...

Can anyone help me with the troubleshooting?

The CA certificate is part of the trust store, by putting it in /etc/pki/ca-trust/source/anchors/ and executing update-ca-trust.

OS is CentOS 7.3.1611.

[root@siemlr01 ~]# yum info logstash
Installed Packages
Name        : logstash
Arch        : noarch
Epoch       : 1
Version     : 5.1.1
Release     : 1
Size        : 166 M
Repo        : installed
From repo   : elastic-5.x
Summary     : An extensible logging pipeline
URL         : http://www.elasticsearch.org/overview/logstash/
License     : ASL 2.0
Description : An extensible logging pipeline

Plugin version: logstash-input-tcp-4.1.0

Logstash input tcp configuration (tested with and without adding CA pem as ssl_extra_chain_certs; and with full chain or just the cert as ssl_cert -- same final result):

[root@siemlr01 ~]# cat /etc/logstash/conf.d/input-tcp.conf
input {
        tcp {
                port => 1443
                mode => "server"
                ssl_enable => true
                #ssl_cert => "/etc/tls/chain.pem"
                ssl_cert => "/etc/tls/XX.pem"
                ssl_extra_chain_certs => "/etc/tls/XXCA.pem"
                ssl_key => "/etc/tls/XX.key"
                ssl_key_passphrase => "XX"
                ssl_verify => true
                add_field => {
                        "type" => "ssl"
                        "logsourcetype" => "linux"
                }
        }
}
[root@siemlr01 ~]#

gnutls test: http://pastebin.com/raw/kWNRTSr6

OpenSSL test:

[root@siemlr01 ~]# openssl s_client -connect XX:1443 -tls1_2
CONNECTED(00000003)
depth=1 C = XX, ST = XX, O = XX, CN = XXCA, emailAddress = XX@XX
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX, emailAddress = XX@XX
verify return:1
140365432276896:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
Certificate chain
 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX/emailAddress=XX@XX
   i:/C=XX/ST=XX/O=XX/CN=XXCA/emailAddress=XX@XX
 1 s:/C=XX/ST=XX/O=XX/CN=XXCA/emailAddress=XX@XX
   i:/C=XX/ST=XX/O=XX/CN=XXCA/emailAddress=XX@XX
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=XXS/ST=XX/L=XX/O=XX/CNXX/emailAddress=XX@XX
issuer=/C=XX/ST=XX/O=XX/CN=XXCA/emailAddress=XX@XX
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2444 bytes and written 230 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1482917415
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
[root@siemlr01 ~]#

It seems to be this part:

Logstash wants to receive a client certificate to allow the connection, but we have none because we just want to encrypt the connection without authentication.

Setting ssl_verify to false has fixed my problem.

Thanks!

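A triage helper for the situation in this thread, as an added example that is not part of the original posts: it reads an `openssl s_client` transcript and separates "server certificate not trusted" from "server chain verified but the handshake still failed", the pattern seen above when the server has `ssl_verify => true` and the client presents no certificate. The function name, the verdict strings and the shortened sample transcript are assumptions made for illustration, and the verdicts are heuristics, not proof of the cause.

```python
import re

# Constructed sample: the relevant lines of the s_client output shown in the post.
SAMPLE = """\
CONNECTED(00000003)
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX, emailAddress = XX@XX
verify return:1
140365432276896:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
Server certificate
---
No client certificate CA names sent
---
SSL handshake has read 2444 bytes and written 230 bytes
    Verify return code: 0 (ok)
"""


def triage(transcript, client_cert_sent=False):
    """Classify an `openssl s_client` transcript (hypothetical helper).

    client_cert_sent: True if s_client was run with -cert/-key.
    Returns one of the illustrative verdict strings below.
    """
    m = re.search(r"Verify return code:\s*(\d+)", transcript)
    verify_code = int(m.group(1)) if m else None
    failed = re.search(r"handshake failure", transcript, re.I) is not None
    # s_client prints this section only after the server sent its certificate.
    server_cert_seen = "Server certificate" in transcript

    # The client could not validate the server chain: fix the trust store first.
    if verify_code not in (None, 0):
        return "server-cert-untrusted"
    if not failed:
        return "ok"
    # Failure before any server certificate arrived points at protocol
    # version or cipher negotiation, not at certificates.
    if not server_cert_seen:
        return "protocol-or-cipher-mismatch"
    # Server chain verified, handshake still failed afterwards: the server
    # most likely wants a client certificate (Logstash ssl_verify => true).
    if client_cert_sent:
        return "client-cert-rejected"
    return "client-cert-probably-required"


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "client-cert-probably-required" verdict leaves two choices on the Logstash side: keep `ssl_verify => true` and issue certificates to the senders, or set it to `false` for encryption without client authentication, as the poster did.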