Monday, October 09, 2023

Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging

Hi

On 09/10/2023 19:59, Peter N. M. Hansteen wrote:
> You are aware that OpenBSD 7.4 has not been released yet, right?
Of course.
>
> On Mon, Oct 09, 2023 at 06:42:02PM +0200, Noth wrote:
>>   This wasn't covered in http://www.openbsd.org/plus74.html . I have a setup
>> where various OpenBSD instances log via TLS to a central logger, using self
>> signed certificates I generated locally (10 year validity). Both the server
>> and the clients verify each other using the -c & -s options for syslogd on
>> the clients and -K for the server.
>>
>>   I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3
>> routers are still able to connect via TLS but the 7.4 VMs can't as they
>> don't like the self signed certs. It'd be nice if this was in the
>> upgrade74.html with some explanation of why this changed.
> Actually, if you built from source from a recent -current (HEAD) checkout,
> what you got was just that: something that is close to what will be 7.4-release,
> (a matter of weeks if not days), but not actually 7.4-release or -stable.
I downloaded 7.4 from CVS last Wednesday and built it. I don't use
-current. I am aware it's not officially released yet but it's close to
being.
>>   Is my path to getting all this working again the way it was to use Let's
>> Encrypt certificates?
> It's hard to tell the exact cause of your problem since you do not provide crucial
> data such as any error messages that would appear in a log somewhere.
>
> We also do not know much about your configuration or what requirements the setup
> is supposed to fill. But sure, in quite a number of situations auto-renewing
> Let's Encrypt certificates would be a serviceable solution.
>
> - Peter

client side /etc/rc.conf.local snippet:

syslogd_flags="-c /etc/ssl/buildhost.domain.local.crt -k /etc/ssl/private/buildhost.domain.local.key"

client side /etc/syslog.conf snippet:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	@tls://loghost.domain.local
auth,daemon,syslog,user.info;authpriv,kern.debug @tls://loghost.domain.local

Error message for client is: Oct  9 21:30:50 buildhost syslogd[42102]:
loghost "@tls://loghost.domain.local" connection error: certificate
verification failed: self signed certificate in certificate chain

server side rc.conf.local snippet:

syslogd_flags="-u -T 192.168.50.30:514 -S loghost.domain.local -S 192.168.0.30 -K /etc/ssl/ca.crt"


Error server side is: Oct  9 21:31:20 loghost syslogd[39364]: tls logger
"192.168.0.14:43535" connection error: handshake failed:
error:14039418:SSL routines:ACCEPT_SR_CERT_VRFY:tlsv1 alert unknown ca

I hope this illustrates it a bit better.

Cheers,

Noth
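Added example (not from the post, and not OpenBSD's or syslogd's own code): a small sh script that builds a throwaway private CA, issues a CA-signed certificate to each of the two hostnames above, and also makes a plain self-signed certificate for the loghost. It then runs the chain check a verifying TLS peer performs, with the trust file playing the role the -K option gives it on the server (and the -C option on the client, whose default is the system CA bundle). The two hostnames are taken from the post; the CA name, file names, lifetimes, key sizes and the helper function names are assumptions. Needs openssl(1) (OpenSSL 1.1.1 or later, or LibreSSL).

```shell
#!/bin/sh
# Added example, not from the post. Builds a throwaway private CA, issues a
# CA-signed certificate to each host named in the post, plus one plain
# self-signed certificate for the loghost, then runs the chain check that a
# verifying TLS peer performs against a given trust file.
# Hostnames come from the post; CA name, paths, lifetimes and key sizes are
# assumptions. Requires openssl(1) (OpenSSL 1.1.1+ or LibreSSL).
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "skip: openssl(1) not found" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA certificate is self-signed by design: it is the one self-signed
# object in the setup, and each peer is told to trust it explicitly.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=domain.local syslog CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# make_leaf NAME: key + CSR for NAME, signed by the CA, with NAME as SAN so
# a hostname check against "@tls://NAME" can succeed. Written to NAME.crt.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# make_selfsigned NAME: a certificate that signs itself, i.e. not issued by
# the CA above. Written to NAME.self.crt.
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.self.key" -out "$WORK/$1.self.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.self.ext"
    openssl x509 -req -in "$WORK/$1.self.csr" -signkey "$WORK/$1.self.key" \
        -days 3650 -extfile "$WORK/$1.self.ext" -out "$WORK/$1.self.crt" 2>/dev/null
}

# verify_chain TRUSTFILE CERT [HOSTNAME]: the check a peer does on the
# certificate it receives. Succeeds only if CERT chains to a certificate in
# TRUSTFILE and, when HOSTNAME is given, CERT is valid for that name.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

report() {  # report LABEL TRUSTFILE CERT [HOSTNAME]
    label=$1; shift
    if verify_chain "$@"; then echo "ok   $label"; else echo "FAIL $label"; fi
}

make_ca
make_leaf loghost.domain.local
make_leaf buildhost.domain.local
make_selfsigned loghost.domain.local

report "CA-issued server cert, trust file = ca.crt, name checked" \
    "$WORK/ca.crt" "$WORK/loghost.domain.local.crt" loghost.domain.local
report "CA-issued client cert, trust file = ca.crt (what -K checks)" \
    "$WORK/ca.crt" "$WORK/buildhost.domain.local.crt"
report "CA-issued server cert presented under the wrong name" \
    "$WORK/ca.crt" "$WORK/loghost.domain.local.crt" buildhost.domain.local
report "self-signed server cert, trust file = ca.crt" \
    "$WORK/ca.crt" "$WORK/loghost.domain.local.self.crt"
report "self-signed server cert, trust file = that same cert (pinning)" \
    "$WORK/loghost.domain.local.self.crt" "$WORK/loghost.domain.local.self.crt" \
    loghost.domain.local

# The library's own wording for the failing case, the same family of X509
# verification errors syslogd relays after "certificate verification failed:".
openssl verify -CAfile "$WORK/ca.crt" "$WORK/loghost.domain.local.self.crt" 2>&1 || true
```

The pinning case at the end is the one arrangement in which a self-signed certificate passes: the verifier's trust file contains that exact certificate. Checked against a trust file that holds only a CA, a self-signed certificate fails with one of the "self-signed certificate" X509 errors, whatever its validity period.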
