Posted to users@nifi.apache.org by bp123 <br...@gmail.com> on 2018/06/26 19:53:32 UTC

Rsyslog v8.24 to Nifi 1.6.0 with TLS

Hello, I am trying to send syslog events from centos 7 running rsyslog 8.24 to
NiFi ListenSyslog processor. I have created the required certs and placed
them in rsyslog and NiFi keystore. My issue is that the TLS connection is
not working. Here is my rsyslog configuration:

#TLS setup
$DefaultNetstreamDriver gtls # use gtls netstream driver
$DefaultNetstreamDriverCAFile /root/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /root/rsyslog/deleteme-rsyslog-client-cert.pem
$DefaultNetstreamDriverKeyFile /root/rsyslog/deleteme-rsyslog-client-key.pem
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@192.168.0.126:6514;RSYSLOG_SyslogProtocol23Format

I have a JKS with the CA cert and the server public/private keys that is
loaded into NiFi. The error I am seeing on the rsyslog side is:

Jun 26 13:21:30 hostname rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:1755: The TLS connection was non-properly terminated.  [v8.24.0 try http://www.rsyslog.com/e/2078 ]

The error on the NiFi side is:

2018-06-26 11:32:47,139 ERROR [pool-46-thread-2] o.a.n.r.io.socket.ssl.SSLSocketChannel org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@342539b8 Failed to connect due to {}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:210)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:163)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
        at org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1115)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:807)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:228)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performTasks(SSLSocketChannel.java:273)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:259)
        ... 7 common frames omitted
2018-06-26 11:32:47,140 ERROR [pool-46-thread-2] o.a.n.processors.standard.ListenSyslog ListenSyslog[id=01641000-173f-1aa4-f5da-bff8f278184d] Error reading from channel due to Inbound closed before receiving peer's close_notify: possible truncation attack?: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
        at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:177)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
        at org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

I recognize that NiFi is saying that there are no cipher suites in common, but I
have not found a way to adjust cipher suites in rsyslog. I was able to set up HA
proxy SSL termination with the same certificates and the traffic worked just
fine. I wanted to use the StandardSSLContextService 1.6.0 instead of the
StandardRestrictedSSLContextService 1.6.0. Any thoughts?



--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/

Re: Rsyslog v8.24 to Nifi 1.6.0 with TLS

Posted by bp123 <br...@gmail.com>.
Thanks Andy, my end resolution was to use HAProxy to terminate the SSL
connection. Thanks!



--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/

Re: Rsyslog v8.24 to Nifi 1.6.0 with TLS

Posted by Andy LoPresto <al...@apache.org>.
Hi Brad,

I am not sure what protocols rsyslog 8.24 has available (from a brief examination, it appears syslog uses gtls (GnuTLS) [1][2] for the underlying SSL/TLS library). Apache NiFi 1.2.0 and above cannot accept incoming TLS connections (“listen for”) protocols below TLS v1.2. The version of Jetty which hosts the internal web server excludes these previous protocol versions by default, which is why the StandardRestrictedSSLContextService was introduced.

You should do a little more investigation to determine what TLS protocol versions are supported by your combination of rsyslog and GnuTLS. You may need to upgrade the versions in order to be able to communicate with NiFi directly.

If you cannot change the rsyslog setup, you may be able to introduce a proxy server between that source and NiFi which performs TLS termination and re-establishes a TLS connection using TLS v1.2. You could also manually override the Jetty configuration using custom cipher suites, but we do not provide instructions on doing that, as it would weaken the security stance of NiFi.

Hope this helps.

[1] http://www.l3jane.net/doc/rsyslog/tutorials/tls.html
[2] https://www.rsyslog.com/doc/master/tutorials/tls_cert_errmsgs.html


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 26, 2018, at 1:01 PM, bp123 <br...@gmail.com> wrote:
> 
> Sorry for the formatting errors.
> 
> Hello,I am trying to send syslog events from centos 7 running rsyslog 8.24
> to NiFi ListenSyslog processor. I have created the required certs and placed
> them in rsyslog and NiFi keystore. My issue is that the TLS connection is
> not working. Here is my rsyslog configuration:
> 
> #TLS setup
> $DefaultNetstreamDriver gtls # use gtls netstream driver
> $DefaultNetstreamDriverCAFile /root/rsyslog/ca.pem
> $DefaultNetstreamDriverCertFile
> /root/rsyslog/deleteme-rsyslog-client-cert.pem
> $DefaultNetstreamDriverKeyFile /root/rsyslog/deleteme-rsyslog-client-key.pem
> $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
> $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> 
> $ActionQueueFileName fwdRule1 # unique name prefix for spool files
> $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
> $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> $ActionQueueType LinkedList   # run asynchronously
> $ActionResumeRetryCount -1    # infinite retries if host is down
> *.* @@192.168.0.126:6514;RSYSLOG_SyslogProtocol23Format
> 
> I have a JKS with the CA cert and the server public/private keys that is
> loaded into NiFi. The error I am seeing on the rsyslog side is:
> 
> Jun 26 13:22:01 fluentd rsyslogd: unexpected GnuTLS error -110 in
> nsd_gtls.c:1755: The TLS connection was non-properly terminated.  [v8.24.0
> try http://www.rsyslog.com/e/2078 ]
> 
> The error on the NiFi side is:
> 
> 2018-06-26 11:32:47,139 ERROR [pool-46-thread-2]
> o.a.n.r.io.socket.ssl.SSLSocketChannel
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@342539b8 Failed to
> connect due to {}
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
>        at
> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>        at
> sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:210)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:163)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
>        at
> org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
>        at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>        at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
>        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
>        at
> sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1115)
>        at
> sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:807)
>        at
> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:228)
>        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>        at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
>        at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at
> sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performTasks(SSLSocketChannel.java:273)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:259)
>        ... 7 common frames omitted
> 2018-06-26 11:32:47,140 ERROR [pool-46-thread-2]
> o.a.n.processors.standard.ListenSyslog
> ListenSyslog[id=01641000-173f-1aa4-f5da-bff8f278184d] Error reading from
> channel due to Inbound closed before receiving peer's close_notify: possible
> truncation attack?: javax.net.ssl.SSLException: Inbound closed before
> receiving peer's close_notify: possible truncation attack?
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>        at
> sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:177)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
>        at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
>        at
> org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
>        at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>        at java.lang.Thread.run(Thread.java:748)
> 
> 
> I recognize that NiFi is saying that no cipher suites in common, but I have
> not found a way to adjust cipher suites in rsyslog. I was able to setup HA
> proxy SSL termination with the same certificates and the traffic worked just
> fine. I wanted to use the StandardSSLContextService 1.6.0 instead of the
> StandardRestrictedSSLContextService 1.6.0 Any thoughts?
> 
> 
> 
> 
> 
> --
> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
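As an added example (not code from the thread's authors or from Apache NiFi), the following Python script triages the two log excerpts quoted above the way a defender would: it groups the multi-line NiFi records, keeps the "Caused by:" chain and the root cause's stack frames, parses the rsyslog GnuTLS line, and labels the "no cipher suites in common" record as the primary fault and the close_notify error as its side effect, per Andy's explanation that NiFi 1.2+ listeners accept TLS 1.2 and up only. The sample log text is reconstructed from the thread with mail wrapping undone and most frames trimmed; the signature table, the advice strings and the stage-inference heuristic are assumptions of this example.

```python
"""Triage TLS handshake failures between rsyslog (GnuTLS) and NiFi ListenSyslog.
Added example, not code from the thread or from Apache NiFi."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the thread's two NiFi records, mail wrapping undone, frames trimmed.
NIFI_LOG = """\
2018-06-26 11:32:47,139 ERROR [pool-46-thread-2] o.a.n.r.io.socket.ssl.SSLSocketChannel org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@342539b8 Failed to connect due to {}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
        at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:210)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1115)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:807)
        ... 7 common frames omitted
2018-06-26 11:32:47,140 ERROR [pool-46-thread-2] o.a.n.processors.standard.ListenSyslog ListenSyslog[id=01641000-173f-1aa4-f5da-bff8f278184d] Error reading from channel due to Inbound closed before receiving peer's close_notify: possible truncation attack?: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
"""
# Constructed sample: the client-side line from the thread.
RSYSLOG_LOG = ("Jun 26 13:21:30 hostname rsyslogd: unexpected GnuTLS error -110 in "
               "nsd_gtls.c:1755: The TLS connection was non-properly terminated.  "
               "[v8.24.0 try http://www.rsyslog.com/e/2078 ]")

RECORD_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
                       r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
EXC_RE = re.compile(r"^(?:Caused by: )?(?P<cls>[\w.$]+(?:Exception|Error)): (?P<msg>.*)$")
FRAME_RE = re.compile(r"^at (?P<frame>.+)$")
GNUTLS_RE = re.compile(r"rsyslogd: unexpected GnuTLS error (?P<code>-?\d+) in (?P<where>\S+): "
                       r"(?P<msg>.*?)\s+\[v(?P<ver>[\d.]+)")

# Signature -> (code, what to check next). Advice is this example's own, grounded in the
# thread: NiFi 1.2+ listeners accept TLS 1.2 and up only.
SIGNATURES: List[Tuple[str, str, str]] = [
    ("no cipher suites in common", "CIPHER_OR_PROTOCOL_MISMATCH",
     "Listener found nothing acceptable in the ClientHello; verify the client's highest "
     "TLS version and cipher list (NiFi 1.2+ requires TLS 1.2 or later)."),
    ("Inbound closed before receiving peer's close_notify", "ABRUPT_CLOSE",
     "Peer dropped the socket without close_notify; logged right after a failed handshake "
     "this is a symptom of it, not a separate fault."),
]

@dataclass
class NifiRecord:
    timestamp: str
    level: str
    thread: str
    logger: str
    message: str
    exceptions: List[str] = field(default_factory=list)   # outermost first
    root_frames: List[str] = field(default_factory=list)  # frames of the deepest 'Caused by'

    @property
    def root_cause(self) -> Optional[str]:
        return self.exceptions[-1] if self.exceptions else None

    def handshake_stage(self) -> str:
        """Heuristic: infer from root-cause frames where the TLS state machine failed."""
        joined = " ".join(self.root_frames)
        if "chooseCipherSuite" in joined or "clientHello" in joined:
            return "server-side ClientHello processing (cipher suite / protocol selection)"
        if "closeInbound" in joined:
            return "connection close"
        return "unknown"

def parse_nifi_log(text: str) -> List[NifiRecord]:
    """Group lines into records; a record starts at a timestamped line."""
    records: List[NifiRecord] = []
    current: Optional[NifiRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            current = NifiRecord(m["ts"], m["level"], m["thread"], m["logger"], m["msg"])
            records.append(current)
            continue
        if current is None or not line:
            continue
        e = EXC_RE.match(line)
        if e:
            current.exceptions.append(f"{e['cls']}: {e['msg']}")
            current.root_frames = []  # frames from here on belong to this deeper cause
            continue
        f = FRAME_RE.match(line)
        if f:
            current.root_frames.append(f["frame"])
    return records

def classify(record: NifiRecord) -> Tuple[str, str]:
    haystack = " ".join([record.message] + record.exceptions)
    for needle, code, advice in SIGNATURES:
        if needle in haystack:
            return code, advice
    return "UNKNOWN", "No known signature; read the full trace."

def parse_rsyslog_line(line: str) -> Optional[dict]:
    m = GNUTLS_RE.search(line)
    if not m:
        return None
    return {"code": int(m["code"]), "where": m["where"], "message": m["msg"], "version": m["ver"]}

def triage(nifi_text: str, rsyslog_line: str) -> dict:
    """Correlate both sides; the primary verdict is the first record that is not ABRUPT_CLOSE."""
    verdicts = [(r.timestamp, *classify(r), r.handshake_stage()) for r in parse_nifi_log(nifi_text)]
    primary = next((v for v in verdicts if v[1] != "ABRUPT_CLOSE"), verdicts[0] if verdicts else None)
    return {"primary": primary, "all": verdicts, "client": parse_rsyslog_line(rsyslog_line)}

if __name__ == "__main__":
    for key, value in triage(NIFI_LOG, RSYSLOG_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real nifi-app.log excerpt by replacing NIFI_LOG; the point of keeping the close_notify record subordinate is that, on its own, it would send you chasing a "truncation attack" that is really just the client tearing down a handshake the server already refused.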

Re: Rsyslog v8.24 to Nifi 1.6.0 with TLS

Posted by bp123 <br...@gmail.com>.
Sorry for the formatting errors.

Hello, I am trying to send syslog events from centos 7 running rsyslog 8.24
to NiFi ListenSyslog processor. I have created the required certs and placed
them in rsyslog and NiFi keystore. My issue is that the TLS connection is
not working. Here is my rsyslog configuration:

#TLS setup
$DefaultNetstreamDriver gtls # use gtls netstream driver
$DefaultNetstreamDriverCAFile /root/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile
/root/rsyslog/deleteme-rsyslog-client-cert.pem
$DefaultNetstreamDriverKeyFile /root/rsyslog/deleteme-rsyslog-client-key.pem
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@192.168.0.126:6514;RSYSLOG_SyslogProtocol23Format

I have a JKS with the CA cert and the server public/private keys that is
loaded into NiFi. The error I am seeing on the rsyslog side is:

Jun 26 13:22:01 fluentd rsyslogd: unexpected GnuTLS error -110 in
nsd_gtls.c:1755: The TLS connection was non-properly terminated.  [v8.24.0
try http://www.rsyslog.com/e/2078 ]

The error on the NiFi side is:

2018-06-26 11:32:47,139 ERROR [pool-46-thread-2]
o.a.n.r.io.socket.ssl.SSLSocketChannel
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@342539b8 Failed to
connect due to {}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
        at
sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at
sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:210)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:163)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
        at
org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at
sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1115)
        at
sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:807)
        at
sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:228)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
        at java.security.AccessController.doPrivileged(Native Method)
        at
sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performTasks(SSLSocketChannel.java:273)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:259)
        ... 7 common frames omitted
2018-06-26 11:32:47,140 ERROR [pool-46-thread-2]
o.a.n.processors.standard.ListenSyslog
ListenSyslog[id=01641000-173f-1aa4-f5da-bff8f278184d] Error reading from
channel due to Inbound closed before receiving peer's close_notify: possible
truncation attack?: javax.net.ssl.SSLException: Inbound closed before
receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
        at
sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:177)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:552)
        at
org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:545)
        at
org.apache.nifi.processor.util.listen.handler.socket.SSLSocketChannelHandler.run(SSLSocketChannelHandler.java:76)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)


I recognize that NiFi is saying that there are no cipher suites in common, but I
have not found a way to adjust cipher suites in rsyslog. I was able to set up HA
proxy SSL termination with the same certificates and the traffic worked just
fine. I wanted to use the StandardSSLContextService 1.6.0 instead of the
StandardRestrictedSSLContextService 1.6.0. Any thoughts?





--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/