diff --git a/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch b/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch new file mode 100644 index 0000000..886e174 --- /dev/null +++ b/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch @@ -0,0 +1,23 @@ +--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html 2021-02-15 12:53:30.000000000 +0100 ++++ rsyslog-8.2102.0/doc/configuration/global/index.html 2022-09-07 13:32:10.426621438 +0200 +@@ -119,6 +119,13 @@ + network stream driver to use. + Defaults to ptcp.

+ ++
  • $NetstreamDriverCAExtraFiles </path/to/extracafile.pem> - ++This directive allows to configure multiple additional extra CA files. ++This is intended for SSL certificate chains to work appropriately, ++as the different CA files in the chain need to be specified. ++It must be remarked that this directive only works with the OpenSSL driver. ++

    ++
  • +
  • $DefaultNetstreamDriverCAFile </path/to/cafile.pem>

    +
  • +
  • $DefaultNetstreamDriverCertFile </path/to/certfile.pem>

    +@@ -311,4 +318,4 @@ + + +- +\ No newline at end of file ++ diff --git a/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch b/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch new file mode 100644 index 0000000..2308b7f --- /dev/null +++ b/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch @@ -0,0 +1,134 @@ +--- rsyslog-8.2102.0.ori/runtime/glbl.h 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.h 2022-09-07 13:32:51.623799582 +0200 +@@ -72,6 +72,7 @@ + SIMP_PROP(DfltNetstrmDrvrCAF, uchar*) + SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*) + SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*) ++ SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*) + SIMP_PROP(ParserControlCharacterEscapePrefix, uchar) + SIMP_PROP(ParserDropTrailingLFOnReception, int) + SIMP_PROP(ParserEscapeControlCharactersOnReceive, int) +--- rsyslog-8.2102.0.ori/runtime/glbl.c 2022-09-07 13:17:02.669696053 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.c 2022-09-07 13:56:37.678966129 +0200 +@@ -122,6 +122,7 @@ + static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */ + static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */ + static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */ ++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */ + int bTerminateInputs = 0; /* global switch that inputs shall terminate ASAP (1=> terminate) */ + static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */ + static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */ +@@ -176,6 +177,7 @@ + { "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 }, + { "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 }, + { "defaultnetstreamdriver", eCmdHdlrString, 0 }, ++ { "netstreamdrivercaextrafiles", eCmdHdlrString, 0 }, + { "maxmessagesize", eCmdHdlrSize, 0 }, + { "oversizemsg.errorfile", eCmdHdlrGetWord, 0 }, + { "oversizemsg.report", eCmdHdlrBinary, 0 }, +@@ -307,6 +309,8 @@ + /* TODO: use custom function which frees existing value */ + SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*) + /* TODO: use custom function which frees existing value */ ++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*) ++/* TODO: use custom function which frees existing value */ + + #undef SIMP_PROP + #undef SIMP_PROP_SET +@@ -838,6 +842,12 @@ + return(pszDfltNetstrmDrvrCAF); + } + ++/* return the extra CA Files, if needed */ ++static uchar* ++GetNetstrmDrvrCAExtraFiles(void) ++{ ++ return(pszNetstrmDrvrCAExtraFiles); ++} + + /* return the current default netstream driver key File */ + static uchar* +@@ -925,6 +935,7 @@ + SIMP_PROP(DfltNetstrmDrvrCAF) + SIMP_PROP(DfltNetstrmDrvrKeyFile) + SIMP_PROP(DfltNetstrmDrvrCertFile) ++ SIMP_PROP(NetstrmDrvrCAExtraFiles) + #ifdef USE_UNLIMITED_SELECT + SIMP_PROP(FdSetSize) + #endif +@@ -941,6 +952,8 @@ + pszDfltNetstrmDrvr = NULL; + free(pszDfltNetstrmDrvrCAF); + pszDfltNetstrmDrvrCAF = NULL; ++ free(pszNetstrmDrvrCAExtraFiles); ++ pszNetstrmDrvrCAExtraFiles = NULL; + free(pszDfltNetstrmDrvrKeyFile); + pszDfltNetstrmDrvrKeyFile = NULL; + free(pszDfltNetstrmDrvrCertFile); +@@ -1350,6 +1363,9 @@ + free(pszDfltNetstrmDrvr); + pszDfltNetstrmDrvr = (uchar*) + es_str2cstr(cnfparamvals[i].val.d.estr, NULL); ++ } else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) { ++ free(pszNetstrmDrvrCAExtraFiles); ++ pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL); + } else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) { + bPreserveFQDN = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, +@@ -1546,6 +1562,8 @@ + &pszDfltNetstrmDrvrKeyFile, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL, + &pszDfltNetstrmDrvrCertFile, NULL)); ++ CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL, ++ &pszNetstrmDrvrCAExtraFiles, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL)); +--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c 2022-09-07 13:17:02.705696208 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-09-07 14:09:18.697256943 +0200 +@@ -88,6 +88,7 @@ + static short bHaveCA; + static short bHaveCert; + static short bHaveKey; ++static short bHaveExtraCAFiles; + static int bAnonInit; + static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER; + +@@ -414,7 +415,8 @@ + { + DEFiRet; + DBGPRINTF("openssl: entering osslGlblInit\n"); +- const char *caFile, *certFile, *keyFile; ++ const char *caFile, *certFile, *keyFile, *extraCaFile; ++ char *extraCaFiles; + + /* Setup OpenSSL library */ + if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) { +@@ -451,9 +453,27 @@ + } else { + bHaveKey = 1; + } ++ extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles(); ++ if(extraCaFiles == NULL) { ++ bHaveExtraCAFiles = 0; ++ } else { ++ bHaveExtraCAFiles = 1; ++ } + + /* Create main CTX Object */ + ctx = SSL_CTX_new(SSLv23_method()); ++ if(bHaveExtraCAFiles == 1) { ++ while((extraCaFile = strsep(&extraCaFiles, ","))) { ++ if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) { ++ LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. " ++ "Check at least: 1) file path is correct, 2) file exist, " ++ "3) permissions are correct, 4) file content is correct. " ++ "Open ssl error info may follow in next messages"); ++ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit"); ++ ABORT_FINALIZE(RS_RET_TLS_CERT_ERR); ++ } ++ } ++ } + if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) { + LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. " + "Check at least: 1) file path is correct, 2) file exist, " diff --git a/rsyslog.spec b/rsyslog.spec index 7a10898..04997b5 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -6,7 +6,7 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog Version: 8.2102.0 -Release: 10%{?dist} +Release: 11%{?dist} License: (GPLv3+ and ASL 2.0) Group: System Environment/Daemons ExcludeArch: i686 @@ -64,6 +64,8 @@ Patch12: rsyslog-8.2102.0-nsd_ossl-memory-leak.patch Patch13: rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch Patch14: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch Patch15: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch +Patch16: rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch +Patch17: rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch %package crypto Summary: Encryption support @@ -304,6 +306,8 @@ mv build doc %patch13 -p1 -b .ossl-ciphers-behaviour %patch14 -p1 -b .CVE-24903 %patch15 -p1 -b .gnutls-error-handling +%patch16 -p1 -b .extra-ca-files +%patch17 -p1 -b .extra-ca-files-doc %build %ifarch sparc64 @@ -548,6 +552,10 @@ done %{_libdir}/rsyslog/omudpspoof.so %changelog +* Tue Sep 06 2022 Sergio Arroutbi - 8.2102.0-11 +- Enable multiple SSL CA files + resolves: rhbz#2124934 + * Wed Apr 13 2022 Attila Lakatos - 8.2102.0-10 - openssl: Correct gnutlsPriorityString (custom ciphers) behaviour - Fix error handling in gtlsRecordRecv that can cause 100 percent CPU usage