27 changed files with 2654 additions and 2418 deletions
--- a/SOURCES/openssl3-compatibility.patch
+++ b/SOURCES/openssl3-compatibility.patch
@ -1,83 +0,0 @@
-diff -up ./qpid-proton-0.34.0/c/src/ssl/openssl.c.orig ./qpid-proton-0.34.0/c/src/ssl/openssl.c
--- ./qpid-proton-0.34.0/c/src/ssl/openssl.c.orig	2021-06-01 09:29:27.976842727 +0200
-+++ ./qpid-proton-0.34.0/c/src/ssl/openssl.c	2021-06-01 09:31:05.232015887 +0200
-@@ -353,65 +353,6 @@ static int verify_callback(int preverify
-   return preverify_ok;
- }
- 
-// This was introduced in v1.1
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
-  dh->p = p;
-  dh->q = q;
-  dh->g = g;
-  return 1;
-}
-#endif
-
-// this code was generated using the command:
-// "openssl dhparam -C -2 2048"
-static DH *get_dh2048(void)
-{
-  static const unsigned char dhp_2048[]={
-    0xAE,0xF7,0xE9,0x66,0x26,0x7A,0xAC,0x0A,0x6F,0x1E,0xCD,0x81,
-    0xBD,0x0A,0x10,0x7E,0xFA,0x2C,0xF5,0x2D,0x98,0xD4,0xE7,0xD9,
-    0xE4,0x04,0x8B,0x06,0x85,0xF2,0x0B,0xA3,0x90,0x15,0x56,0x0C,
-    0x8B,0xBE,0xF8,0x48,0xBB,0x29,0x63,0x75,0x12,0x48,0x9D,0x7E,
-    0x7C,0x24,0xB4,0x3A,0x38,0x7E,0x97,0x3C,0x77,0x95,0xB0,0xA2,
-    0x72,0xB6,0xE9,0xD8,0xB8,0xFA,0x09,0x1B,0xDC,0xB3,0x80,0x6E,
-    0x32,0x0A,0xDA,0xBB,0xE8,0x43,0x88,0x5B,0xAB,0xC3,0xB2,0x44,
-    0xE1,0x95,0x85,0x0A,0x0D,0x13,0xE2,0x02,0x1E,0x96,0x44,0xCF,
-    0xA0,0xD8,0x46,0x32,0x68,0x63,0x7F,0x68,0xB3,0x37,0x52,0xCE,
-    0x3A,0x4E,0x48,0x08,0x7F,0xD5,0x53,0x00,0x59,0xA8,0x2C,0xCB,
-    0x51,0x64,0x3D,0x5F,0xEF,0x0E,0x5F,0xE6,0xAF,0xD9,0x1E,0xA2,
-    0x35,0x64,0x37,0xD7,0x4C,0xC9,0x24,0xFD,0x2F,0x75,0xBB,0x3A,
-    0x15,0x82,0x76,0x4D,0xC2,0x8B,0x1E,0xB9,0x4B,0xA1,0x33,0xCF,
-    0xAA,0x3B,0x7C,0xC2,0x50,0x60,0x6F,0x45,0x69,0xD3,0x6B,0x88,
-    0x34,0x9B,0xE4,0xF8,0xC6,0xC7,0x5F,0x10,0xA1,0xBA,0x01,0x8C,
-    0xDA,0xD1,0xA3,0x59,0x9C,0x97,0xEA,0xC3,0xF6,0x02,0x55,0x5C,
-    0x92,0x1A,0x39,0x67,0x17,0xE2,0x9B,0x27,0x8D,0xE8,0x5C,0xE9,
-    0xA5,0x94,0xBB,0x7E,0x16,0x6F,0x53,0x5A,0x6D,0xD8,0x03,0xC2,
-    0xAC,0x7A,0xCD,0x22,0x98,0x8E,0x33,0x2A,0xDE,0xAB,0x12,0xC0,
-    0x0B,0x7C,0x0C,0x20,0x70,0xD9,0x0B,0xAE,0x0B,0x2F,0x20,0x9B,
-    0xA4,0xED,0xFD,0x49,0x0B,0xE3,0x4A,0xF6,0x28,0xB3,0x98,0xB0,
-    0x23,0x1C,0x09,0x33,
-  };
-  static const unsigned char dhg_2048[]={
-    0x02,
-  };
-  DH *dh = DH_new();
-  BIGNUM *dhp_bn, *dhg_bn;
-
-  if (dh == NULL)
-    return NULL;
-  dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
-  dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
-  if (dhp_bn == NULL || dhg_bn == NULL
-      || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
-    DH_free(dh);
-    BN_free(dhp_bn);
-    BN_free(dhg_bn);
-    return NULL;
-  }
-  return dh;
-}
-
- typedef struct {
-   char *id;
-   SSL_SESSION *session;
-@@ -542,13 +483,6 @@ static bool pni_init_ssl_domain( pn_ssl_
-   domain->default_seclevel = SSL_CTX_get_security_level(domain->ctx);
- # endif
- 
-  DH *dh = get_dh2048();
-  if (dh) {
-    SSL_CTX_set_tmp_dh(domain->ctx, dh);
-    DH_free(dh);
-    SSL_CTX_set_options(domain->ctx, SSL_OP_SINGLE_DH_USE);
-  }
-
-   return true;
- }
- 
--- a/SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch
+++ b/SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch
@ -1,67 +0,0 @@
-diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-02-17 11:52:17.460043970 +0100
-+++ rsyslog-8.2102.0/runtime/rsconf.c	2023-02-17 12:00:49.881602881 +0100
-@@ -33,9 +33,6 @@
- #include <sys/resource.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-#ifdef ENABLE_LIBCAPNG
-	#include <cap-ng.h>
-#endif
- 
- #include "rsyslog.h"
- #include "obj.h"
-@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
- 	uchar szBuf[1024];
- 	DEFiRet;
- 
-#ifndef ENABLE_LIBCAPNG
-+
- 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
- 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
- 		if(res) {
-@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
- 				"could not set requested group id: %s via setgid()", szBuf);
- 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
- 	}
-#else
-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
-	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
-	if (res) {
-		LogError(0, RS_RET_LIBCAPNG_ERR,
-				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
-		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
-	}
-#endif
- 
- 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
- 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
-@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
- 				iUid, szBuf);
- 	}
- 
-#ifndef ENABLE_LIBCAPNG
-+
- 	res = setuid(iUid);
-	// res = setuid(cnf->globals.uidDropPriv);
-#else
-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
-	res = capng_change_id(iUid, -1, capng_flags);
-#endif
- 
- 	if(res) {
- 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
-diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-02-17 11:52:00.011011019 +0100
-+++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-02-17 11:58:37.322491823 +0100
-@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
- 		CAP_LEASE,
- 		CAP_NET_ADMIN,
- 		CAP_NET_BIND_SERVICE,
-		CAP_PERFMON,
- 		CAP_SETGID,
- 		CAP_SETUID,
-+		CAP_DAC_OVERRIDE,
- 		CAP_SYS_ADMIN,
- 		CAP_SYS_CHROOT,
- 		CAP_SYS_RESOURCE,
--- a/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch
+++ b/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch
@ -0,0 +1,908 @@
+diff --git a/plugins/imdiag/imdiag.c b/plugins/imdiag/imdiag.c
+index 3e27ee4d36..d57dd5661c 100644
+--- a/plugins/imdiag/imdiag.c
+++ b/plugins/imdiag/imdiag.c
+@@ -566,28 +566,33 @@ setInjectDelayMode(void __attribute__((unused)) *pVal, uchar *const pszMode)
+ }
+ 
+ 
+-static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+static rsRetVal
+addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ {
+	tcpLstnParams_t *cnf_params = NULL;
+ 	DEFiRet;
+ 
+-	if(pOurTcpsrv == NULL) {
+-		CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+-		CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
+-		CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+-		CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+-		CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+-		CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+-		CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+-		CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
+-		CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
+-		CHKiRet(tcpsrv.SetLstnPortFileName(pOurTcpsrv, pszLstnPortFileName));
+-		/* now set optional params, but only if they were actually configured */
+-		if(pszStrmDrvrAuthMode != NULL) {
+-			CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
+-		}
+-		if(pPermPeersRoot != NULL) {
+-			CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
+-		}
+	if(pOurTcpsrv != NULL) {
+		LogError(0, NO_ERRCODE, "imdiag: only a single listener is supported, "
+			"trying to add a second");
+		ABORT_FINALIZE(RS_RET_ERR);
+	}
+	CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+	CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+	CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
+	CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+	CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+	CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+	CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+	CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+	CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
+	CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
+	/* now set optional params, but only if they were actually configured */
+	if(pszStrmDrvrAuthMode != NULL) {
+		CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
+	}
+	if(pPermPeersRoot != NULL) {
+		CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
+ 	}
+ 
+ 	/* initialized, now add socket */
+@@ -595,7 +600,11 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
+ 						UCHAR_CONSTANT("imdiag") : pszInputName));
+ 	CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, (uchar*)"imdiag"));
+ 	/* we support octect-counted frame (constant 1 below) */
+-	tcpsrv.configureTCPListen(pOurTcpsrv, pNewVal, 1, NULL, pszLstnPortFileName);
+	cnf_params->pszPort = pNewVal;
+	cnf_params->bSuppOctetFram = 1;
+	CHKmalloc(cnf_params->pszLstnPortFileName = (const uchar*) strdup((const char*)pszLstnPortFileName));
+	tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
+	cnf_params = NULL;
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -603,7 +612,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
+ 		if(pOurTcpsrv != NULL)
+ 			tcpsrv.Destruct(&pOurTcpsrv);
+ 	}
+-	free(pNewVal);
+	free(cnf_params);
+ 	RETiRet;
+ }
+ 
+@@ -760,6 +769,7 @@ CODESTARTmodExit
+ 
+ 	/* free some globals to keep valgrind happy */
+ 	free(pszInputName);
+fprintf(stderr, "FINAL FREE %p\n", pszLstnPortFileName);
+ 	free(pszLstnPortFileName);
+ 	free(pszStrmDrvrAuthMode);
+ 
+diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c
+index e0cab01664..4041e88b14 100644
+--- a/plugins/imgssapi/imgssapi.c
+++ b/plugins/imgssapi/imgssapi.c
+@@ -334,34 +334,38 @@ static rsRetVal
+ actGSSListener(uchar *port)
+ {
+ 	DEFiRet;
+	tcpLstnParams_t *cnf_params = NULL;
+ 	gsssrv_t *pGSrv = NULL;
+ 
+-	if(pOurTcpsrv == NULL) {
+-		/* first create/init the gsssrv "object" */
+-		if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
+-			ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+-
+-		pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
+-		if(bPermitPlainTcp)
+-			pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
+-		/* gsssrv initialized */
+-
+-		CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+-		CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
+-		CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
+-		CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
+-		CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+-		CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+-		CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+-		CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
+-		CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+-		CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+-		CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+-		CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
+-		CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+-		tcpsrv.configureTCPListen(pOurTcpsrv, port, 1, NULL, NULL);
+-		CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
+-	}
+	assert(pOurTcpsrv == NULL);
+	CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+	/* first create/init the gsssrv "object" */
+	if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
+		ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+
+	pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
+	if(bPermitPlainTcp)
+		pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
+	/* gsssrv initialized */
+
+	CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+	CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
+	CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
+	CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
+	CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+	CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+	CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+	CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
+	CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+	CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+	CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+	CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
+	CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+	cnf_params->pszPort = port;
+	cnf_params->bSuppOctetFram = 1;
+	tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
+	CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
+	cnf_params = NULL;
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -370,6 +374,7 @@ actGSSListener(uchar *port)
+ 			tcpsrv.Destruct(&pOurTcpsrv);
+ 		free(pGSrv);
+ 	}
+	free(cnf_params);
+ 	RETiRet;
+ }
+ 
+diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index cf74d4c616..c336e6c24d 100644
+--- a/plugins/imtcp/imtcp.c
+++ b/plugins/imtcp/imtcp.c
+@@ -4,7 +4,7 @@
+  * File begun on 2007-12-21 by RGerhards (extracted from syslogd.c,
+  * which at the time of the rsyslog fork was BSD-licensed)
+  *
+- * Copyright 2007-2017 Adiscon GmbH.
+ * Copyright 2007-2020 Adiscon GmbH.
+  *
+  * This file is part of rsyslog.
+  *
+@@ -112,9 +112,7 @@ static struct configSettings_s {
+ } cs;
+ 
+ struct instanceConf_s {
+-	uchar *pszBindPort;		/* port to bind to */
+-	uchar *pszLstnPortFileName;	/* file dynamic port is written to */
+-	uchar *pszBindAddr;             /* IP to bind socket to */
+	tcpLstnParams_t *cnf_params;	/**< listener config parameters */
+ 	uchar *pszBindRuleset;		/* name of ruleset to bind to */
+ 	ruleset_t *pBindRuleset;	/* ruleset to bind listener to (use system default if unspecified) */
+ 	uchar *pszInputName;		/* value for inputname property, NULL is OK and handled by core engine */
+@@ -122,7 +120,6 @@ struct instanceConf_s {
+ 	sbool bSPFramingFix;
+ 	unsigned int ratelimitInterval;
+ 	unsigned int ratelimitBurst;
+-	int bSuppOctetFram;
+ 	struct instanceConf_s *next;
+ };
+ 
+@@ -288,19 +285,20 @@ setPermittedPeer(void __attribute__((unused)) *pVal, uchar *pszID)
+ static rsRetVal
+ createInstance(instanceConf_t **pinst)
+ {
+-	instanceConf_t *inst;
+	instanceConf_t *inst = NULL;
+
+ 	DEFiRet;
+ 	CHKmalloc(inst = malloc(sizeof(instanceConf_t)));
+	CHKmalloc(inst->cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+ 	inst->next = NULL;
+ 	inst->pszBindRuleset = NULL;
+ 	inst->pszInputName = NULL;
+-	inst->pszBindAddr = NULL;
+ 	inst->dfltTZ = NULL;
+-	inst->bSuppOctetFram = -1; /* unset */
+	inst->cnf_params->bSuppOctetFram = -1; /* unset */
+ 	inst->bSPFramingFix = 0;
+ 	inst->ratelimitInterval = 0;
+ 	inst->ratelimitBurst = 10000;
+-	inst->pszLstnPortFileName = NULL;
+	inst->cnf_params->pszLstnPortFileName = NULL;
+ 
+ 	/* node created, let's add to config */
+ 	if(loadModConf->tail == NULL) {
+@@ -312,6 +310,9 @@ createInstance(instanceConf_t **pinst)
+ 
+ 	*pinst = inst;
+ finalize_it:
+	if(iRet != RS_RET_OK) {
+		free(inst);
+	}
+ 	RETiRet;
+ }
+ 
+@@ -328,7 +329,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 
+ 	CHKiRet(createInstance(&inst));
+ 
+-	CHKmalloc(inst->pszBindPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
+	CHKmalloc(inst->cnf_params->pszPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
+ 				 	       ? (uchar*) "10514" : pNewVal));
+ 	if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
+ 		inst->pszBindRuleset = NULL;
+@@ -336,14 +337,14 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 		CHKmalloc(inst->pszBindRuleset = ustrdup(cs.pszBindRuleset));
+ 	}
+ 	if((cs.lstnIP == NULL) || (cs.lstnIP[0] == '\0')) {
+-		inst->pszBindAddr = NULL;
+		inst->cnf_params->pszAddr = NULL;
+ 	} else {
+-		CHKmalloc(inst->pszBindAddr = ustrdup(cs.lstnIP));
+		CHKmalloc(inst->cnf_params->pszAddr = ustrdup(cs.lstnIP));
+ 	}
+ 	if((cs.lstnPortFile == NULL) || (cs.lstnPortFile[0] == '\0')) {
+-		inst->pszBindAddr = NULL;
+		inst->cnf_params->pszAddr = NULL;
+ 	} else {
+-		CHKmalloc(inst->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
+		CHKmalloc(inst->cnf_params->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
+ 	}
+ 
+ 	if((cs.pszInputName == NULL) || (cs.pszInputName[0] == '\0')) {
+@@ -351,7 +352,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 	} else {
+ 		CHKmalloc(inst->pszInputName = ustrdup(cs.pszInputName));
+ 	}
+-	inst->bSuppOctetFram = cs.bSuppOctetFram;
+	inst->cnf_params->bSuppOctetFram = cs.bSuppOctetFram;
+ 
+ finalize_it:
+ 	free(pNewVal);
+@@ -407,7 +408,7 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ 	}
+ 
+ 	/* initialized, now add socket and listener params */
+-	DBGPRINTF("imtcp: trying to add port *:%s\n", inst->pszBindPort);
+	DBGPRINTF("imtcp: trying to add port *:%s\n", inst->cnf_params->pszPort);
+ 	CHKiRet(tcpsrv.SetRuleset(pOurTcpsrv, inst->pBindRuleset));
+ 	CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, inst->pszInputName == NULL ?
+ 						UCHAR_CONSTANT("imtcp") : inst->pszInputName));
+@@ -416,12 +417,12 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ 	CHKiRet(tcpsrv.SetbSPFramingFix(pOurTcpsrv, inst->bSPFramingFix));
+ 	CHKiRet(tcpsrv.SetLinuxLikeRatelimiters(pOurTcpsrv, inst->ratelimitInterval, inst->ratelimitBurst));
+ 
+-	if((ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) == 0 && inst->pszLstnPortFileName == NULL)
+-			|| ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) < 0) {
+-		CHKmalloc(inst->pszBindPort = (uchar*)strdup("514"));
+	if((ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) == 0
+		&& inst->cnf_params->pszLstnPortFileName == NULL)
+			|| ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) < 0) {
+		CHKmalloc(inst->cnf_params->pszPort = (uchar*)strdup("514"));
+ 	}
+-	tcpsrv.configureTCPListen(pOurTcpsrv, inst->pszBindPort, inst->bSuppOctetFram,
+-		inst->pszBindAddr, inst->pszLstnPortFileName);
+	tcpsrv.configureTCPListen(pOurTcpsrv, inst->cnf_params);
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -456,9 +457,9 @@ CODESTARTnewInpInst
+ 		if(!pvals[i].bUsed)
+ 			continue;
+ 		if(!strcmp(inppblk.descr[i].name, "port")) {
+-			inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+			inst->cnf_params->pszPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "address")) {
+-			inst->pszBindAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+			inst->cnf_params->pszAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "name")) {
+ 			inst->pszInputName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "defaulttz")) {
+@@ -468,13 +469,13 @@ CODESTARTnewInpInst
+ 		} else if(!strcmp(inppblk.descr[i].name, "ruleset")) {
+ 			inst->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "supportoctetcountedframing")) {
+-			inst->bSuppOctetFram = (int) pvals[i].val.d.n;
+			inst->cnf_params->bSuppOctetFram = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "ratelimit.burst")) {
+ 			inst->ratelimitBurst = (unsigned int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "ratelimit.interval")) {
+ 			inst->ratelimitInterval = (unsigned int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "listenportfilename")) {
+-			inst->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+			inst->cnf_params->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else {
+ 			dbgprintf("imtcp: program error, non-handled "
+ 			  "param '%s'\n", inppblk.descr[i].name);
+@@ -656,7 +657,7 @@ std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, insta
+ {
+ 	LogError(0, NO_ERRCODE, "imtcp: ruleset '%s' for port %s not found - "
+ 			"using default ruleset instead", inst->pszBindRuleset,
+-			inst->pszBindPort);
+			inst->cnf_params->pszPort);
+ }
+ 
+ BEGINcheckCnf
+@@ -664,8 +665,8 @@ BEGINcheckCnf
+ CODESTARTcheckCnf
+ 	for(inst = pModConf->root ; inst != NULL ; inst = inst->next) {
+ 		std_checkRuleset(pModConf, inst);
+-		if(inst->bSuppOctetFram == FRAMING_UNSET)
+-			inst->bSuppOctetFram = pModConf->bSuppOctetFram;
+		if(inst->cnf_params->bSuppOctetFram == FRAMING_UNSET)
+			inst->cnf_params->bSuppOctetFram = pModConf->bSuppOctetFram;
+ 	}
+ 	if(pModConf->root == NULL) {
+ 		LogError(0, RS_RET_NO_LISTNERS , "imtcp: module loaded, but "
+@@ -713,12 +714,9 @@ CODESTARTfreeCnf
+ 		free(pModConf->permittedPeers);
+ 	}
+ 	for(inst = pModConf->root ; inst != NULL ; ) {
+-		free(inst->pszBindPort);
+-		free(inst->pszLstnPortFileName);
+-		free(inst->pszBindAddr);
+-		free(inst->pszBindRuleset);
+-		free(inst->pszInputName);
+-		free(inst->dfltTZ);
+		free((void*)inst->pszBindRuleset);
+		free((void*)inst->pszInputName);
+		free((void*)inst->dfltTZ);
+ 		del = inst;
+ 		inst = inst->next;
+ 		free(del);
+diff --git a/runtime/netstrm.c b/runtime/netstrm.c
+index 8a394a02eb..2c1db46378 100644
+--- a/runtime/netstrm.c
+++ b/runtime/netstrm.c
+@@ -12,12 +12,18 @@
+  * to carry out its work (including, and most importantly, transport
+  * drivers).
+  *
+ * Note on processing:
+ * - Initiating a listener may be driver-specific, but in regard to TLS/non-TLS
+ *   it actually is not. This is because TLS is negotiated after a connection
+ *   has been established. So it is the "acceptConnReq" driver entry where TLS
+ *   params need to be applied.
+ *
+  * Work on this module begun 2008-04-17 by Rainer Gerhards. This code
+  * borrows from librelp's tcp.c/.h code. librelp is dual licensed and
+  * Rainer Gerhards and Adiscon GmbH have agreed to permit using the code
+  * under the terms of the GNU Lesser General Public License.
+  *
+- * Copyright 2007-2009 Rainer Gerhards and Adiscon GmbH.
+ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -134,18 +140,17 @@ AcceptConnReq(netstrm_t *pThis, netstrm_t **ppNew)
+  * pLstnPort must point to a port name or number. NULL is NOT permitted.
+  * rgerhards, 2008-04-22
+  */
+-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pNS, netstrms);
+ 	assert(fAddLstn != NULL);
+-	assert(pLstnPort != NULL);
+	assert(cnf_params->pszPort != NULL);
+ 
+-	CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName));
+	CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params));
+ 
+ finalize_it:
+ 	RETiRet;
+diff --git a/runtime/netstrm.h b/runtime/netstrm.h
+index 2e28d7e2e6..4ca35805e7 100644
+--- a/runtime/netstrm.h
+++ b/runtime/netstrm.h
+@@ -1,6 +1,6 @@
+ /* Definitions for the stream-based netstrmworking class.
+  *
+- * Copyright 2007, 2008 Rainer Gerhards and Adiscon GmbH.
+ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -24,6 +24,7 @@
+ #ifndef INCLUDED_NETSTRM_H
+ #define INCLUDED_NETSTRM_H
+ 
+#include "tcpsrv.h"
+ #include "netstrms.h"
+ 
+ /* the netstrm object */
+@@ -31,6 +32,7 @@ struct netstrm_s {
+ 	BEGINobjInstance;	/* Data to implement generic object - MUST be the first data element! */
+ 	nsd_t *pDrvrData;	/**< the driver's data elements (at most other places, this is called pNsd) */
+ 	nsd_if_t Drvr;		/**< our stream driver */
+	uchar *pszDrvrAuthMode;	/**< auth mode of the stream driver to use */
+ 	void *pUsr;		/**< pointer to user-provided data structure */
+ 	netstrms_t *pNS;	/**< pointer to our netstream subsystem object */
+ };
+@@ -76,8 +78,8 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetKeepAliveIntvl)(netstrm_t *pThis, int keepAliveIntvl);
+ 	rsRetVal (*SetGnutlsPriorityString)(netstrm_t *pThis, uchar *priorityString);
+ 	/* v11 -- Parameter pszLstnFileName added to LstnInit*/
+-	rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+-		             uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
+	rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+			 const int iSessMax, const tcpLstnParams_t *const cnf_params);
+ 	/* v12 -- two new binary flags added to gtls driver enabling stricter operation */
+ 	rsRetVal (*SetDrvrCheckExtendedKeyUsage)(netstrm_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetDrvrPrioritizeSAN)(netstrm_t *pThis, int prioritizeSan);
+diff --git a/runtime/nsd.h b/runtime/nsd.h
+index e862348fd6..eecffed05e 100644
+--- a/runtime/nsd.h
+++ b/runtime/nsd.h
+@@ -84,8 +84,8 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetKeepAliveTime)(nsd_t *pThis, int keepAliveTime);
+ 	rsRetVal (*SetGnutlsPriorityString)(nsd_t *pThis, uchar *gnutlsPriorityString);
+ 	/* v12 -- parameter pszLstnPortFileName added to LstnInit()*/
+-	rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-				 uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
+	rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+			 const int iSessMax, const tcpLstnParams_t *const cnf_params);
+ 	/* v13 -- two new binary flags added to gtls driver enabling stricter operation */
+ 	rsRetVal (*SetCheckExtendedKeyUsage)(nsd_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetPrioritizeSAN)(nsd_t *pThis, int prioritizeSan);
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index da90c2e096..55f6713d62 100644
+--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
+@@ -1692,14 +1692,13 @@ Abort(nsd_t *pNsd)
+  * a session, but not during listener setup.
+  * gerhards, 2008-04-25
+  */
+-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 	CHKiRet(gtlsGlblInitLstn());
+-	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName);
+	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
+ finalize_it:
+ 	RETiRet;
+ }
+@@ -1785,6 +1784,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+ 		FINALIZE;
+ 	}
+ 	/* copy Properties to pnew first */
+dbgprintf("RGER: pThis %p pNew %p, authMode %d\n", pThis, pNew, pThis->authMode);
+ 	pNew->authMode = pThis->authMode;
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 431ea738b8..79347916e4 100644
+--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
+@@ -1308,16 +1308,15 @@ Abort(nsd_t *pNsd)
+  */
+ static rsRetVal
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 
+ 	dbgprintf("LstnInit for openssl: entering LstnInit (%p) for %s:%s SessMax=%d\n",
+-		fAddLstn, pLstnIP, pLstnPort, iSessMax);
+		fAddLstn, cnf_params->pszAddr, cnf_params->pszPort, iSessMax);
+ 
+ 	/* Init TCP Listener using base ptcp class */
+-	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP,
+-			iSessMax, pszLstnPortFileName);
+	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
+ 	RETiRet;
+ }
+ 
+diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
+index c35138fb7a..2f9e77ba03 100644
+--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
+@@ -474,10 +474,9 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+  * number of sessions permitted.
+  * rgerhards, 2008-04-22
+  */
+-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 	netstrm_t *pNewStrm = NULL;
+@@ -497,20 +496,20 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+ 
+ 	ISOBJ_TYPE_assert(pNS, netstrms);
+ 	assert(fAddLstn != NULL);
+-	assert(pLstnPort != NULL);
+	assert(cnf_params->pszPort != NULL);
+ 	assert(iSessMax >= 0);
+ 
+-	dbgprintf("creating tcp listen socket on port %s\n", pLstnPort);
+	dbgprintf("creating tcp listen socket on port %s\n", cnf_params->pszPort);
+ 
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_flags = AI_PASSIVE;
+ 	hints.ai_family = glbl.GetDefPFFamily();
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	error = getaddrinfo((char*)pLstnIP, (char*) pLstnPort, &hints, &res);
+	error = getaddrinfo((const char*)cnf_params->pszAddr, (const char*) cnf_params->pszPort, &hints, &res);
+ 	if(error) {
+ 		LogError(0, RS_RET_INVALID_PORT, "error querying port '%s': %s",
+-			pLstnPort, gai_strerror(error));
+			cnf_params->pszAddr, gai_strerror(error));
+ 		ABORT_FINALIZE(RS_RET_INVALID_PORT);
+ 	}
+ 
+@@ -622,9 +621,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+ 			r->ai_addrlen = socklen_r;
+ 			savecast.sa = (struct sockaddr*)r->ai_addr;
+ 			port_override = (isIPv6) ?  savecast.ipv6->sin6_port : savecast.ipv4->sin_port;
+-			if(pszLstnPortFileName != NULL) {
+			if(cnf_params->pszLstnPortFileName != NULL) {
+ 				FILE *fp;
+-				if((fp = fopen((const char*)pszLstnPortFileName, "w+")) == NULL) {
+				if((fp = fopen((const char*)cnf_params->pszLstnPortFileName, "w+")) == NULL) {
+ 					LogError(errno, RS_RET_IO_ERROR, "nsd_ptcp: ListenPortFileName: "
+ 							"error while trying to open file");
+ 					ABORT_FINALIZE(RS_RET_IO_ERROR);
+diff --git a/runtime/nsd_ptcp.h b/runtime/nsd_ptcp.h
+index 137b7c3ce7..1c91718c19 100644
+--- a/runtime/nsd_ptcp.h
+++ b/runtime/nsd_ptcp.h
+@@ -1,6 +1,6 @@
+ /* An implementation of the nsd interface for plain tcp sockets.
+  *
+- * Copyright 2007-2012 Adiscon GmbH.
+ * Copyright 2007-2020 Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -23,6 +23,7 @@
+ #define INCLUDED_NSD_PTCP_H
+ 
+ #include <sys/socket.h>
+#include "tcpsrv.h"
+ 
+ #include "nsd.h"
+ typedef nsd_if_t nsd_ptcp_if_t; /* we just *implement* this interface */
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 58528c81ec..845e944582 100644
+--- a/runtime/tcps_sess.c
+++ b/runtime/tcps_sess.c
+@@ -194,8 +194,8 @@ SetLstnInfo(tcps_sess_t *pThis, tcpLstnPortList_t *pLstnInfo)
+ 	assert(pLstnInfo != NULL);
+ 	pThis->pLstnInfo = pLstnInfo;
+ 	/* set cached elements */
+-	pThis->bSuppOctetFram = pLstnInfo->bSuppOctetFram;
+-	pThis->bSPFramingFix = pLstnInfo->bSPFramingFix;
+	pThis->bSuppOctetFram = pLstnInfo->cnf_params->bSuppOctetFram;
+	pThis->bSPFramingFix = pLstnInfo->cnf_params->bSPFramingFix;
+ 	RETiRet;
+ }
+ 
+@@ -235,6 +235,7 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcps_sess);
+	const tcpLstnParams_t *const cnf_params = pThis->pLstnInfo->cnf_params;
+ 	
+ 	if(pThis->iMsg == 0) {
+ 		DBGPRINTF("discarding zero-sized message\n");
+@@ -249,15 +250,15 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
+ 	/* we now create our own message object and submit it to the queue */
+ 	CHKiRet(msgConstructWithTime(&pMsg, stTime, ttGenTime));
+ 	MsgSetRawMsg(pMsg, (char*)pThis->pMsg, pThis->iMsg);
+-	MsgSetInputName(pMsg, pThis->pLstnInfo->pInputName);
+-	if(pThis->pLstnInfo->dfltTZ[0] != '\0')
+-		MsgSetDfltTZ(pMsg, (char*) pThis->pLstnInfo->dfltTZ);
+	MsgSetInputName(pMsg, cnf_params->pInputName);
+	if(cnf_params->dfltTZ[0] != '\0')
+		MsgSetDfltTZ(pMsg, (char*) cnf_params->dfltTZ);
+ 	MsgSetFlowControlType(pMsg, pThis->pSrv->bUseFlowControl
+ 			            ? eFLOWCTL_LIGHT_DELAY : eFLOWCTL_NO_DELAY);
+ 	pMsg->msgFlags  = NEEDS_PARSING | PARSE_HOSTNAME;
+ 	MsgSetRcvFrom(pMsg, pThis->fromHost);
+ 	CHKiRet(MsgSetRcvFromIP(pMsg, pThis->fromHostIP));
+-	MsgSetRuleset(pMsg, pThis->pLstnInfo->pRuleset);
+	MsgSetRuleset(pMsg, cnf_params->pRuleset);
+ 
+ 	STATSCOUNTER_INC(pThis->pLstnInfo->ctrSubmit, pThis->pLstnInfo->mutCtrSubmit);
+ 	ratelimitAddMsg(pThis->pLstnInfo->ratelimiter, pMultiSub, pMsg);
+diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
+index 76a50357c3..ab9573e5b8 100644
+--- a/runtime/tcpsrv.c
+++ b/runtime/tcpsrv.c
+@@ -123,9 +123,7 @@ static int wrkrRunning;
+  * rgerhards, 2009-05-21
+  */
+ static rsRetVal ATTR_NONNULL(1, 2)
+-addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+-	const int bSuppOctetFram, const uchar *const pszAddr,
+-	const uchar *const pszLstnPortFileName)
+addNewLstnPort(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
+ {
+ 	tcpLstnPortList_t *pEntry;
+ 	uchar statname[64];
+@@ -135,25 +133,17 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ 
+ 	/* create entry */
+ 	CHKmalloc(pEntry = (tcpLstnPortList_t*)calloc(1, sizeof(tcpLstnPortList_t)));
+-	CHKmalloc(pEntry->pszPort = ustrdup(pszPort));
+	pEntry->cnf_params = cnf_params;
+ 
+-	pEntry->pszAddr = NULL;
+-	/* only if a bind adress is defined copy it in struct */
+-	if (pszAddr != NULL) {
+-		CHKmalloc(pEntry->pszAddr = ustrdup(pszAddr));
+-	}
+-
+-	strcpy((char*)pEntry->dfltTZ, (char*)pThis->dfltTZ);
+-	pEntry->bSPFramingFix = pThis->bSPFramingFix;
+	strcpy((char*)pEntry->cnf_params->dfltTZ, (char*)pThis->dfltTZ);
+	pEntry->cnf_params->bSPFramingFix = pThis->bSPFramingFix;
+	pEntry->cnf_params->pRuleset = pThis->pRuleset;
+ 	pEntry->pSrv = pThis;
+-	pEntry->pRuleset = pThis->pRuleset;
+-	pEntry->bSuppOctetFram = bSuppOctetFram;
+-	pEntry->pszLstnPortFileName = pszLstnPortFileName;
+ 
+ 	/* we need to create a property */
+-	CHKiRet(prop.Construct(&pEntry->pInputName));
+-	CHKiRet(prop.SetString(pEntry->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
+-	CHKiRet(prop.ConstructFinalize(pEntry->pInputName));
+	CHKiRet(prop.Construct(&pEntry->cnf_params->pInputName));
+	CHKiRet(prop.SetString(pEntry->cnf_params->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
+	CHKiRet(prop.ConstructFinalize(pEntry->cnf_params->pInputName));
+ 
+ 	/* support statistics gathering */
+ 	CHKiRet(ratelimitNew(&pEntry->ratelimiter, "tcperver", NULL));
+@@ -161,7 +151,7 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ 	ratelimitSetThreadSafe(pEntry->ratelimiter);
+ 
+ 	CHKiRet(statsobj.Construct(&(pEntry->stats)));
+-	snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, pszPort);
+	snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, cnf_params->pszPort);
+ 	statname[sizeof(statname)-1] = '\0'; /* just to be on the save side... */
+ 	CHKiRet(statsobj.SetName(pEntry->stats, statname));
+ 	CHKiRet(statsobj.SetOrigin(pEntry->stats, pThis->pszOrigin));
+@@ -177,10 +167,8 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+ 		if(pEntry != NULL) {
+-			free(pEntry->pszAddr);
+-			free(pEntry->pszPort);
+-			if(pEntry->pInputName != NULL) {
+-				prop.Destruct(&pEntry->pInputName);
+			if(pEntry->cnf_params->pInputName != NULL) {
+				prop.Destruct(&pEntry->cnf_params->pInputName);
+ 			}
+ 			if(pEntry->ratelimiter != NULL) {
+ 				ratelimitDestruct(pEntry->ratelimiter);
+@@ -201,29 +189,25 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+  * rgerhards, 2008-03-20
+  */
+ static rsRetVal ATTR_NONNULL(1,2)
+-configureTCPListen(tcpsrv_t *const pThis,
+-	const uchar *const pszPort,
+-	const int bSuppOctetFram,
+-	const uchar *const pszAddr,
+-	const uchar *const pszLstnPortFileName)
+configureTCPListen(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
+ {
+	assert(cnf_params->pszPort != NULL);
+ 	int i;
+-	const uchar *pPort = pszPort;
+ 	DEFiRet;
+ 
+-	assert(pszPort != NULL);
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 
+ 	/* extract port */
+	const uchar *pPort = cnf_params->pszPort;
+ 	i = 0;
+ 	while(isdigit((int) *pPort)) {
+ 		i = i * 10 + *pPort++ - '0';
+ 	}
+ 
+ 	if(i >= 0 && i <= 65535) {
+-		CHKiRet(addNewLstnPort(pThis, pszPort, bSuppOctetFram, pszAddr, pszLstnPortFileName));
+		CHKiRet(addNewLstnPort(pThis, cnf_params));
+ 	} else {
+-		LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", pszPort);
+		LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", cnf_params->pszPort);
+ 	}
+ 
+ finalize_it:
+@@ -331,8 +315,11 @@ deinit_tcp_listener(tcpsrv_t *const pThis)
+ 	/* free list of tcp listen ports */
+ 	pEntry = pThis->pLstnPorts;
+ 	while(pEntry != NULL) {
+-		free(pEntry->pszPort);
+-		prop.Destruct(&pEntry->pInputName);
+		prop.Destruct(&pEntry->cnf_params->pInputName);
+		free((void*)pEntry->cnf_params->pszPort);
+		free((void*)pEntry->cnf_params->pszAddr);
+		free((void*)pEntry->cnf_params->pszLstnPortFileName);
+		free((void*)pEntry->cnf_params);
+ 		ratelimitDestruct(pEntry->ratelimiter);
+ 		statsobj.Destruct(&(pEntry->stats));
+ 		pDel = pEntry;
+@@ -373,22 +360,21 @@ addTcpLstn(void *pUsr, netstrm_t *pLstn)
+ 
+ 
+ /* Initialize TCP listener socket for a single port
+ * Note: at this point, TLS vs. non-TLS does not matter; TLS params are
+ * set on connect!
+  * rgerhards, 2009-05-21
+  */
+ static rsRetVal
+ initTCPListener(tcpsrv_t *pThis, tcpLstnPortList_t *pPortEntry)
+ {
+ 	DEFiRet;
+-	uchar *TCPLstnPort;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 	assert(pPortEntry != NULL);
+ 
+-	TCPLstnPort = pPortEntry->pszPort;
+-
+ 	// pPortEntry->pszAddr = NULL ==> bind to all interfaces
+-	CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn, TCPLstnPort,
+-		pPortEntry->pszAddr, pThis->iSessMax, (uchar*)pPortEntry->pszLstnPortFileName));
+	CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn,
+		pThis->iSessMax, pPortEntry->cnf_params));
+ 
+ finalize_it:
+ 	RETiRet;
+@@ -408,11 +394,12 @@ create_tcp_socket(tcpsrv_t *pThis)
+ 	/* init all configured ports */
+ 	pEntry = pThis->pLstnPorts;
+ 	while(pEntry != NULL) {
+dbgprintf("RGER: configuring listener %p\n", pEntry);
+ 		localRet = initTCPListener(pThis, pEntry);
+ 		if(localRet != RS_RET_OK) {
+ 			LogError(0, localRet, "Could not create tcp listener, ignoring port "
+-			"%s bind-address %s.", pEntry->pszPort,
+-			(pEntry->pszAddr == NULL) ? "(null)" : (const char*)pEntry->pszAddr);
+			"%s bind-address %s.", pEntry->cnf_params->pszPort,
+			(pEntry->cnf_params->pszAddr == NULL) ? "(null)" : (const char*)pEntry->cnf_params->pszAddr);
+ 		}
+ 		pEntry = pEntry->pNext;
+ 	}
+@@ -1236,15 +1223,6 @@ SetGnutlsPriorityString(tcpsrv_t *pThis, uchar *iVal)
+ 	RETiRet;
+ }
+ 
+-static rsRetVal
+-SetLstnPortFileName(tcpsrv_t *pThis, uchar *iVal)
+-{
+-	DEFiRet;
+-	DBGPRINTF("tcpsrv: LstnPortFileName set to %s\n",
+-		(iVal == NULL) ? "(null)" : (const char*) iVal);
+-	pThis->pszLstnPortFileName = iVal;
+-	RETiRet;
+-}
+ 
+ static rsRetVal
+ SetOnMsgReceive(tcpsrv_t *pThis, rsRetVal (*OnMsgReceive)(tcps_sess_t*, uchar*, int))
+@@ -1309,6 +1287,7 @@ SetDfltTZ(tcpsrv_t *const pThis, uchar *const tz)
+ {
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+dbgprintf("dfltTZ prev: %s\n", pThis->dfltTZ);
+ 	strncpy((char*)pThis->dfltTZ, (char*)tz, sizeof(pThis->dfltTZ));
+ 	pThis->dfltTZ[sizeof(pThis->dfltTZ)-1] = '\0';
+ 	RETiRet;
+@@ -1557,7 +1536,6 @@ CODESTARTobjQueryInterface(tcpsrv)
+ 	pIf->SetKeepAliveProbes = SetKeepAliveProbes;
+ 	pIf->SetKeepAliveTime = SetKeepAliveTime;
+ 	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;
+-	pIf->SetLstnPortFileName = SetLstnPortFileName;
+ 	pIf->SetUsrP = SetUsrP;
+ 	pIf->SetInputName = SetInputName;
+ 	pIf->SetOrigin = SetOrigin;
+diff --git a/runtime/tcpsrv.h b/runtime/tcpsrv.h
+index db5a1d110a..bae7e3b8b9 100644
+--- a/runtime/tcpsrv.h
+++ b/runtime/tcpsrv.h
+@@ -1,6 +1,6 @@
+ /* Definitions for tcpsrv class.
+  *
+- * Copyright 2008-2015 Adiscon GmbH.
+ * Copyright 2008-2020 Adiscon GmbH.
+  *
+  * This file is part of rsyslog.
+  *
+@@ -23,6 +23,7 @@
+ 
+ #include "obj.h"
+ #include "prop.h"
+#include "net.h"
+ #include "tcps_sess.h"
+ #include "statsobj.h"
+ 
+@@ -34,19 +35,24 @@ typedef enum ETCPsyslogFramingAnomaly {
+ } eTCPsyslogFramingAnomaly;
+ 
+ 
+/* config parameters for TCP listeners */
+struct tcpLstnParams_s {
+	const uchar *pszPort;			/**< the ports the listener shall listen on */
+	const uchar *pszAddr;                 /**< the addrs the listener shall listen on */
+	sbool bSuppOctetFram;	/**< do we support octect-counted framing? (if no->legay only!)*/
+	sbool bSPFramingFix;	/**< support work-around for broken Cisco ASA framing? */
+	const uchar *pszLstnPortFileName;	/**< File in which the dynamic port is written */
+	prop_t *pInputName;
+	ruleset_t *pRuleset;		/**< associated ruleset */
+	uchar dfltTZ[8];		/**< default TZ if none in timestamp; '\0' =No Default */
+};
+
+ /* list of tcp listen ports */
+ struct tcpLstnPortList_s {
+-	uchar *pszPort;			/**< the ports the listener shall listen on */
+-	uchar *pszAddr;                 /**< the addrs the listener shall listen on */
+-	prop_t *pInputName;
+	tcpLstnParams_t *cnf_params;	/**< listener config parameters */
+ 	tcpsrv_t *pSrv;			/**< pointer to higher-level server instance */
+-	ruleset_t *pRuleset;		/**< associated ruleset */
+ 	statsobj_t *stats;		/**< associated stats object */
+-	sbool bSuppOctetFram;	/**< do we support octect-counted framing? (if no->legay only!)*/
+ 	ratelimit_t *ratelimiter;
+-	uchar dfltTZ[8];		/**< default TZ if none in timestamp; '\0' =No Default */
+-	sbool bSPFramingFix;	/**< support work-around for broken Cisco ASA framing? */
+-	const uchar *pszLstnPortFileName;	/**< File in which the dynamic port is written */
+ 	STATSCOUNTER_DEF(ctrSubmit, mutCtrSubmit)
+ 	tcpLstnPortList_t *pNext;	/**< next port or NULL */
+ };
+@@ -130,8 +136,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*Construct)(tcpsrv_t **ppThis);
+ 	rsRetVal (*ConstructFinalize)(tcpsrv_t __attribute__((unused)) *pThis);
+ 	rsRetVal (*Destruct)(tcpsrv_t **ppThis);
+-	rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*,
+-		const uchar *pszPort, int bSuppOctetFram, const uchar *pszAddr, const uchar *);
+	rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*, tcpLstnParams_t *const cnf_params);
+ 	rsRetVal (*create_tcp_socket)(tcpsrv_t *pThis);
+ 	rsRetVal (*Run)(tcpsrv_t *pThis);
+ 	/* set methods */
+@@ -188,8 +193,6 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetGnutlsPriorityString)(tcpsrv_t*, uchar*);
+ 	/* added v21 -- Preserve case in fromhost, 2018-08-16 */
+ 	rsRetVal (*SetPreserveCase)(tcpsrv_t *pThis, int bPreserveCase);
+-	/* added v22 -- File for dynamic Port, 2018-08-29 */
+-	rsRetVal (*SetLstnPortFileName)(tcpsrv_t*, uchar*);
+ 	/* added v23 -- Options for stricter driver behavior, 2019-08-16 */
+ 	rsRetVal (*SetDrvrCheckExtendedKeyUsage)(tcpsrv_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetDrvrPrioritizeSAN)(tcpsrv_t *pThis, int prioritizeSan);
+diff --git a/runtime/typedefs.h b/runtime/typedefs.h
+index 06f5c25a8c..000b4da4fe 100644
+--- a/runtime/typedefs.h
+++ b/runtime/typedefs.h
+@@ -123,6 +123,7 @@ typedef int rs_size_t; /* we do never need more than 2Gig strings, signed permit
+ typedef rsRetVal (*prsf_t)(struct vmstk_s*, int);	/* pointer to a RainerScript function */
+ typedef uint64 qDeqID;	/* queue Dequeue order ID. 32 bits is considered dangerously few */
+ 
+typedef struct tcpLstnParams_s tcpLstnParams_t;
+ typedef struct tcpLstnPortList_s tcpLstnPortList_t; // TODO: rename?
+ typedef struct strmLstnPortList_s strmLstnPortList_t; // TODO: rename?
+ typedef struct actWrkrIParams actWrkrIParams_t;
--- a/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch
+++ b/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch
@ -0,0 +1,124 @@
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index e55b014b2c..431ea738b8 100644
+--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
+@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
+ 
+ 	/* Loop through ERR_get_error */
+ 	while ((un_error = ERR_get_error()) > 0){
+-		LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+		LogMsg(0, RS_RET_NO_ERRCODE, severity,
+			"nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+ 	}
+ }
+ 
+@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
+ 		if(pThis->bReportAuthErr == 1) {
+ 			errno = 0;
+ 			LogError(0, RS_RET_INVALID_FINGERPRINT,
+-			"nsd_ossl:error:"
+-			" peer fingerprint '%s' unknown - we are "
+-			"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+				"nsd_ossl:error: peer fingerprint '%s' unknown - we are "
+				"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			pThis->bReportAuthErr = 0;
+ 		}
+ 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
+ 			cstrFinalize(pStr);
+ 			errno = 0;
+ 			LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized -  "
+-					"not permitted to talk to it. Names: %s",
+-					cstrGetSzStrNoNULL(pStr));
+				"not permitted to talk to it. Names: %s",
+				cstrGetSzStrNoNULL(pStr));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			pThis->bReportAuthErr = 0;
+ 		}
+ 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
+ 		if(pThis->bReportAuthErr == 1) {
+ 			errno = 0;
+ 			LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
+-					"not permitted to talk to it");
+				"not permitted to talk to it");
+ 			pThis->bReportAuthErr = 0;
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 		}
+ 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
+ 	}
+@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
+ 		if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
+ 			if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
+ 				LogError(0, RS_RET_CERT_EXPIRED,
+-					"nsd_ossl:CertValidity check"
+-"- not permitted to talk to peer: certificate expired: %s",
+					"nsd_ossl:CertValidity check - not permitted to talk to peer: "
+					"certificate expired: %s",
+ 					X509_verify_cert_error_string(iVerErr));
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 				ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
+ 			} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
+ 				LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
+-					"nsd_ossl:CertValidity check"
+-"- warning talking to peer: certificate expired: %s",
+					"nsd_ossl:CertValidity check - warning talking to peer: "
+					"certificate expired: %s",
+ 					X509_verify_cert_error_string(iVerErr));
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			} else {
+ 				dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
+ 					X509_verify_cert_error_string(iVerErr));
+@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
+ 		} else {
+ 			LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
+ 				"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			ABORT_FINALIZE(RS_RET_CERT_INVALID);
+ 		}
+ 	} else {
+@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
+ 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
+ 		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-"No shared curve between syslog client and server.");
+		"No shared curve between syslog client and server.");
+ 	}
+ 	#endif
+ 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
+@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
+ 				resErr == SSL_ERROR_WANT_WRITE) {
+ 				pNsd->rtryCall = osslRtry_handshake;
+ 				pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
+-				LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-"TLS handshake failed between syslog client and server.");
+ 				dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
+ 					"immediately - setting to retry (this is OK and normal)\n");
+ 				FINALIZE;
+@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
+ 				ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
+ 			} else {
+ 				osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 				ABORT_FINALIZE(RS_RET_NO_ERRCODE);
+ 			}
+ 		}
+@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
+ 	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+ 	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
+ 
+-	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
+-"TLS Connection initiated with remote syslog server.");
+	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+		"TLS Connection initiated with remote syslog server.");
+ 	/*if we reach this point we are in tls mode */
+ 	DBGPRINTF("Connect: TLS Mode\n");
+ 	if(!(pThis->ssl = SSL_new(ctx))) {
--- a/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
+++ b/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
@ -0,0 +1,25 @@
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 79347916e4..69ec57af09 100644
+--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
+@@ -1821,11 +1821,8 @@ BIO_set_nbio( conn, 1 );
+ }
+ 
+ 
+-/* Empty wrapper for GNUTLS helper function
+- * TODO: implement a similar capability
+- */
+ static rsRetVal
+-SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unused)) uchar *gnutlsPriorityString)
+SetGnutlsPriorityString(nsd_t *const pNsd, uchar *const gnutlsPriorityString)
+ {
+ 	DEFiRet;
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+@@ -1905,6 +1902,7 @@ SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unus
+ 						pThis->gnutlsPriorityString);
+ 				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ 			}
+			SSL_CONF_CTX_free(cctx);
+ 		}
+ #else
+ 		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
--- a/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
@ -1,6 +1,6 @@
-diff -up ./rsyslog-8.2102.0/runtime/nsd_gtls.c.ori ./rsyslog-8.2102.0/runtime/nsd_gtls.c
--- rsyslog-8.2102.0/runtime/nsd_gtls.c.ori	2022-01-17 15:50:08.285827256 +0100
-+++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-01-17 15:52:33.282594512 +0100
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2021-11-22 09:33:25.501668376 +0100
+++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2021-11-22 09:34:18.423642573 +0100
@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
 	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
--- a/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
@ -0,0 +1,14 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-28 09:05:23.283262154 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-28 09:10:05.858381106 +0200
+@@ -424,8 +424,8 @@ readjournal(void)
+ 				severity = cs.iDfltSeverity;
+ 			}
+ 		} else {
+-			LogError(0, RS_RET_ERR, "The value of the 'PRIORITY' field has an "
+-				"unexpected length: %zu\n", length);
+			DBGPRINTF("The value of the 'PRIORITY' field has an "
+				"unexpected length: %zu value: '%s'\n", length, (const char*)get);
+ 		}
+ 	}
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch
@ -1,163 +0,0 @@
-diff -up rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan rsyslog-8.2102.0/contrib/imdocker/imdocker.c
--- rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/contrib/imdocker/imdocker.c	2021-07-22 14:10:31.877231143 +0200
-@@ -1527,6 +1527,7 @@ process_json(sbool isInit, const char* j
- 									pInstances->last_container_id,
- 									(unsigned)pInstances->last_container_created);
- 						}
-+						// coverity[leaked_storage : FALSE]
- 						CHKiRet(dockerContLogsInstSetUrlById(isInit, pInst,
- 									pInstances->curlm, containerId));
- 						CHKiRet(dockerContLogReqsAdd(pInstances, pInst));
-diff -up rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c
--- rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan	2020-10-03 19:06:47.000000000 +0200
-+++ rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c	2021-07-22 14:10:31.877231143 +0200
-@@ -324,7 +324,6 @@ BEGINnewActInst
- 	struct cnfparamvals *pvals;
- 	int i;
- 	int iNumTpls;
-	uchar *keydup = NULL;
- CODESTARTnewActInst
- 	if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL)
- 		ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
-@@ -417,14 +416,11 @@ CODESTARTnewActInst
- 	CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)pData->tplName, OMSR_NO_RQD_TPL_OPTS));
- 
- 	if (pData->dynaKey) {
-		CHKmalloc(keydup = ustrdup(pData->key));
- 		CHKiRet(OMSRsetEntry(*ppOMSR, 1, ustrdup(pData->key), OMSR_NO_RQD_TPL_OPTS));
-		keydup = NULL; /* handed over */
- 	}
- 
- CODE_STD_FINALIZERnewActInst
- 	cnfparamvalsDestruct(pvals, &actpblk);
-	free(keydup);
- ENDnewActInst
- 
- 
-diff -up rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c
--- rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c	2021-07-22 14:10:31.877231143 +0200
-@@ -778,6 +778,7 @@ static rsRetVal publishRabbitMQ(wrkrInst
- 		ABORT_FINALIZE(RS_RET_RABBITMQ_CONN_ERR);
- 	}
- 
-+	// coverity[identical_branches : FALSE]
- 	if (manage_error(amqp_basic_publish(self->a_conn, 1, exchange, routing_key,
- 			0, 0, p_amqp_props, body_bytes), "amqp_basic_publish")) {
- 		/* error already notified */
-diff -up rsyslog-8.2102.0/grammar/rainerscript.c.covscan rsyslog-8.2102.0/grammar/rainerscript.c
--- rsyslog-8.2102.0/grammar/rainerscript.c.covscan	2021-02-15 12:06:16.000000000 +0100
-+++ rsyslog-8.2102.0/grammar/rainerscript.c	2021-07-22 14:10:31.878231140 +0200
-@@ -2814,7 +2814,7 @@ evalVar(struct cnfvar *__restrict__ cons
- 		if(bMustBeFreed)
- 			free(pszProp);
- 	}
-
-+	// coverity[leaked_storage : FALSE]
- }
- 
- /* perform a string comparision operation against a while array. Semantic is
-diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan rsyslog-8.2102.0/plugins/imfile/imfile.c
--- rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2021-07-22 14:10:31.878231140 +0200
-@@ -1278,6 +1278,7 @@ static void ATTR_NONNULL(1)
- getFileID(act_obj_t *const act)
- {
- 	char tmp_id[FILE_ID_HASH_SIZE];
-+	// coverity[buffer_size_warning : FALSE]
- 	strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
- 	act->file_id[0] = '\0';
- 	assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
-@@ -1290,6 +1291,7 @@ getFileID(act_obj_t *const act)
- 		DBGPRINTF("getFileID partial or error read, ret %d\n", r);
- 	}
- 	if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
-+		// coverity[buffer_size_warning : FALSE]
- 		strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
- 	}
- 	DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
-@@ -1544,6 +1546,7 @@ openFileWithoutStateFile(act_obj_t *cons
- 		const int fd = open(act->name, O_RDONLY | O_CLOEXEC);
- 		if(fd >= 0) {
- 			act->pStrm->iCurrOffs = lseek64(fd, 0, SEEK_END);
-+			close(fd);
- 			if(act->pStrm->iCurrOffs < 0) {
- 				act->pStrm->iCurrOffs = 0;
- 				LogError(errno, RS_RET_ERR, "imfile: could not query current "
-diff -up rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan rsyslog-8.2102.0/plugins/imptcp/imptcp.c
--- rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/plugins/imptcp/imptcp.c	2021-07-22 14:10:31.878231140 +0200
-@@ -1920,6 +1920,7 @@ lstnActivity(ptcplstn_t *const pLstn)
- 	}
- 
- finalize_it:
-+	// coverity[leaked_handle : FALSE]
- 	RETiRet;
- }
- 
-diff -up rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c
--- rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan	2020-10-03 19:06:47.000000000 +0200
-+++ rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c	2021-07-22 14:10:31.879231138 +0200
-@@ -394,7 +394,7 @@ CODEmodInit_QueryRegCFSLineHdlr
- 		ABORT_FINALIZE(RS_RET_NO_MSG_PASSING);
- 	}
- 
-	
-+	// coverity[identical_branches : FALSE]
- 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
- 				    resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
- ENDmodInit
-diff -up rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c
--- rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan	2020-10-03 19:06:47.000000000 +0200
-+++ rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c	2021-07-22 14:10:31.879231138 +0200
-@@ -368,6 +368,7 @@ writeDataError(wrkrInstanceData_t *const
- 	}
- 
- finalize_it:
-+	// coverity[leaked_storage : FALSE]
- 	RETiRet;
- }
- 
-diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan rsyslog-8.2102.0/runtime/nsd_gtls.c
--- rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2021-07-22 14:17:06.183174167 +0200
-@@ -227,7 +227,7 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
- 	pThis->bOurKeyIsInit = 1;
- 	CHKgnutls(gnutls_x509_privkey_import(pThis->ourKey, &data, GNUTLS_X509_FMT_PEM));
- 	free(data.data);
-
-+	data.data = NULL;
- 
- finalize_it:
- 	if(iRet == RS_RET_CERTLESS) {
-diff -up rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan rsyslog-8.2102.0/runtime/nsd_ptcp.c
--- rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan	2021-02-15 08:20:04.000000000 +0100
-+++ rsyslog-8.2102.0/runtime/nsd_ptcp.c	2021-07-22 14:10:31.879231138 +0200
-@@ -191,6 +191,7 @@ SetTlsVerifyDepth(nsd_t __attribute__((u
- 	nsd_ptcp_t *pThis = (nsd_ptcp_t*) pNsd;
- 	DEFiRet;
- 	ISOBJ_TYPE_assert((pThis), nsd_ptcp);
-+	// coverity[identical_branches : FALSE]
- 	if (verifyDepth == 0) {
- 		FINALIZE;
- 	}
-diff -up rsyslog-8.2102.0/tools/rsyslogd.c.covscan rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.covscan	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/tools/rsyslogd.c	2021-07-22 14:10:31.879231138 +0200
-@@ -293,6 +293,7 @@ writePidFile(void)
- 		free((void*)tmpPidFile);
- 	}
- finalize_it:
-+	// coverity[leaked_storage : FALSE]
- 	RETiRet;
- }
- 
-@@ -1026,6 +1027,7 @@ splitOversizeMessage(smsg_t *const pMsg)
- 	/* if necessary, write partial last segment */
- 	if(len_last_segment != 0) {
- 		CHKmalloc(pMsg_seg = MsgDup(pMsg));
-+		// coverity[copy_paste_error : FALSE]
- 		MsgSetRawMsg(pMsg_seg, rawmsg + (nsegments * maxlen), len_last_segment);
- 		submitMsg2(pMsg_seg);
- 	}
--- a/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
@ -1,5 +1,5 @@
--- rsyslog-8.2102.0-ori/action.c	2021-02-15 12:06:16.000000000 +0100
-+++ rsyslog-8.2102.0-changes/action.c	2022-03-10 11:00:11.027242300 +0100
+--- rsyslog-8.2102.0/action.c	2021-02-15 12:06:16.000000000 +0100
+++ rsyslog-8.2102.0-changes/action.c	2022-03-08 15:55:33.989525382 +0100
@@ -198,6 +198,7 @@
 	{ "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */
 	{ "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */
@ -13,26 +13,24 @@
 	pThis->pszName = NULL;
 	pThis->pszErrFile = NULL;
 +	pThis->maxErrFileSize = 0;
-+	pThis->errFileWritten = 0;
+	pThis->errFileWritten = 0;	
 	pThis->pszExternalStateFile = NULL;
 	pThis->fdErrFile = -1;
 	pThis->bWriteAllMarkMsgs = 1;
-@@ -1436,6 +1439,14 @@
+@@ -1436,6 +1439,12 @@
 				pThis->pszName, pThis->pszErrFile);
 			goto done;
 		}
-+		if (pThis->maxErrFileSize > 0) {
-+			struct stat statbuf;
-+			if (fstat(pThis->fdErrFile, &statbuf) == -1) {
-+				LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
-+				goto done;
-+			}
-+			pThis->errFileWritten += statbuf.st_size;
+		struct stat statbuf;
+		if (fstat(pThis->fdErrFile, &statbuf) == -1) {
+			LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
+			goto done;
 +		}
+		pThis->errFileWritten += statbuf.st_size;
 	}
 
 	for(int i = 0 ; i < nparams ; ++i) {
-@@ -1454,16 +1465,26 @@
+@@ -1454,16 +1463,26 @@
 		char *const rendered = strdup((char*)fjson_object_to_json_string(etry));
 		if(rendered == NULL)
 			goto done;
@ -69,7 +67,7 @@
 		}
 		free(rendered);
 
-@@ -2048,6 +2069,8 @@
+@@ -2048,6 +2067,8 @@
 			continue; /* this is handled seperately during module select! */
 		} else if(!strcmp(pblk.descr[i].name, "action.errorfile")) {
 			pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL);
--- a/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
@ -0,0 +1,354 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
+--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig	2022-04-15 13:42:05.320615894 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-04-15 14:33:43.472482696 +0200
+@@ -609,10 +609,10 @@ finalize_it:
+ }
+ 
+ static rsRetVal
+-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
+osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
+ {
+ 	DEFiRet;
+-	BIO *client;
+	BIO *conn;
+ 	char pristringBuf[4096];
+ 	nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
+ 
+@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
+ 		if (pThis->DrvrVerifyDepth != 0) {
+ 			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
+ 		}
+-	}
+-
+-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
+-		/* Allow ANON Ciphers */
+	} else 	if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
+		/* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
+ 		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+ 		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
+ 		}
+ 	}
+ 
+-	/* Create BIO from ptcp socket! */
+-	client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+-	dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
+ 
+-	/* Set debug Callback for client BIO as well! */
+-	BIO_set_callback(client, BIO_debug_callback);
+	/* Create BIO from ptcp socket! */
+	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+	dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
+ 
+-/* TODO: still needed? Set to NON blocking ! */
+-BIO_set_nbio( client, 1 );
+	/* Set debug Callback for conn BIO as well! */
+	BIO_set_callback(conn, BIO_debug_callback);
+ 
+-	SSL_set_bio(pThis->ssl, client, client);
+-	SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+	/* TODO: still needed? Set to NON blocking ! */
+	BIO_set_nbio( conn, 1 );
+	SSL_set_bio(pThis->ssl, conn, conn);
+ 
+	if (osslType == osslServer) {
+		/* Server Socket */
+		SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+		pThis->sslState = osslServer; /*set Server state */
+	} else {
+		/* Client Socket */
+		SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+		pThis->sslState = osslClient; /*set Client state */
+	}
+ 	pThis->bHaveSess = 1;
+-	pThis->sslState = osslServer; /*set Server state */
+ 
+ 	/* we are done */
+ 	FINALIZE;
+@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
+ 		ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
+ 	}
+ 
+-		/* Init Anon OpenSSL stuff */
+-		CHKiRet(osslAnonInit());
+	/* Init Anon OpenSSL stuff */
+	CHKiRet(osslAnonInit());
+ 
+ 	dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
+ 
+@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
+ 
+ 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
+-		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-		"No shared curve between syslog client and server.");
+		// This is not a failure
+		LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+		"Information, no shared curve between syslog client and server");
+ 	}
+ 	#endif
+ 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
+@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+-	CHKiRet(osslInitSession(pNew));
+	CHKiRet(osslInitSession(pNew, osslServer));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */
+ 	SSL_set_ex_data(pNew->ssl, 0, pThis);
+@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+-	nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
+-	BIO *conn;
+-	char pristringBuf[4096];
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
+ 	assert(port != NULL);
+@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
+ 		FINALIZE;
+ 	}
+ 
+-	/* Create BIO from ptcp socket! */
+-	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+-	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
+-
+ 	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+ 		"TLS Connection initiated with remote syslog server.");
+ 	/*if we reach this point we are in tls mode */
+ 	DBGPRINTF("Connect: TLS Mode\n");
+-	if(!(pThis->ssl = SSL_new(ctx))) {
+-		pThis->ssl = NULL;
+-		osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
+-		ABORT_FINALIZE(RS_RET_NO_ERRCODE);
+-	}
+ 
+-	// Set SSL_MODE_AUTO_RETRY to SSL obj
+-	SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
+-
+-	if (pThis->authMode != OSSL_AUTH_CERTANON) {
+-		dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
+-			pThis->authMode, pThis->DrvrVerifyDepth);
+-		/* Enable certificate valid checking */
+-		SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
+-		if (pThis->DrvrVerifyDepth != 0) {
+-			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
+-		}
+-	}
+-
+-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
+-		/* Allow ANON Ciphers */
+-		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+-		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+-			sizeof(pristringBuf));
+-		#else
+-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
+-			sizeof(pristringBuf));
+-		#endif
+-
+-		dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
+-		if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
+-			dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
+-			ABORT_FINALIZE(RS_RET_SYS_ERR);
+-		}
+-	}
+-
+-	/* Set debug Callback for client BIO as well! */
+-	BIO_set_callback(conn, BIO_debug_callback);
+-
+-/* TODO: still needed? Set to NON blocking ! */
+-BIO_set_nbio( conn, 1 );
+-
+-	SSL_set_bio(pThis->ssl, conn, conn);
+-	SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+-	pThis->sslState = osslClient; /*set Client state */
+-	pThis->bHaveSess = 1;
+	/* Do SSL Session init */
+	CHKiRet(osslInitSession(pThis, osslClient));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */
+ 	SSL_set_ex_data(pThis->ssl, 0, pThis);
+@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+ 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
+ 
+-	pThis->gnutlsPriorityString = gnutlsPriorityString;
+	dbgprintf("gnutlsPriorityString: set to '%s'\n",
+		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
+ 
+ 	/* Skip function if function is NULL gnutlsPriorityString */
+-	if (gnutlsPriorityString == NULL) {
+-		RETiRet;
+-	} else {
+-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+ #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+-		char *pCurrentPos;
+-		char *pNextPos;
+-		char *pszCmd;
+-		char *pszValue;
+-		int iConfErr;
+-
+-		/* Set working pointer */
+-		pCurrentPos = (char*) pThis->gnutlsPriorityString;
+-		if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+-			// Create CTX Config Helper
+-			SSL_CONF_CTX *cctx;
+-			cctx = SSL_CONF_CTX_new();
+-			if (pThis->sslState == osslServer) {
+-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+-			} else {
+-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+-			}
+-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+-			SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+-
+-			do
+-			{
+-				pNextPos = index(pCurrentPos, '=');
+-				if (pNextPos != NULL) {
+-					while (	*pCurrentPos != '\0' &&
+-						(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+-						pCurrentPos++;
+-					pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+-					pCurrentPos = pNextPos+1;
+-					pNextPos = index(pCurrentPos, '\n');
+-					pszValue = (pNextPos == NULL ?
+-							strdup(pCurrentPos) :
+-							strndup(pCurrentPos, pNextPos - pCurrentPos));
+-					pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+-
+-					/* Add SSL Conf Command */
+-					iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+-					if (iConfErr > 0) {
+-						dbgprintf("gnutlsPriorityString: Successfully added Command "
+-							"'%s':'%s'\n",
+-							pszCmd, pszValue);
+-					}
+-					else {
+-						LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+-							"in gnutlsPriorityString with error '%d'",
+-							pszCmd, pszValue, iConfErr);
+-					}
+	sbool ApplySettings = 0;
+	if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
+		(gnutlsPriorityString != NULL &&
+		strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
+		) {
+		ApplySettings = 1;
+	}
+
+	pThis->gnutlsPriorityString = gnutlsPriorityString;
+	dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
+		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
+		(ApplySettings == 1? "TRUE" : "FALSE"));
+ 
+-					free(pszCmd);
+-					free(pszValue);
+	if (ApplySettings) {
+
+		if (gnutlsPriorityString == NULL || ctx == NULL) {
+			RETiRet;
+		} else {
+			dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+			char *pCurrentPos;
+			char *pNextPos;
+			char *pszCmd;
+			char *pszValue;
+			int iConfErr;
+
+			/* Set working pointer */
+			pCurrentPos = (char*) pThis->gnutlsPriorityString;
+			if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+				// Create CTX Config Helper
+				SSL_CONF_CTX *cctx;
+				cctx = SSL_CONF_CTX_new();
+				if (pThis->sslState == osslServer) {
+					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+ 				} else {
+-					/* Abort further parsing */
+-					pCurrentPos = NULL;
+					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+ 				}
+-			}
+-			while (pCurrentPos != NULL);
+				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+				SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+
+				do
+				{
+					pNextPos = index(pCurrentPos, '=');
+					if (pNextPos != NULL) {
+						while (	*pCurrentPos != '\0' &&
+							(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+							pCurrentPos++;
+						pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+						pCurrentPos = pNextPos+1;
+						pNextPos = index(pCurrentPos, '\n');
+						pszValue = (pNextPos == NULL ?
+								strdup(pCurrentPos) :
+								strndup(pCurrentPos, pNextPos - pCurrentPos));
+						pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+
+						/* Add SSL Conf Command */
+						iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+						if (iConfErr > 0) {
+							dbgprintf("gnutlsPriorityString: Successfully added Command "
+								"'%s':'%s'\n",
+								pszCmd, pszValue);
+						}
+						else {
+							LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+								"in gnutlsPriorityString with error '%d'",
+								pszCmd, pszValue, iConfErr);
+						}
+
+						free(pszCmd);
+						free(pszValue);
+					} else {
+						/* Abort further parsing */
+						pCurrentPos = NULL;
+					}
+				}
+				while (pCurrentPos != NULL);
+ 
+-			/* Finalize SSL Conf */
+-			iConfErr = SSL_CONF_CTX_finish(cctx);
+-			if (!iConfErr) {
+-				LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+-						"Open ssl error info may follow in next messages",
+-						pThis->gnutlsPriorityString);
+-				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+				/* Finalize SSL Conf */
+				iConfErr = SSL_CONF_CTX_finish(cctx);
+				if (!iConfErr) {
+					LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+							"Open ssl error info may follow in next messages",
+							pThis->gnutlsPriorityString);
+					osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+				}
+				SSL_CONF_CTX_free(cctx);
+ 			}
+-			SSL_CONF_CTX_free(cctx);
+ 		}
+	}
+ #else
+-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+-		LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+-			"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+-			"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+-			gnutlsPriorityString);
+	LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+		"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+		"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+		gnutlsPriorityString);
+ #endif
+-	}
+ 
+ 	RETiRet;
+ }
--- a/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch
@ -1,51 +0,0 @@
--- a/source/configuration/actions.rst	2020-01-13 09:35:54.000000000 +0100
-+++ b/source/configuration/actions.rst	2022-03-09 10:46:23.945881936 +0100
-@@ -90,6 +90,12 @@
-    provided to the action in question, the action name as well as
-    the rsyslog status code roughly explaining why it failed.
- 
-+-  **action.errorfile.maxsize** integer
-+
-+   In some cases, error file needs to be limited in size.
-+   This option allows specifying a maximum size, in bytes, for the error file.
-+   When error file reaches that size, no more errors are written to it.
-+
- -  **action.execOnlyOnceEveryInterval** integer
- 
-    Execute action only if the last execute is at last seconds in the
--- a/build/_sources/configuration/actions.rst.txt	2020-01-13 09:35:54.000000000 +0100
-+++ b/build/_sources/configuration/actions.rst.txt	2022-03-09 11:17:44.391213038 +0100
-@@ -90,6 +90,12 @@
-    provided to the action in question, the action name as well as
-    the rsyslog status code roughly explaining why it failed.
- 
-+-  **action.errorfile.maxsize** integer
-+
-+   In some cases, error file needs to be limited in size.
-+   This option allows specifying a maximum size, in bytes, for the error file.
-+   When error file reaches that size, no more errors are written to it.
-+
- -  **action.execOnlyOnceEveryInterval** integer
- 
-    Execute action only if the last execute is at last seconds in the
--- a/build/configuration/actions.html	2021-02-15 12:53:30.000000000 +0100
-+++ b/build/configuration/actions.html	2022-03-09 11:27:04.035799702 +0100
-@@ -122,6 +122,11 @@
- provided to the action in question, the action name as well as
- the rsyslog status code roughly explaining why it failed.</p>
- </li>
-+<li><p class="first"><strong>action.errorfile.maxsize</strong> integer</p>
-+<p>In some cases, error file needs to be limited in size.
-+This option allows specifying a maximum size, in bytes, for the error file.
-+When error file reaches that size, no more errors are written to it.</p>
-+</li>
- <li><p class="first"><strong>action.execOnlyOnceEveryInterval</strong> integer</p>
- <p>Execute action only if the last execute is at last seconds in the
- past (more info in ommail, but may be used with any action)</p>
-@@ -672,4 +677,4 @@
-     <div class="footer" role="contentinfo">
-     </div>
-   </body>
-</html>
-\ No newline at end of file
-+</html>
--- a/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
@ -1,682 +0,0 @@
--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
-+++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-06 11:13:31.538674778 +0200
-@@ -72,6 +72,7 @@
- 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
- 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
- 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
-+	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
- 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
- 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
- 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-06 10:37:26.440149338 +0200
-+++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-06 11:12:06.198378210 +0200
-@@ -122,6 +122,7 @@
- static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
- static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
- static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
-+static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
- int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
- static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
- static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
-@@ -176,6 +177,7 @@
- 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
- 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
- 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
-+	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
- 	{ "maxmessagesize", eCmdHdlrSize, 0 },
- 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
- 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
-@@ -307,6 +309,8 @@
- /* TODO: use custom function which frees existing value */
- SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
- /* TODO: use custom function which frees existing value */
-+SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
-+/* TODO: use custom function which frees existing value */
- 
- #undef SIMP_PROP
- #undef SIMP_PROP_SET
-@@ -830,6 +834,13 @@
- 	return(pszDfltNetstrmDrvr == NULL ? DFLT_NETSTRM_DRVR : pszDfltNetstrmDrvr);
- }
- 
-+/* return the additional ca extra files */
-+static uchar*
-+GetNetstrmDrvrCAExtraFiles(void)
-+{
-+	return(pszNetstrmDrvrCAExtraFiles);
-+}
-+
- 
- /* return the current default netstream driver CA File */
- static uchar*
-@@ -925,6 +936,7 @@
- 	SIMP_PROP(DfltNetstrmDrvrCAF)
- 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
- 	SIMP_PROP(DfltNetstrmDrvrCertFile)
-+	SIMP_PROP(NetstrmDrvrCAExtraFiles)
- #ifdef USE_UNLIMITED_SELECT
- 	SIMP_PROP(FdSetSize)
- #endif
-@@ -945,6 +957,8 @@
- 	pszDfltNetstrmDrvrKeyFile = NULL;
- 	free(pszDfltNetstrmDrvrCertFile);
- 	pszDfltNetstrmDrvrCertFile = NULL;
-+	free(pszNetstrmDrvrCAExtraFiles);
-+	pszNetstrmDrvrCAExtraFiles = NULL;
- 	free(LocalHostNameOverride);
- 	LocalHostNameOverride = NULL;
- 	free(oversizeMsgErrorFile);
-@@ -1350,6 +1364,9 @@
- 			free(pszDfltNetstrmDrvr);
- 			pszDfltNetstrmDrvr = (uchar*)
- 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
-+		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
-+			free(pszNetstrmDrvrCAExtraFiles);
-+			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
- 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
- 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
- 		} else if(!strcmp(paramblk.descr[i].name,
-@@ -1546,6 +1563,8 @@
- 	&pszDfltNetstrmDrvrKeyFile, NULL));
- 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
- 	&pszDfltNetstrmDrvrCertFile, NULL));
-+	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
-+	&pszNetstrmDrvrCAExtraFiles, NULL));
- 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
- 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
- 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
-@@ -1579,6 +1598,7 @@
- 	free(pszDfltNetstrmDrvrCAF);
- 	free(pszDfltNetstrmDrvrKeyFile);
- 	free(pszDfltNetstrmDrvrCertFile);
-+	free(pszNetstrmDrvrCAExtraFiles);
- 	free(pszWorkDir);
- 	free(LocalDomain);
- 	free(LocalHostName);
--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2021-01-18 11:21:14.000000000 +0100
-+++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-06 11:25:18.144130340 +0200
-@@ -88,6 +88,7 @@
- static short bHaveCA;
- static short bHaveCert;
- static short bHaveKey;
-+static short bHaveExtraCAFiles;
- static int bAnonInit;
- static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
- 
-@@ -413,7 +414,8 @@
- {
- 	DEFiRet;
- 	DBGPRINTF("openssl: entering osslGlblInit\n");
-	const char *caFile, *certFile, *keyFile;
-+	const char *caFile, *certFile, *keyFile, *extraCaFile;
-+	char *extraCaFiles;
- 
- 	/* Setup OpenSSL library */
- 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
-@@ -450,9 +452,27 @@
- 	} else {
- 		bHaveKey = 1;
- 	}
-+	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
-+	if(extraCaFiles == NULL) {
-+	        bHaveExtraCAFiles = 0;
-+	} else {
-+	        bHaveExtraCAFiles = 1;
-+	}
- 
- 	/* Create main CTX Object */
- 	ctx = SSL_CTX_new(SSLv23_method());
-+	if(bHaveExtraCAFiles == 1) {
-+		while((extraCaFile = strsep(&extraCaFiles, ","))) {
-+			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
-+				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
-+					"Check at least: 1) file path is correct, 2) file exist, "
-+					"3) permissions are correct, 4) file content is correct. "
-+					"Open ssl error info may follow in next messages");
-+				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
-+				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
-+			}
-+ 		}
-+	}
- 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
- 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
- 				"Check at least: 1) file path is correct, 2) file exist, "
-@@ -476,7 +496,7 @@
- 				"Open ssl error info may follow in next messages");
- 		osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
- 		ABORT_FINALIZE(RS_RET_TLS_KEY_ERR);
-	}
-+	}	
- 
- 	/* Set CTX Options */
- 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);		/* Disable insecure SSLv2 Protocol */
--- rsyslog-8.2102.0.ori/tests/Makefile.am	2022-09-06 10:37:26.447149363 +0200
-+++ rsyslog-8.2102.0/tests/Makefile.am	2022-09-06 12:05:55.443600359 +0200
-@@ -1247,7 +1247,8 @@
- 	sndrcv_tls_ossl_servercert_gtls_clientanon.sh \
- 	sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
- 	sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
-	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh
-+	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
-+	sndrcv_ossl_cert_chain.sh
- endif
- endif
- 
-@@ -2575,6 +2576,7 @@
- 	sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
- 	sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
- 	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
-+	sndrcv_ossl_cert_chain.sh \
- 	omtcl.sh \
- 	omtcl.tcl \
- 	pmsnare-default.sh \
--- rsyslog-8.2102.0.ori/tests/sndrcv_ossl_cert_chain.sh	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/sndrcv_ossl_cert_chain.sh	2022-09-06 10:48:41.512496691 +0200
-@@ -0,0 +1,76 @@
-+#!/bin/bash
-+# alorbach, 2019-01-16
-+# This file is part of the rsyslog project, released  under ASL 2.0
-+. ${srcdir:=.}/diag.sh init
-+export NUMMESSAGES=1000
-+# uncomment for debugging support:
-+#export RSYSLOG_DEBUG="debug nostdout noprintmutexaction"
-+export RSYSLOG_DEBUGLOG="log"
-+generate_conf
-+export PORT_RCVR="$(get_free_port)"
-+### This is important, as it must be exactly the same
-+### as the ones configured in used certificates
-+export HOSTNAME="fedora"
-+add_conf '
-+global(
-+    DefaultNetstreamDriver="ossl"
-+    DefaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-cert.pem'"
-+    DefaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/server-cert.pem'"
-+    DefaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/server-key.pem'"
-+    NetstreamDriverCAExtraFiles="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
-+)
-+
-+module(	load="../plugins/imtcp/.libs/imtcp"
-+	StreamDriver.Name="ossl"
-+	StreamDriver.Mode="1"
-+        PermittedPeer="'$HOSTNAME'"
-+	StreamDriver.AuthMode="x509/name" )
-+# then SENDER sends to this port (not tcpflood!)
-+input(	type="imtcp" port="'$PORT_RCVR'" )
-+
-+$template outfmt,"%msg:F,58:2%\n"
-+$template dynfile,"'$RSYSLOG_OUT_LOG'" # trick to use relative path names!
-+:msg, contains, "msgnum:" ?dynfile;outfmt
-+'
-+startup
-+export RSYSLOG_DEBUGLOG="log2"
-+#valgrind="valgrind"
-+generate_conf 2
-+export TCPFLOOD_PORT="$(get_free_port)"
-+add_conf '
-+global(
-+	defaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
-+	defaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/client-cert.pem'"
-+	defaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/client-key.pem'"
-+)
-+
-+# Note: no TLS for the listener, this is for tcpflood!
-+$ModLoad ../plugins/imtcp/.libs/imtcp
-+input(	type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" )
-+
-+# set up the action
-+action(	type="omfwd"
-+	protocol="tcp"
-+	target="127.0.0.1"
-+	port="'$PORT_RCVR'"
-+	StreamDriver="ossl"
-+	StreamDriverMode="1"
-+	StreamDriverAuthMode="x509/name"
-+        StreamDriverPermittedPeers="'$HOSTNAME'"
-+	)
-+' 2
-+startup 2
-+
-+# now inject the messages into instance 2. It will connect to instance 1,
-+# and that instance will record the data.
-+tcpflood -m$NUMMESSAGES -i1
-+wait_file_lines
-+# shut down sender when everything is sent, receiver continues to run concurrently
-+shutdown_when_empty 2
-+wait_shutdown 2
-+# now it is time to stop the receiver as well
-+shutdown_when_empty
-+wait_shutdown
-+
-+seq_check 1 $NUMMESSAGES
-+exit_test
-diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem	2022-09-06 10:48:41.513496694 +0200
-@@ -0,0 +1,29 @@
-+-----BEGIN CERTIFICATE-----
-+MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
-+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
-+dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
-+Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
-+DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
-+MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
-+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
-+M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
-+MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
-+sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
-+2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
-+nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
-+gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
-++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
-+LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
-+BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
-+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
-+HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
-+dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
-+FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
-+uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
-+ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
-+wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
-+OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
-+9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
-+DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
-+jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
-+-----END CERTIFICATE-----
-diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem	2022-09-06 10:48:41.513496694 +0200
-@@ -0,0 +1,29 @@
-+-----BEGIN CERTIFICATE-----
-+MIIE6jCCA1KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
-+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
-+dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
-+Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMG0xCzAJBgNVBAYTAkNaMRAw
-+DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
-+MQwwCgYDVQQLEwNHU1MxHTAbBgNVBAMTFHJzeXNsb2crY2hhaW4rY2Fyb290MIIB
-+ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuqAAv1OIGwQqCi1Mflrq8Buo
-+G3UtiD8cMEovjzndFV4Ww5fm+R2vCv+tHq6a85mLL0wdqXh+/bAyDzxaULheXZel
-+rGPuUFEH2BpOwKXBd31Vx1x32aN9iaoaND/JVQSp+9PeP9zyKeZIN2vFSyNK7LCA
-+hdDXVoYeTktXMbm0vB2vMKk+5Vzc7WfyMfrdDvciuULzLU1RzRS2/RkHNlve5iVQ
-+XbNN6CpVtXb0K/kcp4SQIVbNTD/g6Z3JnewSWwqjM9/axTC17rpqhsxaWk712Zjo
-+lYeuWKfaF9eRXU951u/vrXMMRkDZe0cq5OiTbc1uUQag7uXkbUtEk5HDSihUWwxz
-+MegUdUBXFN6EJ7OauWFOeyVJbbvPRa3q9fdlLILvv5/9SiMim6avcj6DlyUz2RhC
-+YPh/gJHItuIbZ6hEU+aKqiDYMTHyibRoqOMZgsc8Vo1JAHQTI6gA8JQtGtjEbzIR
-+GFkQkj4tvAQQgl5fs9nuweH9GoIaBl1IoIVZyR9PAgMBAAGjgZQwgZEwDwYDVR0T
-+AQH/BAUwAwEB/zAkBgNVHREEHTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3Jh
-+MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUr/RYFo8A1eqBi3sGMwqNvwHVk5sw
-+KQYDVR0fBCIwIDAeoBygGoYYaHR0cDovLzEyNy4wLjAuMS9nZXRjcmwvMA0GCSqG
-+SIb3DQEBCwUAA4IBgQBn/NZeqYon25QY1RmjYkCQ0B+uXsquGURETP30hQ+ltbbG
-+u4jP+ll+oYkGVt1+eBi8Qw+rf8Qk3Q/+jmCoGS9vVjQc97r3YJxnFb3zB4HDCWdZ
-+qXK7GeBlFA4XAtJO0ya8HCx4znuXKiNwqrJJHyyW2gvkY9raRkKOzj3/9jQXgAw4
-+1d8NR9SxjKA2PnCSWNdVQOAm4us2tJXJexvbRx+b9Yu8LgUX/AdT4zqkIV8n6oFV
-+XNaGyOsDN/+4JEsKbBixL+g3Y6yQHrwKMYq/Gh1WF33u2yYCzMU4Lw9AoYRG0jHi
-+iAFchiwneGdC7E+To+qNdH5QJY38ZI7kWg3ADcXzwhTmvVUz5DNub9raE6yZZ4uf
-+CyTGAJjH9USuhwH3unmB0kDjEOExIJHm+9uNA8S/81cwoCl2pz/hzr2fQwR2YLSa
-+ox9p6cnQmnkL2j2QXhTvjDIswJmxuR43yqDIZUlx6cq1pTSJeN+8WcB2iK61p4DH
-+JhH8af3aLUI5FNNgjas=
-+-----END CERTIFICATE-----
-diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem	2022-09-06 10:48:41.513496694 +0200
-@@ -0,0 +1,26 @@
-+-----BEGIN CERTIFICATE-----
-+MIIEXjCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
-+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
-+dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
-+MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
-+BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
-+BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitjbGllbnQwggEiMA0G
-+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSIbnL1ViRk9CAPerSirUpBtnR4qYD
-+XzPSkVJzX5PKLJkeJ6z6oIPoioh59+70ipL5K4ETkmbUFaKP+Lrk7l53BvAnP8Ba
-+1rWNV2gzgyiihGCs7N/iamh9Rzj5lQCvzUJhiTcphcptV+0IIf9rbEggEazbSg1A
-+BHxS8EBUx+ddVJc6MAlEbA/sstkqfE14k8YZPZlU9ZmLjyHbsQbfXFegYee6WMP0
-+M7CqrMZ0ZWvDRWgqWOE+b8agmIKPb2VxJXuR3iXBJk8ANcrRzn/tXShMuGK5KiWL
-+a6mFrzR6w55DgjIAKkmPO43jMO/qbWB91RVys/ztK7qIoXm3yadOeIU1AgMBAAGj
-+gYwwgYkwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAkBgNVHREE
-+HTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3JhMB0GA1UdDgQWBBSoW3Alxk4+
-+6Uwv80/UE5C5rT4e6TAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAN
-+BgkqhkiG9w0BAQsFAAOCAYEA5Nbnwixitghw9Zg3DANXFXiOsQBx7KEup7+x7edw
-+n9r2raqNJEjT2Fv+ClEA3CIdPF+4wjoolOPezrNJxKO3UpYCQeO4ZU/QVl8BX8NB
-+4v1rUqXsvhE//4FcLvMM+6n8Nrtt1VRhks8N0b0p/md9dFKGucd4otPZm0sbOrsg
-+nrhDYzZiFAzJg3zFwOOHzxP6iKj2mfq+2XRiKl7SlbnEj/8l21Ne1V+mDV5++AEZ
-+N/quuf8zYHwwuc3Y8K84doow9yBpFqrpBbazb8586utrAbTbytCqskzImFIjo5Oa
-+1ujWArMDsVGGr+NzFWwCTz8VTNNJ5H1cBin0gT41/OwUQv8DIJqzmSFTg9Uqmb2V
-+ZwjIvMGE4Tz8phzD0IbSXYmQsSeku4olIDM1d+vLvBlipGAeInmA+nZmeZwdD04c
-+poqUj+H3mj1r6WOlk2ivV0TUZKO/JHydkBVf2EQJlEmGuSq/7S889fx3GT7jGcOb
-+gl5LlIaraMgA48dK8gJUWtJh
-+-----END CERTIFICATE-----
-diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem	2022-09-06 12:10:13.808498227 +0200
-@@ -0,0 +1,134 @@
-+Public Key Info:
-+	Public Key Algorithm: RSA
-+	Key Security Level: Medium (2048 bits)
-+
-+modulus:
-+	00:d2:21:b9:cb:d5:58:91:93:d0:80:3d:ea:d2:8a:b5
-+	29:06:d9:d1:e2:a6:03:5f:33:d2:91:52:73:5f:93:ca
-+	2c:99:1e:27:ac:fa:a0:83:e8:8a:88:79:f7:ee:f4:8a
-+	92:f9:2b:81:13:92:66:d4:15:a2:8f:f8:ba:e4:ee:5e
-+	77:06:f0:27:3f:c0:5a:d6:b5:8d:57:68:33:83:28:a2
-+	84:60:ac:ec:df:e2:6a:68:7d:47:38:f9:95:00:af:cd
-+	42:61:89:37:29:85:ca:6d:57:ed:08:21:ff:6b:6c:48
-+	20:11:ac:db:4a:0d:40:04:7c:52:f0:40:54:c7:e7:5d
-+	54:97:3a:30:09:44:6c:0f:ec:b2:d9:2a:7c:4d:78:93
-+	c6:19:3d:99:54:f5:99:8b:8f:21:db:b1:06:df:5c:57
-+	a0:61:e7:ba:58:c3:f4:33:b0:aa:ac:c6:74:65:6b:c3
-+	45:68:2a:58:e1:3e:6f:c6:a0:98:82:8f:6f:65:71:25
-+	7b:91:de:25:c1:26:4f:00:35:ca:d1:ce:7f:ed:5d:28
-+	4c:b8:62:b9:2a:25:8b:6b:a9:85:af:34:7a:c3:9e:43
-+	82:32:00:2a:49:8f:3b:8d:e3:30:ef:ea:6d:60:7d:d5
-+	15:72:b3:fc:ed:2b:ba:88:a1:79:b7:c9:a7:4e:78:85
-+	35:
-+
-+public exponent:
-+	01:00:01:
-+
-+private exponent:
-+	1f:0c:c4:bb:8d:e6:ec:7b:ff:0f:34:17:02:cd:64:3f
-+	8f:b7:97:ff:f9:af:fd:dd:56:7c:0a:c6:e9:94:99:07
-+	46:08:e2:ab:f8:cc:c7:31:11:67:61:3e:75:9c:c4:ed
-+	3a:cc:66:e2:51:7b:c8:52:fa:16:74:16:89:c5:7f:47
-+	ef:4a:85:42:32:56:39:eb:d1:da:dc:96:e0:06:9d:1d
-+	1a:7b:f2:f4:92:2c:4f:0c:53:fd:e3:43:55:3a:a5:05
-+	ee:0b:ac:8f:02:2a:0b:46:36:cc:40:d9:d1:31:ca:e6
-+	92:36:0c:a1:40:9b:f9:0d:b5:e3:b2:5d:d4:bc:27:5a
-+	17:fd:3f:bd:8e:44:55:f2:e3:96:ac:cc:11:be:65:01
-+	55:98:92:92:ac:59:46:fd:e2:11:80:eb:18:56:6a:82
-+	3c:79:ec:30:b7:06:9b:97:55:74:36:17:7e:d8:c6:95
-+	4e:a5:e1:55:5a:2a:d6:5d:cc:86:39:88:82:ba:31:19
-+	98:d7:26:28:09:fe:b4:38:fe:1b:43:19:19:4f:ae:f2
-+	27:18:d6:07:9a:c2:1c:66:2d:5a:e6:22:2e:ca:71:26
-+	dc:76:8f:2e:f3:84:e3:61:5f:77:d3:63:8a:d0:6b:42
-+	2a:6f:1b:98:91:b9:82:8d:d4:c4:f3:92:98:b4:a4:f1
-+
-+
-+prime1:
-+	00:e1:f4:19:35:e3:e2:e7:14:a6:56:8b:45:f9:2b:19
-+	bb:13:b3:66:73:44:5d:ca:69:cb:73:d9:78:5a:0f:fd
-+	de:ba:74:b3:53:70:a9:ab:52:22:34:78:a2:26:4a:aa
-+	8f:1b:65:c1:3e:df:65:8c:9b:9a:70:04:ae:70:f6:ea
-+	c4:e5:20:fa:16:e0:4f:56:f4:7b:d1:14:cc:94:e1:3c
-+	58:02:82:98:20:cd:13:cf:a2:49:13:7a:88:c1:84:72
-+	97:4f:1b:e8:d5:cb:6d:43:dd:d2:b8:09:dd:4f:ee:ce
-+	03:0b:c4:c2:9b:cf:3d:a0:a3:57:fd:1c:c9:eb:af:ae
-+	67:
-+
-+prime2:
-+	00:ee:13:05:f0:4c:13:e2:f8:27:53:c4:ad:89:d9:31
-+	b9:1b:e8:17:b9:db:36:cd:54:0c:15:eb:50:85:e4:8b
-+	03:c4:f2:6d:a0:41:dc:99:21:7e:1e:8a:a1:5e:86:fe
-+	53:d2:72:53:73:8a:7e:a2:43:83:d5:af:b0:e0:1a:89
-+	b5:3f:b3:26:d2:8e:92:0d:ed:d1:29:ee:c5:f1:ff:fc
-+	67:2c:a6:5d:4c:27:40:8a:5c:a1:23:d4:3f:11:bb:eb
-+	51:84:be:83:ec:73:3c:2e:ff:43:f6:74:16:b8:95:36
-+	2a:0b:1e:04:81:04:08:7a:40:21:dd:fb:dd:97:0a:76
-+	03:
-+
-+coefficient:
-+	00:a0:4c:15:4b:85:2f:81:6b:2e:e7:68:31:84:84:09
-+	c4:45:55:01:da:3d:25:9d:37:67:ab:19:0b:1f:d3:9f
-+	fc:09:12:31:66:5a:93:d8:d9:f2:00:c7:f7:03:0d:2b
-+	9d:2d:b8:38:d0:82:de:03:e7:21:03:29:4f:2a:2b:b5
-+	70:a3:bc:5b:bd:0e:f1:8b:bc:22:58:4a:b4:8f:fd:f5
-+	d4:f3:99:31:b1:db:f6:1d:d9:12:a2:48:0a:d0:05:1a
-+	72:dc:8e:30:67:3c:e0:6a:b5:dc:93:6f:e4:17:79:a1
-+	63:2e:25:78:ef:86:d7:9c:f3:dd:5b:d2:bd:62:4f:44
-+	f9:
-+
-+exp1:
-+	60:a2:e2:49:5f:0e:83:20:1c:c7:f4:c6:d7:7b:2c:85
-+	0b:36:f6:01:24:63:2c:97:b4:b0:f6:78:77:a4:51:42
-+	79:e2:41:73:d5:42:6b:88:34:22:d6:d9:1a:a1:62:72
-+	d4:17:df:df:40:f2:10:81:d8:3a:42:76:4c:cf:fd:b6
-+	79:fc:71:99:69:13:e5:af:a8:68:d2:89:70:bf:27:ec
-+	c8:1e:0c:6c:32:e9:5f:2b:1c:2f:dd:7f:31:ac:b0:c9
-+	af:c6:d2:fc:e5:04:f5:3a:a0:cd:9f:42:6c:d6:48:7b
-+	9b:03:ea:eb:72:65:fc:17:00:21:bb:b7:4c:3a:95:cf
-+
-+
-+exp2:
-+	00:a1:a7:61:1c:ed:4b:83:8e:24:86:08:c2:1d:1b:d1
-+	5b:73:cb:80:70:be:9c:d3:87:02:3d:cf:ee:79:3b:d9
-+	f8:d1:3e:1b:99:f9:9e:a4:8b:cd:6b:47:8e:92:f4:ee
-+	b4:53:ed:35:24:fb:21:49:64:b6:9b:de:14:27:d7:5d
-+	32:28:f2:a8:a5:c8:10:fc:4c:42:fe:4a:17:36:5f:2f
-+	2f:8f:6d:d7:63:e2:33:3c:bf:f0:da:b7:3f:ab:f7:01
-+	ad:f4:88:b8:63:51:4b:c8:4d:a4:04:30:87:4d:06:64
-+	24:e0:2f:9d:b7:4c:d9:c4:c8:cf:36:3f:d3:12:c0:13
-+	a9:
-+
-+
-+Public Key PIN:
-+	pin-sha256:I1Gv1FM9aCxvuCmF0uDnbDbIJgm1TFB2dtJV5v2iCEA=
-+Public Key ID:
-+	sha256:2351afd4533d682c6fb82985d2e0e76c36c82609b54c507676d255e6fda20840
-+	sha1:a85b7025c64e3ee94c2ff34fd41390b9ad3e1ee9
-+
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIEpAIBAAKCAQEA0iG5y9VYkZPQgD3q0oq1KQbZ0eKmA18z0pFSc1+TyiyZHies
-++qCD6IqIeffu9IqS+SuBE5Jm1BWij/i65O5edwbwJz/AWta1jVdoM4MoooRgrOzf
-+4mpofUc4+ZUAr81CYYk3KYXKbVftCCH/a2xIIBGs20oNQAR8UvBAVMfnXVSXOjAJ
-+RGwP7LLZKnxNeJPGGT2ZVPWZi48h27EG31xXoGHnuljD9DOwqqzGdGVrw0VoKljh
-+Pm/GoJiCj29lcSV7kd4lwSZPADXK0c5/7V0oTLhiuSoli2upha80esOeQ4IyACpJ
-+jzuN4zDv6m1gfdUVcrP87Su6iKF5t8mnTniFNQIDAQABAoIBAB8MxLuN5ux7/w80
-+FwLNZD+Pt5f/+a/93VZ8CsbplJkHRgjiq/jMxzERZ2E+dZzE7TrMZuJRe8hS+hZ0
-+FonFf0fvSoVCMlY569Ha3JbgBp0dGnvy9JIsTwxT/eNDVTqlBe4LrI8CKgtGNsxA
-+2dExyuaSNgyhQJv5DbXjsl3UvCdaF/0/vY5EVfLjlqzMEb5lAVWYkpKsWUb94hGA
-+6xhWaoI8eewwtwabl1V0Nhd+2MaVTqXhVVoq1l3MhjmIgroxGZjXJigJ/rQ4/htD
-+GRlPrvInGNYHmsIcZi1a5iIuynEm3HaPLvOE42Ffd9NjitBrQipvG5iRuYKN1MTz
-+kpi0pPECgYEA4fQZNePi5xSmVotF+SsZuxOzZnNEXcppy3PZeFoP/d66dLNTcKmr
-+UiI0eKImSqqPG2XBPt9ljJuacASucPbqxOUg+hbgT1b0e9EUzJThPFgCgpggzRPP
-+okkTeojBhHKXTxvo1cttQ93SuAndT+7OAwvEwpvPPaCjV/0cyeuvrmcCgYEA7hMF
-+8EwT4vgnU8StidkxuRvoF7nbNs1UDBXrUIXkiwPE8m2gQdyZIX4eiqFehv5T0nJT
-+c4p+okOD1a+w4BqJtT+zJtKOkg3t0SnuxfH//Gcspl1MJ0CKXKEj1D8Ru+tRhL6D
-+7HM8Lv9D9nQWuJU2KgseBIEECHpAId373ZcKdgMCgYBgouJJXw6DIBzH9MbXeyyF
-+Czb2ASRjLJe0sPZ4d6RRQnniQXPVQmuINCLW2RqhYnLUF9/fQPIQgdg6QnZMz/22
-+efxxmWkT5a+oaNKJcL8n7MgeDGwy6V8rHC/dfzGssMmvxtL85QT1OqDNn0Js1kh7
-+mwPq63Jl/BcAIbu3TDqVzwKBgQChp2Ec7UuDjiSGCMIdG9Fbc8uAcL6c04cCPc/u
-+eTvZ+NE+G5n5nqSLzWtHjpL07rRT7TUk+yFJZLab3hQn110yKPKopcgQ/ExC/koX
-+Nl8vL49t12PiMzy/8Nq3P6v3Aa30iLhjUUvITaQEMIdNBmQk4C+dt0zZxMjPNj/T
-+EsATqQKBgQCgTBVLhS+Bay7naDGEhAnERVUB2j0lnTdnqxkLH9Of/AkSMWZak9jZ
-+8gDH9wMNK50tuDjQgt4D5yEDKU8qK7Vwo7xbvQ7xi7wiWEq0j/311POZMbHb9h3Z
-+EqJICtAFGnLcjjBnPOBqtdyTb+QXeaFjLiV474bXnPPdW9K9Yk9E+Q==
-+-----END RSA PRIVATE KEY-----
-diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem	2022-09-06 10:48:41.513496694 +0200
-@@ -0,0 +1,55 @@
-+-----BEGIN CERTIFICATE-----
-+MIIEVTCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
-+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
-+dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
-+MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
-+BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
-+BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitzZXJ2ZXIwggEiMA0G
-+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3mDP67/SPVbCCgInxXNr9sOLz2yWx
-+fa4jtgdbgWK5mib4XdPYTdH6hRiur/n6yn9rzhDeFFMUhSwQpQ81OyZfUFNU0A0q
-+x7AZMgVOm3ZqMDk8O57UfuSdURJJPsEwMzZ8Q5d6wyq7xheX0DZjB8LUN8J6SX4w
-+K2Ok1wCBOQdfjvW09tOVqQK7puHq85UWsEBTiZ7ie1Fg6FLNscPVoavjNNyYAORM
-+Vz0Byv1zBdJzBHufqHUdjX7uMkUPcKfiU/TjQWMRYF3Yp5z2wFohi4Zgtise7xW5
-+SfgcAIjA1bm5xMIaiUxRUZHUhCaoj6c2vZygrFO7MuB/2ngoEbqZ57pdAgMBAAGj
-+gYMwgYAwDAYDVR0TAQH/BAIwADAwBgNVHREEKTAnggZmZWRvcmGHBH8AAAGBF3Jv
-+b3RAZmVkb3JhdGxzd3d3c2VydmVyMB0GA1UdDgQWBBRxxQqJoRCHlrmwDLcB0aU3
-+W/QRbDAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjANBgkqhkiG9w0B
-+AQsFAAOCAYEAkheMCnXNDh2fOhMyOifBFKqlUUsYzZoYU5UNweZijdKAKxJ4zdsS
-+i31a2IG4ePBPX7PShUUr2E1PEQ2XBDi/HcCoK54qcqzhxGS83Rf/2YxN4BjU8jaA
-+7RhIA0fv5haKxxhjRIDT6vsAXPB0HM/f3Y+E21GVbsQVUE1pP8QrDkcU0EwIjEfW
-+tFEBitmb0s/11d8/ZLdYAuvvfzDzuN9kuAcj5dkdpB5Wo9R3h2NXnD6EIWIUHn/I
-+zwgXdb/n9gUI6jQMC6shFjXScVT2jgjfziWi/M66PBbtEbEnhOEKdbW0o2lPiL3j
-+2UDj6fMshRBAnSoBtEYm/lywBs3vDUGpMUSQFIAwPgUkizAl5DEdmE9PLqRL9HNT
-+UIg8tQql9Xr29edEiuMHpIyH8eEa+KI2CpKG3KfYDBMaC7z9MvkpYuSuIG3dsQxy
-+YguWDH7c0iosQVpHx8dxj5Exj1/QOXcD5tAVY/+DBe48nRzDTlZmRGQjtqr6Nw0j
-+BIXBoqaes0D4
-+-----END CERTIFICATE-----
-+-----BEGIN CERTIFICATE-----
-+MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
-+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
-+dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
-+Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
-+DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
-+MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
-+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
-+M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
-+MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
-+sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
-+2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
-+nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
-+gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
-++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
-+LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
-+BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
-+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
-+HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
-+dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
-+FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
-+uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
-+ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
-+wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
-+OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
-+9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
-+DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
-+jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
-+-----END CERTIFICATE-----
-diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem	1970-01-01 01:00:00.000000000 +0100
-+++ rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem	2022-09-06 12:10:28.635549755 +0200
-@@ -0,0 +1,133 @@
-+Public Key Info:
-+	Public Key Algorithm: RSA
-+	Key Security Level: Medium (2048 bits)
-+
-+modulus:
-+	00:b7:98:33:fa:ef:f4:8f:55:b0:82:80:89:f1:5c:da
-+	fd:b0:e2:f3:db:25:b1:7d:ae:23:b6:07:5b:81:62:b9
-+	9a:26:f8:5d:d3:d8:4d:d1:fa:85:18:ae:af:f9:fa:ca
-+	7f:6b:ce:10:de:14:53:14:85:2c:10:a5:0f:35:3b:26
-+	5f:50:53:54:d0:0d:2a:c7:b0:19:32:05:4e:9b:76:6a
-+	30:39:3c:3b:9e:d4:7e:e4:9d:51:12:49:3e:c1:30:33
-+	36:7c:43:97:7a:c3:2a:bb:c6:17:97:d0:36:63:07:c2
-+	d4:37:c2:7a:49:7e:30:2b:63:a4:d7:00:81:39:07:5f
-+	8e:f5:b4:f6:d3:95:a9:02:bb:a6:e1:ea:f3:95:16:b0
-+	40:53:89:9e:e2:7b:51:60:e8:52:cd:b1:c3:d5:a1:ab
-+	e3:34:dc:98:00:e4:4c:57:3d:01:ca:fd:73:05:d2:73
-+	04:7b:9f:a8:75:1d:8d:7e:ee:32:45:0f:70:a7:e2:53
-+	f4:e3:41:63:11:60:5d:d8:a7:9c:f6:c0:5a:21:8b:86
-+	60:b6:2b:1e:ef:15:b9:49:f8:1c:00:88:c0:d5:b9:b9
-+	c4:c2:1a:89:4c:51:51:91:d4:84:26:a8:8f:a7:36:bd
-+	9c:a0:ac:53:bb:32:e0:7f:da:78:28:11:ba:99:e7:ba
-+	5d:
-+
-+public exponent:
-+	01:00:01:
-+
-+private exponent:
-+	68:06:20:25:a5:82:0f:18:c1:3b:20:33:88:83:51:3d
-+	7e:d5:08:d0:79:a9:f8:89:0b:88:de:e0:55:0e:28:15
-+	94:d1:12:f0:ae:55:61:8d:2d:8e:8f:a3:fb:e2:c2:8b
-+	b1:fc:7f:08:25:c1:f1:15:87:a3:22:b2:dc:39:58:83
-+	96:d2:b0:72:75:93:70:b3:71:83:2b:08:a0:03:57:25
-+	5d:b8:a8:1b:55:51:54:9d:62:4b:17:1f:2c:7c:ef:f7
-+	86:2f:12:0c:27:ba:f5:cb:c6:a0:69:03:f7:d6:74:e8
-+	a3:73:58:b0:7d:84:33:81:70:eb:b5:48:82:94:8f:ea
-+	4c:c7:9c:58:02:90:68:b1:64:29:df:a8:8a:69:15:d4
-+	49:21:2f:aa:25:f1:e7:10:8b:93:37:ca:51:d3:4e:d6
-+	de:cf:60:04:6b:10:41:1b:f5:0f:be:b7:2a:cd:41:44
-+	50:25:be:e5:57:60:1e:3e:e9:d7:70:86:68:a6:4f:3d
-+	7d:d8:0e:7f:9b:de:de:e6:02:35:33:9f:b6:68:bb:cd
-+	2f:33:69:09:9e:da:91:6b:16:89:db:14:20:59:3a:92
-+	7e:78:4e:e1:02:3f:c8:a5:3f:bd:f2:bc:3a:da:f2:97
-+	06:f5:96:eb:c8:09:f7:04:cb:7f:e2:e2:12:52:d4:21
-+
-+
-+prime1:
-+	00:ed:e4:b8:72:ee:b0:9e:38:db:f8:e7:fa:52:a5:94
-+	4a:4b:05:54:f0:96:23:72:d6:01:ba:9f:f4:3e:65:24
-+	29:c0:47:4a:6f:a9:a4:02:36:c5:2c:c5:ea:cd:09:5c
-+	2d:8e:3c:56:aa:e4:e7:85:32:a8:a7:4f:18:12:17:8c
-+	93:15:07:da:3e:f4:df:33:7e:35:39:59:2d:f4:1c:ba
-+	65:e8:42:c7:75:a0:c2:53:47:ad:ee:74:44:21:6a:42
-+	75:7f:40:1f:8b:06:0e:df:c3:02:4d:50:58:75:f2:29
-+	58:e2:0c:a0:7b:fe:be:c4:ab:76:ff:24:c1:4b:e6:ce
-+	75:
-+
-+prime2:
-+	00:c5:91:7c:48:59:dd:05:68:5c:8a:46:0b:3b:69:92
-+	80:d1:c6:28:27:88:c8:a9:73:7c:32:ee:87:a7:31:29
-+	ff:56:38:41:07:3e:0f:01:5c:cf:eb:93:db:e7:fb:b9
-+	e7:15:94:93:ea:fa:f8:60:79:c6:16:d2:db:9b:64:5f
-+	c3:b8:f0:52:c0:e7:ff:e0:9a:94:22:fb:7e:5e:80:8f
-+	c0:ca:46:f4:87:91:e7:ad:6d:74:26:d1:fa:c0:f8:f5
-+	7e:b3:0c:bb:23:5e:7d:5d:8b:c9:2e:68:76:be:d4:b4
-+	75:de:3c:70:70:ad:1e:64:de:e4:1d:f7:df:af:46:0f
-+	49:
-+
-+coefficient:
-+	00:89:f1:2c:f9:14:89:25:21:7a:ad:75:30:f0:b1:e7
-+	20:b3:14:14:d7:c9:b6:78:3c:c7:c8:92:3a:64:8e:47
-+	d0:10:fc:01:a9:a6:25:a5:61:6d:8f:da:d4:85:fa:06
-+	9f:a5:27:a8:7d:38:e2:67:19:65:ab:a9:00:52:8c:f3
-+	51:fe:f9:a6:4f:ab:47:04:0a:86:ae:f0:fe:3d:2d:72
-+	76:6d:ad:03:48:af:23:67:92:28:34:83:bc:45:7d:c0
-+	45:ca:89:4a:4f:dd:11:a6:3a:5a:23:47:f4:7c:82:42
-+	dc:e8:56:85:d8:1b:9d:08:9c:6e:ca:17:58:d7:d4:bb
-+	77:
-+
-+exp1:
-+	21:50:b8:ac:0f:d5:58:33:2a:4b:2f:61:95:15:6f:31
-+	00:54:9c:d2:9c:94:16:4e:f6:2b:06:9f:93:e5:62:2d
-+	1e:aa:5d:38:4a:0f:97:e7:c7:b1:3f:7e:64:7c:7d:16
-+	3c:27:23:14:07:be:8c:9e:cd:93:b0:b5:f4:42:ac:03
-+	25:1c:d6:69:9e:ad:6b:6e:af:51:7a:b5:be:cc:0f:26
-+	9a:62:4f:c0:9f:64:d7:78:e0:58:d6:9b:7b:fa:7f:98
-+	28:db:f8:0e:e6:28:4b:19:ea:46:9d:8b:e5:e8:a5:f5
-+	b6:a2:82:0f:1b:5b:e7:fb:03:4d:33:fe:85:fc:aa:c9
-+
-+
-+exp2:
-+	59:36:db:22:68:c1:ef:a1:32:b8:95:ec:98:85:91:cc
-+	6d:ed:c7:50:22:ea:49:ea:86:59:11:71:5c:44:4d:2c
-+	aa:28:78:e4:e6:57:2c:4c:56:ef:90:33:2b:4c:76:a4
-+	2d:10:8c:c2:fd:55:8f:6b:2d:d2:3c:a1:42:48:4f:1e
-+	38:b2:fd:0b:73:38:0e:9a:7e:ee:55:16:b9:61:e0:88
-+	34:4f:5a:38:a5:e0:32:66:4c:9f:03:0e:f2:78:f9:92
-+	9f:13:ce:a5:a8:13:80:5c:91:1a:4d:bd:e1:6a:77:9b
-+	0a:21:cc:bc:74:d0:56:c8:77:c6:38:9a:5f:b1:89:51
-+
-+
-+
-+Public Key PIN:
-+	pin-sha256:FSR0pC1TUEe+ZMU7YSVDDmYP4hmDlsIJRKf4D8LiJZ8=
-+Public Key ID:
-+	sha256:152474a42d535047be64c53b6125430e660fe2198396c20944a7f80fc2e2259f
-+	sha1:71c50a89a1108796b9b00cb701d1a5375bf4116c
-+
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIEowIBAAKCAQEAt5gz+u/0j1WwgoCJ8Vza/bDi89slsX2uI7YHW4FiuZom+F3T
-+2E3R+oUYrq/5+sp/a84Q3hRTFIUsEKUPNTsmX1BTVNANKsewGTIFTpt2ajA5PDue
-+1H7knVESST7BMDM2fEOXesMqu8YXl9A2YwfC1DfCekl+MCtjpNcAgTkHX471tPbT
-+lakCu6bh6vOVFrBAU4me4ntRYOhSzbHD1aGr4zTcmADkTFc9Acr9cwXScwR7n6h1
-+HY1+7jJFD3Cn4lP040FjEWBd2Kec9sBaIYuGYLYrHu8VuUn4HACIwNW5ucTCGolM
-+UVGR1IQmqI+nNr2coKxTuzLgf9p4KBG6mee6XQIDAQABAoIBAGgGICWlgg8YwTsg
-+M4iDUT1+1QjQean4iQuI3uBVDigVlNES8K5VYY0tjo+j++LCi7H8fwglwfEVh6Mi
-+stw5WIOW0rBydZNws3GDKwigA1clXbioG1VRVJ1iSxcfLHzv94YvEgwnuvXLxqBp
-+A/fWdOijc1iwfYQzgXDrtUiClI/qTMecWAKQaLFkKd+oimkV1EkhL6ol8ecQi5M3
-+ylHTTtbez2AEaxBBG/UPvrcqzUFEUCW+5VdgHj7p13CGaKZPPX3YDn+b3t7mAjUz
-+n7Zou80vM2kJntqRaxaJ2xQgWTqSfnhO4QI/yKU/vfK8Otrylwb1luvICfcEy3/i
-+4hJS1CECgYEA7eS4cu6wnjjb+Of6UqWUSksFVPCWI3LWAbqf9D5lJCnAR0pvqaQC
-+NsUsxerNCVwtjjxWquTnhTKop08YEheMkxUH2j703zN+NTlZLfQcumXoQsd1oMJT
-+R63udEQhakJ1f0AfiwYO38MCTVBYdfIpWOIMoHv+vsSrdv8kwUvmznUCgYEAxZF8
-+SFndBWhcikYLO2mSgNHGKCeIyKlzfDLuh6cxKf9WOEEHPg8BXM/rk9vn+7nnFZST
-+6vr4YHnGFtLbm2Rfw7jwUsDn/+CalCL7fl6Aj8DKRvSHkeetbXQm0frA+PV+swy7
-+I159XYvJLmh2vtS0dd48cHCtHmTe5B33369GD0kCgYAhULisD9VYMypLL2GVFW8x
-+AFSc0pyUFk72Kwafk+ViLR6qXThKD5fnx7E/fmR8fRY8JyMUB76Mns2TsLX0QqwD
-+JRzWaZ6ta26vUXq1vswPJppiT8CfZNd44FjWm3v6f5go2/gO5ihLGepGnYvl6KX1
-+tqKCDxtb5/sDTTP+hfyqyQKBgFk22yJowe+hMriV7JiFkcxt7cdQIupJ6oZZEXFc
-+RE0sqih45OZXLExW75AzK0x2pC0QjML9VY9rLdI8oUJITx44sv0LczgOmn7uVRa5
-+YeCINE9aOKXgMmZMnwMO8nj5kp8TzqWoE4BckRpNveFqd5sKIcy8dNBWyHfGOJpf
-+sYlRAoGBAInxLPkUiSUheq11MPCx5yCzFBTXybZ4PMfIkjpkjkfQEPwBqaYlpWFt
-+j9rUhfoGn6UnqH044mcZZaupAFKM81H++aZPq0cECoau8P49LXJ2ba0DSK8jZ5Io
-+NIO8RX3ARcqJSk/dEaY6WiNH9HyCQtzoVoXYG50InG7KF1jX1Lt3
-+-----END RSA PRIVATE KEY-----
--- a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
@ -1,21 +1,19 @@
--- rsyslog-8.2102.0/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
-+++ rsyslog-8.2102.0.backup.doc.202209071236/doc/configuration/global/index.html	2022-09-07 12:33:21.318360707 +0200
-@@ -119,7 +119,14 @@
+--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
+++ rsyslog-8.2102.0/doc/configuration/global/index.html	2022-09-07 13:32:10.426621438 +0200
+@@ -119,6 +119,13 @@
 <a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
 Defaults to ptcp.</p>
 </li>
-<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
-+<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>  
-+</li>
 +<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
 +This directive allows to configure multiple additional extra CA files.
 +This is intended for SSL certificate chains to work appropriately,
 +as the different CA files in the chain need to be specified.
 +It must be remarked that this directive only works with the OpenSSL driver.
 +</p>
+</li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
 </li>
 <li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
- </li>
@@ -311,4 +318,4 @@
     <div class="footer" role="contentinfo">
     </div>
--- a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
@ -0,0 +1,134 @@
+--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-07 13:32:51.623799582 +0200
+@@ -72,6 +72,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
+	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
+ 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
+ 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
+ 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
+--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-07 13:17:02.669696053 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-07 13:56:37.678966129 +0200
+@@ -122,6 +122,7 @@
+ static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+ static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+ static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
+static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
+ int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
+ static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
+ static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
+@@ -176,6 +177,7 @@
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
+	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
+ 	{ "maxmessagesize", eCmdHdlrSize, 0 },
+ 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
+ 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
+@@ -307,6 +309,8 @@
+ /* TODO: use custom function which frees existing value */
+ SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
+ /* TODO: use custom function which frees existing value */
+SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
+/* TODO: use custom function which frees existing value */
+ 
+ #undef SIMP_PROP
+ #undef SIMP_PROP_SET
+@@ -838,6 +842,12 @@
+ 	return(pszDfltNetstrmDrvrCAF);
+ }
+ 
+/* return the extra CA Files, if needed */
+static uchar*
+GetNetstrmDrvrCAExtraFiles(void)
+{
+      return(pszNetstrmDrvrCAExtraFiles);
+}
+ 
+ /* return the current default netstream driver key File */
+ static uchar*
+@@ -925,6 +935,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile)
+	SIMP_PROP(NetstrmDrvrCAExtraFiles)
+ #ifdef USE_UNLIMITED_SELECT
+ 	SIMP_PROP(FdSetSize)
+ #endif
+@@ -941,6 +952,8 @@
+ 	pszDfltNetstrmDrvr = NULL;
+ 	free(pszDfltNetstrmDrvrCAF);
+ 	pszDfltNetstrmDrvrCAF = NULL;
+	free(pszNetstrmDrvrCAExtraFiles);
+	pszNetstrmDrvrCAExtraFiles = NULL;	
+ 	free(pszDfltNetstrmDrvrKeyFile);
+ 	pszDfltNetstrmDrvrKeyFile = NULL;
+ 	free(pszDfltNetstrmDrvrCertFile);
+@@ -1350,6 +1363,9 @@
+ 			free(pszDfltNetstrmDrvr);
+ 			pszDfltNetstrmDrvr = (uchar*)
+ 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
+			free(pszNetstrmDrvrCAExtraFiles);
+			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
+ 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name,
+@@ -1546,6 +1562,8 @@
+ 	&pszDfltNetstrmDrvrKeyFile, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
+ 	&pszDfltNetstrmDrvrCertFile, NULL));
+	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
+	&pszNetstrmDrvrCAExtraFiles, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
+--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2022-09-07 13:17:02.705696208 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-07 14:09:18.697256943 +0200
+@@ -88,6 +88,7 @@
+ static short bHaveCA;
+ static short bHaveCert;
+ static short bHaveKey;
+static short bHaveExtraCAFiles;
+ static int bAnonInit;
+ static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
+ 
+@@ -414,7 +415,8 @@
+ {
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering osslGlblInit\n");
+-	const char *caFile, *certFile, *keyFile;
+	const char *caFile, *certFile, *keyFile, *extraCaFile;
+	char *extraCaFiles;
+ 
+ 	/* Setup OpenSSL library */
+ 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
+@@ -451,9 +453,27 @@
+ 	} else {
+ 		bHaveKey = 1;
+ 	}
+	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
+	if(extraCaFiles == NULL) {
+		bHaveExtraCAFiles = 0;
+	} else {
+		bHaveExtraCAFiles = 1;
+	}
+ 
+ 	/* Create main CTX Object */
+ 	ctx = SSL_CTX_new(SSLv23_method());
+	if(bHaveExtraCAFiles == 1) {
+		while((extraCaFile = strsep(&extraCaFiles, ","))) {
+			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
+				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
+					"Check at least: 1) file path is correct, 2) file exist, "
+					"3) permissions are correct, 4) file content is correct. "
+					"Open ssl error info may follow in next messages");
+				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
+				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
+			}
+		}
+	}
+ 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
+ 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
+ 				"Check at least: 1) file path is correct, 2) file exist, "
--- a/SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
@ -1,195 +0,0 @@
-diff -up rsyslog-8.2102.0/configure.ac.orig rsyslog-8.2102.0/configure.ac
--- rsyslog-8.2102.0/configure.ac.orig	2022-11-21 11:39:40.717183684 +0100
-+++ rsyslog-8.2102.0/configure.ac	2022-11-21 11:40:18.697206706 +0100
-@@ -387,6 +387,28 @@ if test "$enable_fmhash_xxhash" = "yes";
- 	])
- fi
- 
-+AC_ARG_ENABLE(libcap-ng,
-+        [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
-+        [case "${enableval}" in
-+         yes) enable_libcapng="yes" ;;
-+          no) enable_libcapng="no" ;;
-+           *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
-+         esac],
-+        [enable_libcapng=no]
-+)
-+
-+if test "$enable_libcapng" = "yes"; then
-+        PKG_CHECK_MODULES(
-+                [LIBCAPNG],
-+                [libcap-ng >= 0.8.2],
-+                [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
-+                [AC_MSG_ERROR(libcap-ng is not present.)]
-+        )
-+        CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
-+        LIBS="$LIBS $LIBCAPNG_LIBS"
-+fi
-+
-+
- 
- #gssapi
- AC_ARG_ENABLE(gssapi_krb5,
-@@ -2688,6 +2710,7 @@ echo "    liblogging-stdlog support enab
- echo "    libsystemd enabled:                       $enable_libsystemd"
- echo "    kafka static linking enabled:             $enable_kafka_static"
- echo "    atomic operations enabled:                $enable_atomic_operations"
-+echo "    libcap-ng support enabled:                $enable_libcapng"
- echo
- echo "---{ input plugins }---"
- if test "$unamestr" != "AIX"; then
-diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2022-11-21 11:40:31.926214720 +0100
-+++ rsyslog-8.2102.0/runtime/rsconf.c	2022-11-21 11:44:26.742356979 +0100
-@@ -33,6 +33,9 @@
- #include <sys/resource.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-+#ifdef ENABLE_LIBCAPNG
-+	#include <cap-ng.h>
-+#endif
- 
- #include "rsyslog.h"
- #include "obj.h"
-@@ -546,6 +549,7 @@ rsRetVal doDropPrivGid(void)
- 	uchar szBuf[1024];
- 	DEFiRet;
- 
-+#ifndef ENABLE_LIBCAPNG
- 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
- 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
- 		if(res) {
-@@ -560,9 +564,19 @@ rsRetVal doDropPrivGid(void)
- 	if(res) {
- 		rs_strerror_r(errno, (char*)szBuf, sizeof(szBuf));
- 		LogError(0, RS_RET_ERR_DROP_PRIV,
-				"could not set requested group id: %s", szBuf);
-+				"could not set requested group id: %s via setgid()", szBuf);
- 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
- 	}
-+#else
-+	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
-+	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
-+	if (res) {
-+		LogError(0, RS_RET_LIBCAPNG_ERR,
-+				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
-+		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
-+	}
-+#endif
-+
- 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
- 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
- 		 ourConf->globals.gidDropPriv);
-@@ -599,7 +613,14 @@ static void doDropPrivUid(int iUid)
- 				iUid, szBuf);
- 	}
- 
-+#ifndef ENABLE_LIBCAPNG
- 	res = setuid(iUid);
-+	// res = setuid(cnf->globals.uidDropPriv);
-+#else
-+	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
-+	res = capng_change_id(iUid, -1, capng_flags);
-+#endif
-+
- 	if(res) {
- 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
- 		perror("could not set requested userid");
-diff -up rsyslog-8.2102.0/runtime/rsyslog.h.orig rsyslog-8.2102.0/runtime/rsyslog.h
--- rsyslog-8.2102.0/runtime/rsyslog.h.orig	2022-11-21 11:45:09.007382588 +0100
-+++ rsyslog-8.2102.0/runtime/rsyslog.h	2022-11-21 11:45:31.333396112 +0100
-@@ -582,6 +582,7 @@ enum rsRetVal_				/** return value. All
- 	RS_RET_RABBITMQ_CHANNEL_ERR = -2449, /**< RabbitMQ Connection error */
- 	RS_RET_NO_WRKDIR_SET = -2450, /**< working directory not set, but desired by functionality */
- 	RS_RET_ERR_QUEUE_FN_DUP = -2451, /**< duplicate queue file name */
-+	RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
- 
- 	/* RainerScript error messages (range 1000.. 1999) */
- 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
-diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2022-11-21 11:45:17.587387786 +0100
-+++ rsyslog-8.2102.0/tools/rsyslogd.c	2022-11-21 11:46:19.509425295 +0100
-@@ -38,6 +38,10 @@
- #	include <systemd/sd-daemon.h>
- #endif
- 
-+#ifdef ENABLE_LIBCAPNG
-+	#include <cap-ng.h>
-+#endif
-+
- #include "rsyslog.h"
- #include "wti.h"
- #include "ratelimit.h"
-@@ -321,7 +325,7 @@ checkStartupOK(void)
- 		fprintf(stderr, "rsyslogd: error reading pid file, cannot start up\n");
- 		ABORT_FINALIZE(RS_RET_ERR);
- 	}
-	
-+
- 	/* ok, we got a pid, let's check if the process is running */
- 	const pid_t pid = (pid_t) pf_pid;
- 	if(kill(pid, 0) == 0 || errno != ESRCH) {
-@@ -1594,7 +1598,7 @@ initAll(int argc, char **argv)
- 		localRet = RS_RET_OK;
- 	}
- 	CHKiRet(localRet);
-	
-+
- 	CHKiRet(rsyslogd_InitStdRatelimiters());
- 
- 	if(bChDirRoot) {
-@@ -2019,7 +2023,7 @@ deinitAll(void)
- 	/* close the inputs */
- 	DBGPRINTF("Terminating input threads...\n");
- 	glbl.SetGlobalInputTermination();
-	
-+
- 	thrdTerminateAll();
- 
- 	/* and THEN send the termination log message (see long comment above) */
-@@ -2142,6 +2146,45 @@ main(int argc, char **argv)
- 	if(log_dflt != NULL && !strcmp(log_dflt, "1"))
- 		bProcessInternalMessages = 1;
- 	dbgClassInit();
-+
-+#ifdef ENABLE_LIBCAPNG
-+	/*
-+	 * Drop capabilities to the necessary set
-+	 */
-+	int capng_rc;
-+	capng_clear(CAPNG_SELECT_BOTH);
-+
-+	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+		CAP_BLOCK_SUSPEND,
-+		CAP_CHOWN,
-+		CAP_IPC_LOCK,
-+		CAP_LEASE,
-+		CAP_NET_ADMIN,
-+		CAP_NET_BIND_SERVICE,
-+		CAP_PERFMON,
-+		CAP_SETGID,
-+		CAP_SETUID,
-+		CAP_SYS_ADMIN,
-+		CAP_SYS_CHROOT,
-+		CAP_SYS_RESOURCE,
-+		CAP_SYSLOG,
-+		-1
-+	)) != 0) {
-+		LogError(0, RS_RET_LIBCAPNG_ERR,
-+				"could not update the internal posix capabilities settings "
-+				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
-+		exit(-1);
-+	}
-+
-+	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
-+		LogError(0, RS_RET_LIBCAPNG_ERR,
-+			"could not transfer  the  specified  internal posix  capabilities "
-+			"settings to the kernel, capng_apply=%d\n", capng_rc);
-+		exit(-1);
-+	}
-+	DBGPRINTF("Capabilities were dropped successfully\n");
-+#endif
-+
- 	initAll(argc, argv);
- #ifdef HAVE_LIBSYSTEMD
- 	sd_notify(0, "READY=1");
--- a/SOURCES/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
@ -0,0 +1,72 @@
+diff -up rsyslog-8.2102.0/parse.h.orig rsyslog-8.2102.0/parse.h
+--- rsyslog-8.2102.0/parse.h.orig	2023-05-09 09:10:09.236597063 +0200
+++ rsyslog-8.2102.0/parse.h	2023-05-09 09:10:26.913608034 +0200
+@@ -56,7 +56,7 @@ struct rsParsObject
+ 	rsObjID OID;			/**< object ID */
+ #endif
+ 	cstr_t *pCStr;		/**< pointer to the string object we are parsing */
+-	int iCurrPos;			/**< current parsing position (char offset) */
+	size_t iCurrPos;			/**< current parsing position (char offset) */
+ };
+ typedef struct rsParsObject rsParsObj;
+ 
+diff -up rsyslog-8.2102.0/runtime/stream.c.orig rsyslog-8.2102.0/runtime/stream.c
+--- rsyslog-8.2102.0/runtime/stream.c.orig	2023-05-09 09:10:34.122612508 +0200
+++ rsyslog-8.2102.0/runtime/stream.c	2023-05-09 09:12:47.934640583 +0200
+@@ -1071,7 +1071,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 	cstr_t *thisLine = NULL;
+ 	rsRetVal readCharRet;
+ 	const time_t tCurr = pThis->readTimeout ? getTime(NULL) : 0;
+-	int maxMsgSize = glblGetMaxLine();
+	size_t maxMsgSize = glblGetMaxLine();
+ 	DEFiRet;
+ 
+ 	do {
+@@ -1132,9 +1132,9 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 					}
+ 
+ 
+-					int currLineLen = cstrLen(thisLine);
+					size_t currLineLen = cstrLen(thisLine);
+ 					if(currLineLen > 0) {
+-						int len;
+						size_t len;
+ 						if((len = cstrLen(pThis->prevMsgSegment) + currLineLen) <
+ 						maxMsgSize) {
+ 							CHKiRet(cstrAppendCStr(pThis->prevMsgSegment, thisLine));
+@@ -1144,7 +1144,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 								len = 0;
+ 							} else {
+ 								len = currLineLen-(len-maxMsgSize);
+-								for(int z=0; z<len; z++) {
+								for(size_t z=0; z<len; z++) {
+ 									cstrAppendChar(pThis->prevMsgSegment,
+ 										thisLine->pBuf[z]);
+ 								}
+diff -up rsyslog-8.2102.0/runtime/stringbuf.c.orig rsyslog-8.2102.0/runtime/stringbuf.c
+--- rsyslog-8.2102.0/runtime/stringbuf.c.orig	2023-05-09 09:09:37.627577446 +0200
+++ rsyslog-8.2102.0/runtime/stringbuf.c	2023-05-09 09:09:59.061590749 +0200
+@@ -474,7 +474,7 @@ finalize_it:
+  * This is due to performance reasons.
+  */
+ #ifndef NDEBUG
+-int cstrLen(cstr_t *pThis)
+size_t cstrLen(cstr_t *pThis)
+ {
+ 	rsCHECKVALIDOBJECT(pThis, OIDrsCStr);
+ 	return(pThis->iStrLen);
+diff -up rsyslog-8.2102.0/runtime/stringbuf.h.orig rsyslog-8.2102.0/runtime/stringbuf.h
+--- rsyslog-8.2102.0/runtime/stringbuf.h.orig	2023-05-09 09:08:05.199520082 +0200
+++ rsyslog-8.2102.0/runtime/stringbuf.h	2023-05-09 09:09:26.924570803 +0200
+@@ -144,9 +144,9 @@ rsRetVal cstrAppendCStr(cstr_t *pThis, c
+ 
+ /* now come inline-like functions */
+ #ifdef NDEBUG
+-#	define cstrLen(x) ((int)((x)->iStrLen))
+#	define cstrLen(x) ((size_t)((x)->iStrLen))
+ #else
+-	int cstrLen(cstr_t *pThis);
+	size_t cstrLen(cstr_t *pThis);
+ #endif
+ #define rsCStrLen(s) cstrLen((s))
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-0.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-0.patch
@ -0,0 +1,37 @@
+diff -up rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c
+--- rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig	2023-05-11 14:14:39.778187570 +0200
+++ rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c	2023-05-11 14:15:36.254234445 +0200
+@@ -232,7 +232,11 @@ static rsRetVal curlSetup(wrkrInstanceDa
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->fdErrFile = -1;
+-	pthread_mutex_init(&pData->mutErrFile, NULL);
+	if(pthread_mutex_init(&pData->mutErrFile, NULL) != 0) {
+		LogError(errno, RS_RET_ERR, "omelasticsearch: cannot create "
+			"error file mutex, failing this action");
+		ABORT_FINALIZE(RS_RET_ERR);
+	}
+ 	pData->caCertFile = NULL;
+ 	pData->myCertFile = NULL;
+ 	pData->myPrivKeyFile = NULL;
+@@ -240,6 +244,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
+finalize_it:
+ ENDcreateInstance
+ 
+ BEGINcreateWrkrInstance
+@@ -2165,10 +2170,12 @@ ENDfreeCnf
+ 
+ BEGINdoHUP
+ CODESTARTdoHUP
+	pthread_mutex_lock(&pData->mutErrFile);
+ 	if(pData->fdErrFile != -1) {
+ 		close(pData->fdErrFile);
+ 		pData->fdErrFile = -1;
+ 	}
+	pthread_mutex_unlock(&pData->mutErrFile);
+ ENDdoHUP
+ 
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-1.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-1.patch
@ -0,0 +1,54 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..d7d6c68e60 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -116,6 +116,7 @@ typedef struct instanceConf_s {
+ 	uchar **serverBaseUrls;
+ 	int numServers;
+ 	long healthCheckTimeout;
+	long indexTimeout;
+ 	uchar *uid;
+ 	uchar *pwd;
+ 	uchar *authBuf;
+@@ -187,6 +188,7 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "server", eCmdHdlrArray, 0 },
+ 	{ "serverport", eCmdHdlrInt, 0 },
+ 	{ "healthchecktimeout", eCmdHdlrInt, 0 },
+	{ "indextimeout", eCmdHdlrInt, 0 },
+ 	{ "uid", eCmdHdlrGetWord, 0 },
+ 	{ "pwd", eCmdHdlrGetWord, 0 },
+ 	{ "searchindex", eCmdHdlrGetWord, 0 },
+@@ -355,6 +357,7 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\ttemplate='%s'\n", pData->tplName);
+ 	dbgprintf("\tnumServers=%d\n", pData->numServers);
+ 	dbgprintf("\thealthCheckTimeout=%lu\n", pData->healthCheckTimeout);
+	dbgprintf("\tindexTimeout=%lu\n", pData->indexTimeout);
+ 	dbgprintf("\tserverBaseUrls=");
+ 	for(i = 0 ; i < pData->numServers ; ++i)
+ 		dbgprintf("%c'%s'", i == 0 ? '[' : ' ', pData->serverBaseUrls[i]);
+@@ -1768,6 +1771,8 @@ curlPostSetup(wrkrInstanceData_t *const pWrkrData)
+ 	PTR_ASSERT_SET_TYPE(pWrkrData, WRKR_DATA_TYPE_ES);
+ 	curlSetupCommon(pWrkrData, pWrkrData->curlPostHandle);
+ 	curl_easy_setopt(pWrkrData->curlPostHandle, CURLOPT_POST, 1);
+	curl_easy_setopt(pWrkrData->curlPostHandle,
+		CURLOPT_TIMEOUT_MS, pWrkrData->pData->indexTimeout);
+ }
+ 
+ #define CONTENT_JSON "Content-Type: application/json; charset=utf-8"
+@@ -1797,6 +1802,7 @@ setInstParamDefaults(instanceData *const pData)
+ 	pData->serverBaseUrls = NULL;
+ 	pData->defaultPort = 9200;
+ 	pData->healthCheckTimeout = 3500;
+	pData->indexTimeout = 0;
+ 	pData->uid = NULL;
+ 	pData->pwd = NULL;
+ 	pData->authBuf = NULL;
+@@ -1865,6 +1871,8 @@ CODESTARTnewActInst
+ 			pData->defaultPort = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "healthchecktimeout")) {
+ 			pData->healthCheckTimeout = (long) pvals[i].val.d.n;
+		} else if(!strcmp(actpblk.descr[i].name, "indextimeout")) {
+			pData->indexTimeout = (long) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "uid")) {
+ 			pData->uid = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "pwd")) {
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-2.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-2.patch
@ -0,0 +1,43 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..ed9359732c 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -877,14 +877,6 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 	int i;
+ 	int numitems;
+ 	fjson_object *items=NULL, *jo_errors = NULL;
+-	int errors = 0;
+-
+-	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
+-		errors = fjson_object_get_boolean(jo_errors);
+-		if (!errors && pWrkrData->pData->retryFailures) {
+-			return RS_RET_OK;
+-		}
+-	}
+ 
+ 	/*iterate over items*/
+ 	if(!fjson_object_object_get_ex(replyRoot, "items", &items)) {
+@@ -897,6 +889,15 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 
+ 	numitems = fjson_object_array_length(items);
+ 
+	int errors = 0;
+	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
+		errors = fjson_object_get_boolean(jo_errors);
+		if (!errors && pWrkrData->pData->retryFailures) {
+			STATSCOUNTER_ADD(indexSuccess, mutIndexSuccess, numitems);
+			return RS_RET_OK;
+		}
+	}
+
+ 	if (reqmsg) {
+ 		DBGPRINTF("omelasticsearch: Entire request %s\n", reqmsg);
+ 	} else {
+@@ -1267,6 +1268,7 @@ getDataRetryFailures(context *ctx,int itemStatus,char *request,char *response,
+ 				response);
+ 		}
+ 	}
+
+ 	need_free_omes = 0;
+ 	CHKiRet(msgAddJSON(msg, (uchar*)".omes", omes, 0, 0));
+ 	MsgSetRuleset(msg, ctx->retryRuleset);
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-3.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-3.patch
@ -0,0 +1,148 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index ed9359732c..8200403eaf 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -86,12 +86,14 @@ STATSCOUNTER_DEF(rebinds, mutRebinds)
+ static prop_t *pInputName = NULL;
+ 
+ #	define META_STRT "{\"index\":{\"_index\": \""
+-#	define META_STRT_CREATE "{\"create\":{\"_index\": \""
+#	define META_STRT_CREATE "{\"create\":{"    /* \"_index\": \" */
+#	define META_IX "\"_index\": \""
+ #	define META_TYPE "\",\"_type\":\""
+ #       define META_PIPELINE "\",\"pipeline\":\""
+ #	define META_PARENT "\",\"_parent\":\""
+ #	define META_ID "\", \"_id\":\""
+ #	define META_END  "\"}}\n"
+#	define META_END_NOQUOTE  " }}\n"
+ 
+ typedef enum {
+ 	ES_WRITE_INDEX,
+@@ -362,8 +364,8 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex);
+-	dbgprintf("\tsearch type='%s'\n", pData->searchType);
+	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
+        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -596,8 +598,8 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	assert(srchIndex != NULL);
+-	assert(srchType != NULL);
+	//assert(srchIndex != NULL);
+	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -633,9 +635,14 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		parent = NULL;
+ 	} else {
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-		r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+		if(searchIndex != NULL) {
+			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+			if(r == 0) r = es_addChar(&url, '/');
+			if(searchType != NULL) {
+				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+			}
+		} else
+			r = 0;
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -692,7 +699,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	uchar *pipelineName;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	r += ustrlen((char *)message) + ustrlen(searchIndex) + ustrlen(searchType);
+	r += ustrlen((char *)message);
+        if(searchIndex != NULL)
+                r += ustrlen(searchIndex);
+        if(searchType != NULL)
+                r += ustrlen(searchType);
+ 
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -717,6 +728,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
+       	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -725,28 +737,43 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 	DEFiRet;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE) {
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT_CREATE, sizeof(META_STRT_CREATE)-1);
+-	else
+		endQuote = 0;
+	} else
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT, sizeof(META_STRT)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+	if(searchIndex != NULL) {
+		endQuote = 1;
+		if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
+		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+		if(searchType != NULL) {
+			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));
+		}
+	}
+ 	if(parent != NULL) {
+		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PARENT, sizeof(META_PARENT)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)parent, ustrlen(parent));
+ 	}
+ 	if(pipelineName != NULL && (!pWrkrData->pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PIPELINE, sizeof(META_PIPELINE)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)pipelineName, ustrlen(pipelineName));
+ 	}
+ 	if(bulkId != NULL) {
+		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_ID, sizeof(META_ID)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)bulkId, ustrlen(bulkId));
+ 	}
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
+	if(endQuote == 0) {
+		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END_NOQUOTE, sizeof(META_END_NOQUOTE)-1);
+	} else {
+		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
+	}
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)message, length);
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, "\n", sizeof("\n")-1);
+ 	if(r != 0) {
+@@ -2094,6 +2121,8 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
+	//Only needed befor ES-Version 7.x
+	/*
+ 	if(pData->searchIndex == NULL)
+ 		pData->searchIndex = (uchar*) strdup("system");
+ 	if(pData->searchType == NULL)
+@@ -2104,6 +2133,7 @@ CODESTARTnewActInst
+ 			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+ 		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+ 	}
+	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-4.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-4.patch
@ -0,0 +1,118 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 8200403eaf..8b74d610df 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -130,6 +130,7 @@ typedef struct instanceConf_s {
+ 	uchar *timeout;
+ 	uchar *bulkId;
+ 	uchar *errorFile;
+	int esVersion;
+ 	sbool errorOnly;
+ 	sbool interleaved;
+ 	sbool dynSrchIdx;
+@@ -221,7 +222,8 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "ratelimit.interval", eCmdHdlrInt, 0 },
+ 	{ "ratelimit.burst", eCmdHdlrInt, 0 },
+ 	{ "retryruleset", eCmdHdlrString, 0 },
+-	{ "rebindinterval", eCmdHdlrInt, 0 }
+	{ "rebindinterval", eCmdHdlrInt, 0 },
+	{ "esversion.major", eCmdHdlrPositiveInt, 0 }
+ };
+ static struct cnfparamblk actpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -246,6 +248,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
+	pData->esVersion = 0;
+ finalize_it:
+ ENDcreateInstance
+ 
+@@ -364,8 +367,10 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
+-        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
+	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL
+			? (uchar*)"(not configured)" : pData->searchIndex);
+	dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL
+			? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -598,8 +603,6 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	//assert(srchIndex != NULL);
+-	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -700,11 +703,12 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 	r += ustrlen((char *)message);
+-        if(searchIndex != NULL)
+-                r += ustrlen(searchIndex);
+-        if(searchType != NULL)
+-                r += ustrlen(searchType);
+-
+	if(searchIndex != NULL) {
+		r += ustrlen(searchIndex);
+	}
+	if(searchType != NULL) {
+		r += ustrlen(searchType);
+	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+ 	}
+@@ -728,7 +732,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
+-       	int endQuote = 1;
+	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -1990,6 +1994,8 @@ CODESTARTnewActInst
+ 			pData->retryRulesetName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "rebindinterval")) {
+ 			pData->rebindInterval = (int) pvals[i].val.d.n;
+		} else if(!strcmp(actpblk.descr[i].name, "esversion.major")) {
+			pData->esVersion = pvals[i].val.d.n;
+ 		} else {
+ 			LogError(0, RS_RET_INTERNAL_ERROR, "omelasticsearch: program error, "
+ 				"non-handled param '%s'", actpblk.descr[i].name);
+@@ -2121,19 +2127,18 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
+-	//Only needed befor ES-Version 7.x
+-	/*
+-	if(pData->searchIndex == NULL)
+-		pData->searchIndex = (uchar*) strdup("system");
+-	if(pData->searchType == NULL)
+-		pData->searchType = (uchar*) strdup("events");
+	if(pData->esVersion < 8) {
+		if(pData->searchIndex == NULL)
+			pData->searchIndex = (uchar*) strdup("system");
+		if(pData->searchType == NULL)
+			pData->searchType = (uchar*) strdup("events");
+ 
+-	if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
+-		LogError(0, RS_RET_CONFIG_ERROR,
+-			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+-		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+		if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
+			LogError(0, RS_RET_CONFIG_ERROR,
+				"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+			ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+		}
+ 	}
+-	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-5.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-5.patch
@ -0,0 +1,40 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 76d5081d3b..f481ec3f7e 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -620,6 +620,8 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	uchar *parent;
+ 	uchar *bulkId;
+ 	char* baseUrl;
+	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
+	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+ 	int r;
+ 	DEFiRet;
+@@ -645,11 +647,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+ 			if(r == 0) r = es_addChar(&url, '/');
+-			if(searchType != NULL) {
+-				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+-			}
+-		} else
+-			r = 0;
+
+		if(searchType != NULL) {
+			actualSearchType = searchType;
+		}
+		if(r == 0) r = es_addChar(&url, '/');
+		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -693,7 +696,7 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	const uchar *const message,
+ 	uchar **const tpls)
+ {
+-	size_t r = sizeof(META_TYPE)-1 + sizeof(META_END)-1 + sizeof("\n")-1;
+	size_t r = sizeof(META_END)-1 + sizeof("\n")-1;
+ 	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+ 		r += sizeof(META_STRT_CREATE)-1;
+ 	else
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-6.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-6.patch
@ -0,0 +1,53 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index f481ec3f7e..b297a9274f 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -623,7 +623,7 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
+ 	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+-	int r;
+	int r = 0;
+ 	DEFiRet;
+ 	instanceData *const pData = pWrkrData->pData;
+ 	char separator;
+@@ -646,13 +646,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+			if(searchType != NULL && searchType[0] != '\0') {
+				actualSearchType = searchType;
+			}
+ 			if(r == 0) r = es_addChar(&url, '/');
+-
+-		if(searchType != NULL) {
+-			actualSearchType = searchType;
+			if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		}
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -714,7 +713,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 		r += ustrlen(searchIndex);
+ 	}
+ 	if(searchType != NULL) {
+-		r += ustrlen(searchType);
+		if(searchType[0] == '\0') {
+			r += 4; // "_doc"
+		} else {
+			r += ustrlen(searchType);
+		}
+ 	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -759,7 +762,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-		if(searchType != NULL) {
+		if(searchType != NULL && searchType[0] != '\0') {
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-doc.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-doc.patch
@ -0,0 +1,32 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html
+--- rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig	2023-05-11 15:56:24.308601241 +0200
+++ rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html	2023-05-11 15:57:11.000662477 +0200
+@@ -156,6 +156,28 @@ this timeframe. Defaults to 3500.</p>
+ <p><em>Note, the health check is verifying connectivity only, not the state of
+ the Elasticsearch cluster.</em></p>
+ </div>
+
+<div class="section" id="esVersion.major">
+  <span id="id2"></span><h4>esVersion.major<a class="headerlink" href="#esVersion.major" title="Permalink to this headline">¶</a></h4>
+  <table border="1" class="colwidths-auto parameter-table docutils">
+  <thead valign="bottom">
+  <tr class="row-odd"><th class="head">type</th>
+  <th class="head">default</th>
+  <th class="head">mandatory</th>
+  <th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
+  </tr>
+  </thead>
+  <tbody valign="top">
+  <tr class="row-even"><td>integer</td>
+  <td>0</td>
+  <td>no</td>
+  <td>none</td>
+  </tr>
+  </tbody>
+  </table>
+  <p>ElasticSearch is notoriously bad at maintaining backwards compatibility. For this reason, the setting can be used to configure the server’s major version number (e.g. 7, 8, …). As far as we know breaking changes only happen with major version changes. As of now, only value 8 triggers API changes. All other values select pre-version-8 API usage.</p>
+  </div>
+
+ <div class="section" id="searchindex">
+ <span id="id3"></span><h4>searchIndex<a class="headerlink" href="#searchindex" title="Permalink to this headline">¶</a></h4>
+ <table border="1" class="colwidths-auto parameter-table docutils">
--- a/SOURCES/rsyslog.conf
+++ b/SOURCES/rsyslog.conf
@ -4,23 +4,13 @@
 # or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
 # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

-#### GLOBAL DIRECTIVES ####
-
-# Where to place auxiliary files
-global(workDirectory="/var/lib/rsyslog")
-
-# Use default timestamp format
-module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
-
-# Include all config files in /etc/rsyslog.d/
-include(file="/etc/rsyslog.d/*.conf" mode="optional")
-
 #### MODULES ####

 module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
 			  # local messages are retrieved through imjournal now.
 module(load="imjournal" 	    # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
       StateFile="imjournal.state") # File to store the position in the journal
 #module(load="imklog") # reads kernel messages (the same are read from journald)
 #module(load="immark") # provides --MARK-- message capability
@ -35,6 +25,17 @@ module(load="imjournal" 	    # provides access to the systemd journal
 #module(load="imtcp") # needs to be done just once
 #input(type="imtcp" port="514")

+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
 #### RULES ####

 # Log all kernel messages to the console.
@ -67,13 +68,13 @@ local7.*                                                /var/log/boot.log

 # ### sample forwarding rule ###
 #action(type="omfwd"  
-# # An on-disk queue is created for this action. If the remote host is
-# # down, messages are spooled to disk and sent when it is up again.
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
 #queue.filename="fwdRule1"       # unique name prefix for spool files
 #queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
 #queue.saveonshutdown="on"       # save messages to disk on shutdown
 #queue.type="LinkedList"         # run asynchronously
 #action.resumeRetryCount="-1"    # infinite retries if host is down
-# # Remote Logging (we use TCP for reliable delivery)
-# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+# Remote Logging (we use TCP for reliable delivery)
+# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
 #Target="remote_host" Port="XXX" Protocol="tcp")
--- a/SOURCES/rsyslog.service
+++ b/SOURCES/rsyslog.service
@ -1,6 +1,8 @@
 [Unit]
 Description=System Logging Service
 ;Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
 Documentation=man:rsyslogd(8)
 Documentation=https://www.rsyslog.com/doc/

@ -8,10 +10,21 @@ Documentation=https://www.rsyslog.com/doc/
 Type=notify
 EnvironmentFile=-/etc/sysconfig/rsyslog
 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
-ExecReload=/usr/bin/kill -HUP $MAINPID
 UMask=0066
 StandardOutput=null
 Restart=on-failure
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=net
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @raw-io @reboot @swap @cpu-emulation @obsolete
+LockPersonality=yes
+MemoryDenyWriteExecute=yes

 # Increase the default a bit in order to allow many simultaneous
 # files to be monitored, we might need a lot of fds.
--- a/SPECS/rsyslog.spec
+++ b/SPECS/rsyslog.spec