Linux rsyslogd SSL to nxlog errno=9 is reported even with Digital Signature flag omitted

#1 comoalt

Hello,

I am setting up an SSL connection between rsyslog on a Linux box and an nxlog endpoint. While win boxes connect like a charm, Linux boxes issue the following:

2018-10-12 11:51:26 ERROR remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found

I then found on your forum this post https://nxlog.co/question/1926/nxlog-ce-v291716-certificate-built-ecdsa-key where they talk about rebuilding the certificate without the Digital Signature KeyUsage flag.

I assumed I had to rebuild client.crs, since my rootCA.crt does not report any Digital Signature:

X509v3 extensions:
    X509v3 Subject Key Identifier:
        AB:E6:E4:61:11:89:43:21:87:FB:91:08:44:C0:15:A7:41:3B:A3:53
    X509v3 Authority Key Identifier:
        keyid:AB:E6:E4:61:11:89:43:21:87:FB:91:08:44:C0:15:A7:41:3B:A3:53
        DirName:/C=US/ST=Some-State/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (e.g. server FQDN or YOUR name)/emailAddress=Email Address
        serial:AF:06:5F:4B:97:ED:81:90

    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Key Usage:
        Certificate Sign, CRL Sign

I built a new client.csr without any trace of X509v3 extensions, but I always get the same error message.

Any help is well appreciated. Thanks

#2 b0ti Nxlog ✓

I don't think the CA is responsible. You'll need to figure out why the client closes the connection. Wireshark can also be quite useful to debug the TLS handshake. Also see the OpenSSL Certificate Creation section in the user guide.
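
The Key Usage check discussed in this thread, as an added example (not part of the original posts or of the NXLog user guide): a shell function that reads the text dump of one certificate and reports whether it is a CA and whether its Key Usage permits Digital Signature, so the CA and the client certificate can be compared side by side. The function name x509_usage_summary and the leaf sample are constructed for illustration.

```shell
#!/bin/sh
# Usage: openssl x509 -in client.crt -noout -text | x509_usage_summary
x509_usage_summary() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /X509v3 [A-Za-z ]+:/ {          # extension header, possibly ": critical"
            section = $0
            sub(/^[ \t]*X509v3 /, "", section)
            sub(/:.*$/, "", section)
            next
        }
        NF == 0 { next }                 # blank lines inside the dump
        section == "Basic Constraints"  { ca = ($0 ~ /CA:TRUE/) ? "yes" : "no"; section = "" }
        section == "Key Usage"          { ku = trim($0); section = "" }
        section == "Extended Key Usage" { eku = trim($0); section = "" }
        END {
            # Without a Key Usage extension the key is not restricted (RFC 5280).
            if (ku == "")                      ds = "unrestricted"
            else if (ku ~ /Digital Signature/) ds = "yes"
            else                               ds = "no"
            printf "ca=%s\n", (ca == "" ? "no" : ca)
            printf "key_usage=%s\n", (ku == "" ? "absent" : ku)
            printf "digital_signature=%s\n", ds
            printf "extended_key_usage=%s\n", (eku == "" ? "absent" : eku)
        }
    '
}

# Sample 1: the rootCA.crt lines quoted in the question (shortened).
sample_ca() {
cat <<'EOF'
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Key Usage:
        Certificate Sign, CRL Sign
EOF
}

# Sample 2: constructed dump of a client (leaf) certificate.
sample_leaf() {
cat <<'EOF'
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication
EOF
}

sample_ca | x509_usage_summary
sample_leaf | x509_usage_summary
```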