You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If you try to use the SyslogSecure transport while running the code under Windows, everything works great.
If you try to use it while running under Docker/Linux, nothing gets sent to Loggly. An SSL exception will be thrown silently which is only discoverable if you attach the Loggly library and run it through a debugger. (The important part is Linux, not Docker)
The exception thrown is:
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
---> Interop+Crypto+OpenSslCryptographicException: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
--- End of inner exception stack trace ---
You can resolve this error a couple different ways;
Modify /etc/ssl/openssl.crt, by adding the following at the top of the file:
This works by setting the CipherString to SECLEVEL 1 instead of the default which is SECLEVEL 2. The problem with this is it requires you modify the OS-level configuration for the container/server which means the library won't work out of the box.
The second way that works to resolve it, is by modifying the C# code in this library. This requires code that references methods present only in >= .Net 5.
in SyslogSecureTransport.cs, in the GetNetworkStream method, the following change resolves the issue, by making every TlsCipherSuite acceptable - which isn't ideal.
- await sslStream.AuthenticateAsClientAsync(Hostname).ConfigureAwait(false);
+ var sas = new SslClientAuthenticationOptions();
+ sas.TargetHost = Hostname;
+ sas.CipherSuitesPolicy = new CipherSuitesPolicy(Enum.GetValues<TlsCipherSuite>());
+
+ await sslStream.AuthenticateAsClientAsync(sas).ConfigureAwait(false);
Both methods will work to solve the issue, but neither are particularly elegant. It would be great to fix this inside the library, but it would need to take into account whether the library is targeting .Net5 and is running on Linux vs Windows, and be more precise on exactly what ciphers are needed.
I hope this info is helpful at least as a starting point to coming up with a solution that can be made part of this package. Happy to provide any additional info.
The text was updated successfully, but these errors were encountered:
If you try to use the SyslogSecure transport while running the code under Windows, everything works great.
If you try to use it while running under Docker/Linux, nothing gets sent to Loggly. An SSL exception will be thrown silently which is only discoverable if you attach the Loggly library and run it through a debugger. (The important part is Linux, not Docker)
The exception thrown is:
You can resolve this error a couple different ways;
/etc/ssl/openssl.crt, by adding the following at the top of the file:and this at the bottom:
This works by setting the CipherString to SECLEVEL 1 instead of the default which is SECLEVEL 2. The problem with this is it requires you modify the OS-level configuration for the container/server which means the library won't work out of the box.
in SyslogSecureTransport.cs, in the GetNetworkStream method, the following change resolves the issue, by making every TlsCipherSuite acceptable - which isn't ideal.
Both methods will work to solve the issue, but neither are particularly elegant. It would be great to fix this inside the library, but it would need to take into account whether the library is targeting .Net5 and is running on Linux vs Windows, and be more precise on exactly what ciphers are needed.
I hope this info is helpful at least as a starting point to coming up with a solution that can be made part of this package. Happy to provide any additional info.
The text was updated successfully, but these errors were encountered: