riemann-tools

--tls generates error, drops events

Open tempire opened this issue 1 year ago • 3 comments

Issue

When the --tls switch is used:

riemann-health --host example.com --port 5554 --tcp --tls

No events are sent to the server.

Dropped 113 events due to no implicit conversion of nil into String

What's your riemann-tools version?

riemann-tools (1.10.0)

What platform are you on?

Same result on macos, alpine, and ami2 linux. Works fine when not sending to tls-enabled server.

Events work fine using tls in nodejs.

tempire, Feb 05 '24 23:02

Hey! Using --tls without --tls-ca-cert, --tls-cert and --tls-key? I guess you can skip --tls-ca-cert if you decide to ignore the CA verification (--no-tls-verify), but key and cert MUST be provided for mutual-TLS authentication…

Maybe we should fail hard at startup if --tls is requested but some parameters are missing?

smortex, Feb 06 '24 00:02
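
The startup check suggested in the comment above, sketched in Ruby as an added example (not riemann-tools or riemann-ruby-client code). The options hash, its keys and the function names are hypothetical; the rules follow that comment: cert and key always, CA cert unless --no-tls-verify is given.

```ruby
# Added example: not riemann-tools code. Keys and function names are
# hypothetical; the flags are the ones named in this thread.

# Record a problem for one file-valued option.
def check_tls_file(errors, path, flag, required:, hint: '')
  if path.nil? || path.empty?
    errors << "#{flag} is required with --tls#{hint}" if required
  elsif !File.readable?(path)
    errors << "#{flag}: cannot read #{path}"
  end
end

# Returns a list of problems; an empty list means the TLS options are usable.
def tls_option_errors(opts)
  return [] unless opts[:tls]

  errors = []
  # Mutual TLS: the client must present a certificate and its private key.
  check_tls_file(errors, opts[:tls_cert], '--tls-cert', required: true)
  check_tls_file(errors, opts[:tls_key], '--tls-key', required: true)
  # The CA bundle may be omitted only when verification is switched off.
  verify = opts[:tls_verify] != false
  check_tls_file(errors, opts[:tls_ca_cert], '--tls-ca-cert',
                 required: verify, hint: ' (or pass --no-tls-verify)')
  errors
end

# Call once after option parsing, before any event is queued.
def ensure_tls_options!(opts)
  errors = tls_option_errors(opts)
  raise ArgumentError, errors.join('; ') unless errors.empty?
end

if $PROGRAM_NAME == __FILE__
  # Constructed options matching the invocation in the report above.
  reported = { host: 'example.com', port: 5554, tcp: true, tls: true }
  puts tls_option_errors(reported)
end
```

With a check like this, the invocation from the report stops at startup with one message per missing option instead of dropping every event.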

Yes, without ca-cert, cert, and key. I want secure communication, not authentication. The server has a letsencrypt-issued cert.

tempire, Feb 06 '24 01:02

> I want secure communication, not authentication

Hum, is this supported by riemann? The server seems to assert presence of cert, key and ca-cert to start a TLS server: https://github.com/riemann/riemann/blob/2f06db732bdf65108572e0a37212719a915b6c2c/src/riemann/transport/tcp.clj#L281-L284

It looks like riemann-client currently assumes mutual-TLS authentication, which seems aligned with this: https://github.com/riemann/riemann-ruby-client/blob/main/lib/riemann/client/ssl_socket.rb#L20-L21

> Events work fine using tls in nodejs.

Are you saying you made unauthenticated TLS work with a nodejs client? Can you share your riemann config? My attempts to start an unauthenticated TLS server failed…

smortex, Feb 06 '24 01:02