Rsyslog supports OCSP?

Hello,
I want to know about OCSP support in rsyslog. I am using RHEL 7.6. I already have rsyslog implemented with TLS. Now I need to implement Certificate Revocation Check as well. So please guide me in the correct direction if rsyslog doesn't provide OCSP support yet.

Does rsyslog support OCSP now?

Hello Neo,
I mean to ask, if rsyslog doesn't provide OCSP support then what will be the best way to implement it?

Yes, but I asked you

Does rsyslog support OCSP now?

It's a yes or no question.

Hello Neo,
On rsyslog website, there is nothing mentioned for OCSP support. Hence the answer is No.

OK. So, let's forget about rsyslog completely.

What exactly do you wish to accomplish?

The title of this topic is "Rsyslog supports OCSP?"; however, the answer to this question is "no".

Hello Neo,
I want to implement a certificate revocation check for the certificates used by my rsyslog client. E.g. my rsyslog client is pushing logs to a remote server and they both use certificate X. Currently there is no validation check present for whether certificate X is expired or not. There could be some changes in the details of certificate X, and hence it is important to check whether it is valid or not before pushing the logs via the rsyslog utility to the remote server. Hence, I was trying to see if rsyslog supports OCSP or CRL, by which I can implement a certificate revocation check.

Yes, but we have already established, and it is well documented, that rsyslog does not support OCSP.

So, you cannot set up OCSP for rsyslog, unless you want to rewrite rsyslog so it supports this capability.

rsyslog does not support OCSP.

Hello Neo,
Got the point. So the only option is to rewrite rsyslog in order to support OCSP. Thank you for the help.

I am not sure if modifying rsyslog is the only option, but it appears to be the only option if you need to use only rsyslog.

There may be other logging facilities which may support OCSP. Maybe you can look into another logging facility?

Hello Neo,
I will look for another open-source logging facility which can replace rsyslog. If there is no such utility then I am stuck with rsyslog.

Please post back and let us know what you come up with. I'm interested in your project.

Hello Neo,
Sure. I will post an update in this thread once I find something.


Hello Neo,
Following is the update on my own solution to the rsyslog-ocsp problem:

As rsyslog does not provide an OCSP check, I have created a daemon service to perform the certificate revocation check. Basically, my service will check for the OCSP URL in the certificate used for the rsyslog-TLS setup. Once the OCSP URL is found, the service will execute the openssl ocsp check command to validate the authenticity of that certificate. If the certificate is not valid then in my case I am just removing the rsyslog-TLS configuration from the rsyslog.conf file and restarting the rsyslog service.

Let me know if you have more questions on this approach.

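The watchdog described in the update above, as an added example that is not the poster's own daemon: it reads the responder URI with `openssl x509 -ocsp_uri`, queries it with `openssl ocsp`, and on a revoked (or, since the original question also asked about it, expired) certificate comments out rsyslog's legacy TLS directives and restarts the service. Certificate paths, the check interval, the `OCSP-REVOKED:` marker and the assumption that the config uses the legacy `$DefaultNetstreamDriver*` / `$ActionSendStreamDriver*` directives are all mine, not the thread's.

```shell
#!/bin/sh
# Added example, not the thread author's daemon: an OCSP watchdog for an rsyslog
# TLS client. All paths, the interval and the directive names are assumptions.

CERT="${RSYSLOG_CERT:-/etc/rsyslog.d/certs/client-cert.pem}"   # assumed path
ISSUER="${RSYSLOG_ISSUER:-/etc/rsyslog.d/certs/ca.pem}"        # assumed path (issuer CA)
RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.conf}"
INTERVAL="${OCSP_INTERVAL:-3600}"                               # seconds between checks

# Print the OCSP responder URI from the certificate's Authority Information Access extension.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Query the responder. -CAfile makes openssl verify the response signature
# against the issuer CA rather than printing an unverified status.
ocsp_query() {
    openssl ocsp -issuer "$2" -cert "$1" -url "$3" -CAfile "$2" 2>&1
}

# Classify openssl ocsp output. Prints good|revoked|unknown; exit 0 only for good.
# A failed signature check, an unreachable responder or an unknown serial all
# land in "unknown", which is deliberately NOT treated as revoked.
ocsp_status() {
    case "$1" in
        *"Response Verify Failure"*) echo unknown; return 2 ;;
        *": good"*)                  echo good;    return 0 ;;
        *": revoked"*)               echo revoked; return 1 ;;
        *)                           echo unknown; return 2 ;;
    esac
}

# Comment out rsyslog's legacy TLS directives in place, keeping a timestamped backup.
# The two directive prefixes are rsyslog's real legacy names; that your file uses
# them (rather than RainerScript syntax) is an assumption.
disable_tls() {
    conf=$1
    bak="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$bak" || return 1
    sed -E 's/^([[:space:]]*\$(DefaultNetstreamDriver|ActionSendStreamDriver))/# OCSP-REVOKED: \1/' \
        "$bak" > "$conf"
}

# What the thread does on a bad certificate: drop the TLS config and restart rsyslog.
drop_tls_and_restart() {
    disable_tls "$RSYSLOG_CONF" && systemctl restart rsyslog
}

# One full check. Returns 0 = good, 1 = revoked or expired (TLS config dropped),
# 2 = status undetermined (config left untouched).
check_once() {
    # OCSP says nothing about expiry; -checkend 0 fails once notAfter has passed.
    if ! openssl x509 -noout -checkend 0 -in "$CERT" >/dev/null 2>&1; then
        logger -t ocsp-watch "$CERT is expired; dropping TLS config"
        drop_tls_and_restart; return 1
    fi
    url=$(ocsp_uri_of "$CERT") || return 2
    if [ -z "$url" ]; then
        logger -t ocsp-watch "no OCSP URI in $CERT; cannot check revocation"; return 2
    fi
    out=$(ocsp_query "$CERT" "$ISSUER" "$url")
    status=$(ocsp_status "$out") || true
    logger -t ocsp-watch "OCSP status for $CERT via $url: $status"
    case "$status" in
        good)    return 0 ;;
        revoked) drop_tls_and_restart; return 1 ;;
        *)       return 2 ;;
    esac
}

run_daemon() {
    while :; do
        check_once || true
        sleep "$INTERVAL"
    done
}

# Only act when asked, so the functions above can be sourced and tested.
case "${1:-}" in
    --once)   check_once ;;
    --daemon) run_daemon ;;
esac
```

Run it with `--once` from cron or with `--daemon` under a systemd unit. Two design points worth noticing: an unreachable responder or a response whose signature does not verify is reported as `unknown` and leaves the configuration alone, so a responder outage does not silently strip TLS; and commenting out only the netstream-driver directives leaves the `@@` forwarding action active over plain TCP, so if clear-text forwarding is worse than no forwarding in your environment, comment out the action line in `disable_tls` as well.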
