[sudo-users] TLS Configuration with sudo

Todd C. Miller Todd.Miller at sudo.ws
Fri Aug 4 08:18:34 MDT 2023


On Fri, 04 Aug 2023 12:46:11 -0000, "sean.dolan--- via sudo-users" wrote:

> RedHat 7.9, Sudo 1.9.13-1. I'm having an issue with sudo (sudoers, sudo-logsrvd)
> TLS where I'm getting a generic "verification failed" error (e.g. `sudo date`)
> when using TLS for log_servers (i.e. sudo-logsrvd) in the sudoers file.
> The machine that is running the sudo-logsrvd service has the following line in
> its journal: "tlsv1 alert unknown ca". I think the message is the server
> trying to verify the client??
>
> When I use openssl s_client to connect to the logsrvd TLS port, I get a
> self-signed cert error unless I include the -CAfile option, so I included a
> log_server_cabundle directive to the sudoers file to match, but that didn't
> seem to actually fix or change the error at all.

The log server will try to validate the client certificate by default
so you will need to have the CA bundle on the log server too.  The
sudo_logsrvd man page has an example of how to use self-signed
certificates and the configuration necessary.

If you don't want to validate the client certs, you can add:

    tls_checkpeer = false

to sudo_logsrvd.conf.  Note that sudo_logsrvd will also validate
its own certificate by default unless you disable tls_verify.

 - todd
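The two-sided setup Todd's reply describes, written out as an added example that is not from this thread or from the sudo project: the log server's /etc/sudo_logsrvd.conf validating client certificates against the CA bundle, and the matching sudoers client settings. The host name, port and file paths are assumptions; the option names are the sudo 1.9 ones documented in sudo_logsrvd.conf(5) and sudoers(5).

```ini
# --- /etc/sudo_logsrvd.conf on the log server (assumed path) ---
[server]
listen_address = *:30344(tls)
# The server's own certificate and private key (assumed paths).
tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# CA bundle the server uses to validate the certificate each client
# presents. Without the bundle here, a client certificate issued by this
# CA cannot be validated and the TLS handshake fails.
tls_cacert = /etc/ssl/sudo/cacert.pem
# Mutual TLS: validate client certificates. Setting this to false is the
# weak alternative; it lets any host that can reach the port submit records.
tls_checkpeer = true
# Verify the server's own certificate chain at startup.
tls_verify = true

# --- /etc/sudoers fragment on each client host (assumed) ---
# The client validates the server certificate against the same CA bundle
# and presents its own certificate, which the server checks above.
Defaults log_servers = logsrv.example.com:30344(tls)
Defaults log_server_cabundle = /etc/ssl/sudo/cacert.pem
Defaults log_server_peer_cert = /etc/ssl/sudo/certs/client_cert.pem
Defaults log_server_peer_key = /etc/ssl/sudo/private/client_key.pem
```

Each side needs the CA bundle that signed the other side's certificate; from a client host, `openssl s_client -connect logsrv.example.com:30344 -CAfile cacert.pem -cert client_cert.pem -key client_key.pem` exercises the same mutual handshake and shows which side's verification fails.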
