[sudo-users] Certificate Verification Problem When connecting to sudo logsrvd

Alexander Reichle-Schmehl alexander at alphamar.org
Wed Dec 27 05:16:19 MST 2023


Hi!

I'm currently playing with sudo input / output logs, and sending to a
central log server.

Thanks to the good examples I already managed to set up a test CA and
send logs successfully from a couple of Linux Test machines to my
logserver.  So in principle it seems to be working.

However, I would also like to add AIX servers, and here - using the same
configuration as on my Linux systems - I run into the following error:

reichle at mqde01aixtest02:/home/reichle # sudo echo Test
sudo: TLS connection to <mysyslogserver>:30344 failed: certificate verify failed
sudo: TLS handshake was unsuccessful: Error 0
sudo: unable to connect to log server sudo: error initializing I/O plugin sudoers_io


The relevant part of the client's configuration is, on both systems -
working Linux and non-working AIX - the following:
Defaults log_output
Defaults log_input
#Defaults iolog_dir=/tmp/SUDO_IO_LOG
Defaults log_server_cabundle=/etc/ssl/sudo/mq-sudo-cacert.pem
Defaults log_servers=mqde01syslog01.marquardt.de(tls)
Defaults log_server_peer_cert=/etc/ssl/sudo/certs/sudo-log.crt
Defaults log_server_peer_key=/etc/ssl/sudo/private/sudo-log.key


If I try to connect via openssl directly, it seems to be working:
reichle at mqde01aixtest02:/home/reichle # openssl s_client -CAfile /etc/ssl/sudo/mq-sudo-cacert.pem  -connect <mysyslog_server>:30344
CONNECTED(00000004)
[..]
---
SSL handshake has read 3596 bytes and written 409 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
[..]
Verify return code: 0 (ok)
---
[..]
udo Audit Server 1.9.13p3


On the AIX systems, I use the openssl 1.1.1 packages provided by IBM,
and the sudo rpm packages provided by sudo.ws (sudo-1.9.15-5.aix71.rpm).

Anyone got a good idea in what direction I should investigate?  It
works when I also set Defaults !log_server_verify, but I'd rather not do
so unless there is no other way.


Best regards,
  Alexander
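The s_client run in the post, as invoked, presents no client certificate and does not check that the server certificate matches the host name in log_servers, so it can report OK where a stricter client fails. The shell helpers below are an added example, not code from the sudo project or from the post: they check the files named by the Defaults log_server_* lines (chain, key/cert match, and a hostname-verified handshake) and assume openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the sudo project or of the original post.
# Cross-checks the files named by the Defaults log_server_* lines before
# resorting to !log_server_verify. Assumes openssl(1) 1.1.1 or newer on PATH.

# chain_ok CABUNDLE CERT: does CERT chain to a CA in CABUNDLE?
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY: does the private key belong to the certificate?
# Compares the SubjectPublicKeyInfo from both files; fails closed if either
# file cannot be read.
key_matches() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# server_verify CABUNDLE CERT KEY HOST PORT: connect with the client cert and,
# unlike the bare s_client run, require the server cert to match HOST.
# Prints OpenSSL's verdict line; succeeds only on "0 (ok)".
server_verify() {
    out=$(openssl s_client -CAfile "$1" -cert "$2" -key "$3" \
            -verify_hostname "$4" -verify_return_error \
            -connect "$4:$5" </dev/null 2>&1)
    echo "$out" | grep 'Verify return code'
    echo "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Runs all three checks with the paths and host from the post; the port is the
# one in the sudo error message. Returns non-zero if any check fails.
sudo_tls_check() {
    cabundle=/etc/ssl/sudo/mq-sudo-cacert.pem
    cert=/etc/ssl/sudo/certs/sudo-log.crt
    key=/etc/ssl/sudo/private/sudo-log.key
    host=mqde01syslog01.marquardt.de
    port=30344
    rc=0
    chain_ok "$cabundle" "$cert" && echo "ok:   client cert chains to CA bundle" \
        || { echo "FAIL: client cert does not verify against CA bundle"; rc=1; }
    key_matches "$cert" "$key" && echo "ok:   client key matches client cert" \
        || { echo "FAIL: client key does not match client cert"; rc=1; }
    server_verify "$cabundle" "$cert" "$key" "$host" "$port" \
        && echo "ok:   server cert verifies and matches $host" \
        || { echo "FAIL: server cert rejected for $host (see verdict above)"; rc=1; }
    return $rc
}
```

Source the file on the AIX client and run sudo_tls_check; a "hostname mismatch" verdict from server_verify points at the server certificate's SAN/CN rather than at the CA bundle.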