I am in the process of migrating one of my servers from Ubuntu 18.04 to Ubuntu 22.04.

I am copying over my syslog-ng config and have gotten it to mostly work, except that it will not connect to my MySQL server (currently in need of an upgrade; it is using MariaDB 10.1 and only supports TLS 1.1 from what I can tell).

I have tried editing /etc/ssl/openssl.cnf to support older protocols, but it does not seem to affect it, and I am running out of ideas on how to configure the SSL parameters in my config.

Here is the relevant portion of my config:

destination d_sql {
  sql(
          type(mysql)
          host("REDACTED") username("REDACTED") password("REDACTED")
          database("REDACTED")
          table("REDACTED")
          columns( "username" , "user_agent" )
          values("${json.username}" , "${json.user_agent}" )
          flags(dont-create-tables,explicit-commits)
  );
};
Tim Holum

1 Answer

syslog-ng is using MySQL through the libdbi library. I couldn't find explicit configuration of SSL settings via libdbi; however, you can pass configuration settings via dbd-option() arguments to the sql driver.

These are the dbd-options that the MySQL driver of libdbi-drivers accepts:

~/sources/libdbi-drivers-0.9.0/drivers/mysql$ grep get_option *.c
    const char *host = dbi_conn_get_option(conn, "host");
    const char *username = dbi_conn_get_option(conn, "username");
    const char *password = dbi_conn_get_option(conn, "password");
    const char *dbname = dbi_conn_get_option(conn, "dbname");
    const char *encoding = dbi_conn_get_option(conn, "encoding");
    const char *port = dbi_conn_get_option(conn, "port");
      n_port = (long)dbi_conn_get_option_numeric(conn, "port");
    int timeout = dbi_conn_get_option_numeric(conn, "timeout");
    const char *unix_socket = dbi_conn_get_option(conn, "mysql_unix_socket");
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_compression") > 0) ? CLIENT_COMPRESS : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_compress") > 0) ? CLIENT_COMPRESS : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_found_rows") > 0) ? CLIENT_FOUND_ROWS : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_ignore_SPACE") > 0) ? CLIENT_IGNORE_SPACE : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_interactive") > 0) ? CLIENT_INTERACTIVE : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_local_files") > 0) ? CLIENT_LOCAL_FILES : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_multi_statements") > 0) ? CLIENT_MULTI_STATEMENTS : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_multi_results") > 0) ? CLIENT_MULTI_RESULTS : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_no_schema") > 0) ? CLIENT_NO_SCHEMA : 0;
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_odbc") > 0) ? CLIENT_ODBC : 0;
    encodingopt = dbi_conn_get_option(conn, "encoding");
                if (dbi_conn_get_option_numeric(result->conn, "mysql_include_trailing_null") == 1) {

Unfortunately, at first sight, I can't see a setting that changes SSL settings for the MySQL client lib.

This chapter https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-protocol-negotiation

To set these settings programmatically, one would need to call either the mysql_ssl_set() function (https://dev.mysql.com/doc/c-api/5.7/en/mysql-ssl-set.html) or the more generic mysql_options() function (https://dev.mysql.com/doc/c-api/5.7/en/mysql-options.html).

Unfortunately, neither is supported by libdbi-drivers/mysql, so at the moment, you can't really change TLS settings from within syslog-ng.

It would not be very difficult to add, though: through the above-mentioned dbd-option() interface, one could imagine all these settings being made available.

bazsi77
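The check described in the answer above, as an added example (not code from syslog-ng, libdbi-drivers or the answer's author): it extracts the option names the driver source reads from the quoted grep output, then reports which dbd-option() entries in a config the driver would never look up. The config, the host name and the option name `mysql_ssl_ca` are constructed for illustration, and the `dbd-option("name" value)` syntax is assumed.

```python
import re

# Constructed sample: a few lines of the grep output quoted in the answer above.
DRIVER_GREP = '''
    const char *host = dbi_conn_get_option(conn, "host");
    const char *encoding = dbi_conn_get_option(conn, "encoding");
    n_port = (long)dbi_conn_get_option_numeric(conn, "port");
    int timeout = dbi_conn_get_option_numeric(conn, "timeout");
    const char *unix_socket = dbi_conn_get_option(conn, "mysql_unix_socket");
    client_flags |= (dbi_conn_get_option_numeric(conn, "mysql_client_compress") > 0) ? CLIENT_COMPRESS : 0;
    if (dbi_conn_get_option_numeric(result->conn, "mysql_include_trailing_null") == 1) {
'''

# Constructed sample config; "mysql_ssl_ca" is a hypothetical option name,
# used here only to show what an unsupported setting looks like.
SYSLOG_NG_CONF = '''
destination d_sql {
  sql(
    type(mysql)
    host("db.example.internal") username("u") password("p")
    dbd-option("timeout" 5)
    dbd-option("mysql_ssl_ca" "/etc/ssl/certs/db-ca.pem")
  );
};
'''

GET_OPTION = re.compile(r'dbi_conn_get_option(?:_numeric)?\(\s*[\w>-]+\s*,\s*"([^"]+)"')
DBD_OPTION = re.compile(r'dbd-option\(\s*"([^"]+)"\s+("[^"]*"|\d+)\s*\)')

def driver_options(grep_output):
    """Option names the driver source actually reads."""
    return set(GET_OPTION.findall(grep_output))

def audit_dbd_options(conf, supported):
    """Split the dbd-option() names in conf into (honoured, never read)."""
    names = [m.group(1) for m in DBD_OPTION.finditer(conf)]
    honoured = [n for n in names if n in supported]
    ignored = [n for n in names if n not in supported]
    return honoured, ignored

def tls_capable(supported):
    """True if any option name the driver reads mentions SSL or TLS."""
    return any(re.search(r'ssl|tls', n, re.I) for n in supported)

if __name__ == "__main__":
    opts = driver_options(DRIVER_GREP)
    print("driver reads:", sorted(opts))
    print("honoured / never read:", audit_dbd_options(SYSLOG_NG_CONF, opts))
    print("TLS options available:", tls_capable(opts))
```
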