Bug 988

Summary: TLS certificate error - following upgrade to 1.9.7-2
Product: Sudo
Reporter: abliss1
Component: Log server
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.9.7
Hardware: PC
OS: Linux

Description abliss1 2021-07-26 12:39:29 MDT
I've run into what I think is a bug with the most recent sudo_logsrvd package, at least for RHEL 8.  Following an upgrade to sudo-logsrvd-1.9.7-2.el8.x86_64, RHEL 7 and 8 sudo clients running the same corresponding sudo client package version (sudo-1.9.7-2.el8.x86_64) started logging the following error, which is preventing sudo logging from working:

Error message issued by the client on sudo invocation:

sudo: TLS connection to {{fqdn_loghost}}:30343 failed: Connection reset by peer
sudo: TLS handshake was unsuccessful: Connection reset by peer
sudo: unable to connect to log server: Connection reset by peer

Here are the relevant sudo_logsrvd directives:

listen_address = *:30343(tls)
tls_verify = false
tls_checkpeer = false
tls_cacert = /etc/openldap/cacerts/4e5e8b9b.0
tls_cert = /etc/openldap/cacerts/sudoserver.pem
tls_key = /etc/openldap/cacerts/sudoserver.key

Here are the relevant client directives:

Defaults    log_servers = {{fqdn_loghost}}:30343(tls)
Defaults    !log_server_verify
Defaults    log_server_peer_cert = /etc/openldap/cacerts/sudoclient.pem
Defaults    log_server_peer_key = /etc/openldap/cacerts/sudoclient.key 

Downgrading the server to sudo-logsrvd-1.9.5-3 restored sudo logging for us; however, we of course want to be sure to keep both the sudo client and server components updated.  Please let me know if any additional detail is needed regarding this issue, and thanks much for your help.
Comment 1 Todd C. Miller 2021-07-26 12:43:52 MDT
This was reported on the sudo-users mailing list as well.  Thanks for narrowing it down to a change after 1.9.5, that helps.
Comment 2 Todd C. Miller 2021-07-26 15:23:39 MDT
Fixed by https://www.sudo.ws/repos/sudo/rev/1ca00726b4d6
The one-line fix is to use TLS_method (not TLS_client_method) in logsrvd/tls_init.c.
Comment 3 Todd C. Miller 2021-07-27 09:47:56 MDT
Fixed in sudo 1.9.7p2.  You can find packages at https://www.sudo.ws/download.html#binary and https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_7p2
Comment 4 abliss1 2021-08-09 09:33:13 MDT
Confirmed that this is now fixed.  Thanks again for your help, Todd.