Bug 988 - TLS certificate error - following upgrade to 1.9.7-2
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Log server
Version: 1.9.7
Hardware: PC Linux
Importance: low (priority), normal (severity)
Assigned To: Todd C. Miller
Reported: 2021-07-26 12:39 MDT by abliss1
Modified: 2021-08-09 09:33 MDT
Description abliss1 2021-07-26 12:39:29 MDT
I've run into what I think is a bug with the most recent sudo_logsrvd package, at least for RHEL 8.  Following an upgrade to sudo-logsrvd-1.9.7-2.el8.x86_64, RHEL 7 and 8 sudo clients running the same corresponding sudo client package version (sudo-1.9.7-2.el8.x86_64) started logging the following error, which is preventing sudo logging from working:

Error message issued by the client on sudo invocation:

sudo: TLS connection to {{fqdn_loghost}}:30343 failed: Connection reset by peer
sudo: TLS handshake was unsuccessful: Connection reset by peer
sudo: unable to connect to log server: Connection reset by peer

Here are the relevant sudo_logsrvd directives:

listen_address = *:30343(tls)
tls_verify = false
tls_checkpeer = false
tls_cacert = /etc/openldap/cacerts/4e5e8b9b.0
tls_cert = /etc/openldap/cacerts/sudoserver.pem
tls_key = /etc/openldap/cacerts/sudoserver.key

Here are the relevant client directives:

Defaults    log_servers = {{fqdn_loghost}}:30343(tls)
Defaults    !log_server_verify
Defaults    log_server_peer_cert = /etc/openldap/cacerts/sudoclient.pem
Defaults    log_server_peer_key = /etc/openldap/cacerts/sudoclient.key 

Downgrading the server to sudo-logsrvd-1.9.5-3 restored sudo logging for us; however, we of course want to be sure to keep both the sudo client and server components updated.  Please let me know if any additional detail is needed regarding this issue, and thanks much for your help.
Comment 1 Todd C. Miller 2021-07-26 12:43:52 MDT
This was reported on the sudo-users mailing list as well.  Thanks for narrowing it down to a change after 1.9.5, that helps.
Comment 2 Todd C. Miller 2021-07-26 15:23:39 MDT
Fixed by https://www.sudo.ws/repos/sudo/rev/1ca00726b4d6
The one-line fix is to use TLS_method (not TLS_client_method) in logsrvd/tls_init.c
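The failure mode behind that one-line fix can be reproduced outside sudo. The block below is an added example, not sudo's or logsrvd's code: Python's ssl module wraps the same OpenSSL method functions (PROTOCOL_TLS_CLIENT is TLS_client_method, PROTOCOL_TLS is TLS_method), so a server-side context built from the client-only method has no accept routine and fails on its first do_handshake() call, while the same server built from TLS_method completes the handshake. The client context mirrors the reporter's !log_server_verify setting, the server context mirrors tls_verify = false / tls_checkpeer = false, the certificate is throwaway test data minted with the openssl CLI, and the CN logsrvd.example is an assumption.

```python
"""Reproduce the TLS_client_method-as-server failure with Python's ssl module.

Added example, not sudo code.  Protocol constants map onto OpenSSL methods:
PROTOCOL_TLS_CLIENT -> TLS_client_method, PROTOCOL_TLS -> TLS_method.
"""
import os
import shutil
import ssl
import subprocess
import tempfile
import warnings


def make_self_signed_cert(directory):
    """Mint a throwaway self-signed cert/key for the fake log server.

    Constructed test data (CN is an assumption).  Returns None when no
    usable openssl binary is available, so callers can skip that case.
    """
    openssl = shutil.which("openssl")
    if openssl is None:
        return None
    cert = os.path.join(directory, "logsrvd.pem")
    key = os.path.join(directory, "logsrvd.key")
    try:
        subprocess.run(
            [openssl, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", cert, "-subj", "/CN=logsrvd.example",
             "-days", "1"],
            check=True, capture_output=True,
        )
    except subprocess.CalledProcessError:
        return None
    return cert, key


def run_handshake(server_protocol, cert_pair, max_rounds=10):
    """Drive one in-memory TLS handshake.

    The client is always built correctly; only the server's protocol
    (i.e. OpenSSL method) varies.  Returns "ok" or a failure description.
    """
    if cert_pair is None and server_protocol != ssl.PROTOCOL_TLS_CLIENT:
        return "skipped: no openssl binary to mint a server certificate"

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Mirrors the reporter's "!log_server_verify": no peer verification.
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE

    with warnings.catch_warnings():
        # PROTOCOL_TLS is deprecated in Python but it is exactly TLS_method.
        warnings.simplefilter("ignore", DeprecationWarning)
        server_ctx = ssl.SSLContext(server_protocol)
    # Mirrors "tls_verify = false" / "tls_checkpeer = false" on the server.
    server_ctx.check_hostname = False
    server_ctx.verify_mode = ssl.CERT_NONE
    if cert_pair is not None:
        server_ctx.load_cert_chain(*cert_pair)

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    client_done = server_done = False
    for _ in range(max_rounds):
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        s_in.write(c_out.read())  # ferry client -> server bytes
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:
                # A TLS_client_method context has no accept routine, so the
                # server dies here; over a real socket the client then sees
                # "Connection reset by peer", as in the report.
                return f"server handshake failed: {exc.reason or exc}"
        c_in.write(s_out.read())  # ferry server -> client bytes
        if client_done and server_done:
            return "ok"
    return "handshake did not complete"


def demo():
    """Run the broken (TLS_client_method) and fixed (TLS_method) servers."""
    with tempfile.TemporaryDirectory() as tmp:
        pair = make_self_signed_cert(tmp)
        return {
            "TLS_client_method": run_handshake(ssl.PROTOCOL_TLS_CLIENT, pair),
            "TLS_method": run_handshake(ssl.PROTOCOL_TLS, pair),
        }


if __name__ == "__main__":
    for method, outcome in demo().items():
        print(f"server built with {method}: {outcome}")
```

The broken case needs no certificate at all: OpenSSL rejects the accept attempt before it ever looks at the server's credentials, which is why the reporter's otherwise valid tls_cert and tls_key made no difference.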
Comment 3 Todd C. Miller 2021-07-27 09:47:56 MDT
Fixed in sudo 1.9.7p2.  You can find packages at https://www.sudo.ws/download.html#binary and https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_7p2
Comment 4 abliss1 2021-08-09 09:33:13 MDT
Confirmed that this is now fixed.  Thanks again for your help, Todd.