librelp 1.1.5
librelp 1.1.5 [download]
This is a bug-fixing release that takes care of a memory leak on connection close as well as a potential misaddressing on session close.
Version 1.1.5 – 2013-07-05
– bugfix: memory leak on connection close
around 60 bytes of memory were lost on each connection close at the
server side (when the client initiated a close)
– bugfix: potential misaddressing on session close
This could happen if a write was also outstanding, a quite unusual
situation. In that case, already freed memory was being accessed.
sha256sum: 2322d771bd6036dd11519509177722baa36bc0e61a5d6748cbce0addf7f43243
librelp 1.1.4
librelp 1.1.4 [download]
This version of the library provides certificate wildcard name checks. It also supports enhanced performance options (burst support, which requires support from the caller). It also contains some bug fixes, especially for BSD.
Version 1.1.4 – 2013-07-03
– fix build problems on BSD
Thanks to Christiano for analysis and patch suggestion.
– add ability to specify a non-standard RELP Window size
– add burst support to the client API
With this, we remove the unconditional performance improvement
done in 1.1.3 – it is better to call the APIs explicitly.
– wildcards are now supported in TLS name peer authentication
They follow the RFC 5425 recommendations, e.g.
*.example.com, client*.example.com, client01.*.com
– new APIs: relpCltHintBurstBegin, relpCltHintBurstEnd,
relpCltSetWindowSize
sha256: 85df54b14d53525612c3c592f9121f16e0f694d32d69d4c82261ecd513014e50
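The following C code is an added illustration of the wildcard peer-name check described above; it is example code written for this page, not librelp's implementation. It assumes the per-label rule that is the safe reading of RFC 5425-style patterns: a name is compared label by label, a `*` matches only within its own label and never spans a dot, at most one `*` is allowed per label, and comparison is ASCII case-insensitive because DNS names are. The permitted-peer list and the peer names in `main` are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of equal length (DNS names
 * are case-insensitive). Returns 1 if equal. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match a single DNS label against a label pattern holding at most one '*'.
 * The '*' matches any run of characters (including none) inside this label
 * only; a pattern with two stars is rejected rather than guessed at. */
static int label_match(const char *pat, size_t patlen, const char *lab, size_t lablen)
{
    const char *star = memchr(pat, '*', patlen);
    if (star == NULL)
        return patlen == lablen && eq_nocase(pat, lab, patlen);

    size_t prelen = (size_t)(star - pat);   /* text before the '*' */
    size_t suflen = patlen - prelen - 1;    /* text after the '*' */
    if (memchr(star + 1, '*', suflen) != NULL)
        return 0;
    if (lablen < prelen + suflen)
        return 0;
    return eq_nocase(pat, lab, prelen)
        && eq_nocase(star + 1, lab + (lablen - suflen), suflen);
}

/* Match a peer name (e.g. the dNSName from a certificate) against one
 * permitted-peer pattern such as "*.example.com" or "client*.example.com".
 * Both are walked label by label, so the label count must be identical and a
 * wildcard never crosses a '.'. Empty labels (leading, trailing or doubled
 * dots) never match. Returns 1 on match, 0 otherwise. */
int peer_name_matches(const char *pattern, const char *name)
{
    for (;;) {
        const char *pdot = strchr(pattern, '.');
        const char *ndot = strchr(name, '.');
        size_t plen = pdot ? (size_t)(pdot - pattern) : strlen(pattern);
        size_t nlen = ndot ? (size_t)(ndot - name) : strlen(name);

        if (plen == 0 || nlen == 0)
            return 0;
        if (!label_match(pattern, plen, name, nlen))
            return 0;
        if (pdot == NULL && ndot == NULL)
            return 1;   /* both exhausted with every label matched */
        if (pdot == NULL || ndot == NULL)
            return 0;   /* differing number of labels */
        pattern = pdot + 1;
        name = ndot + 1;
    }
}

/* Check a peer name against a whole list of permitted peers; the connection
 * should be rejected when this returns 0. */
int peer_permitted(const char *const *permitted, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (peer_name_matches(permitted[i], name))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed permitted-peer list and sample peer names (hypothetical). */
    static const char *const permitted[] = {
        "*.example.com", "client*.example.com", "client01.*.com"
    };
    static const char *const peers[] = {
        "client01.example.com",    /* allowed by all three patterns */
        "CLIENT01.Example.COM",    /* same name, different case: allowed */
        "a.client01.example.com",  /* extra label: '*' must not span the dot */
        "example.com",             /* too few labels */
        "client01.example.org",    /* suffix does not match */
    };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-26s %s\n", peers[i],
               peer_permitted(permitted, 3, peers[i]) ? "permitted" : "REJECTED");
    return 0;
}
```

Two practical notes: a pattern whose wildcard sits in a middle or rightmost label (such as the page's `client01.*.com`) is much broader than a leftmost one, since any registrable domain under `.com` with a matching host label passes, so operators are better served by wildcards confined to the leftmost label; and the case folding here is ASCII-only, which is adequate for the dNSName values certificates carry.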
librelp 1.1.3
librelp 1.1.3 [download]
Version 1.1.3 – 2013-06-26
– increased performance of RELP connection
– bugfix: potential segfault if no GnuTLS priority string was set
sha256sum: c07a6805ed90127c7270bece0fe60908bd5f6f9612bbbdd26fabb15588306b57
librelp 1.1.2
librelp 1.1.2 [download]
This release most importantly adds certificate-based mutual peer authentication in TLS mode. It also provides finer-grained control over the GnuTLS settings by permitting the caller to directly specify the so-called “priority string”. With this string, important details like the ciphers to be supported can be selected. To implement these features, a number of API extensions were added.
– add capability to specify the GnuTLS priority string
This gives callers complete control over crypto parameters, like
ciphers to use.
– add certificate-based authentication
– add capability to specify number of Diffie-Hellman bits to use
– API extension: relpSrvSetDHBits, relpSrvSetGnuTLSPriString,
relpCltSetGnuTLSPriString, relpEngineSetOnAuthErr, relpCltSetUsrPtr,
relpSrvSetAuthMode, relpCltSetAuthMode
recent librelp development
I thought I'd share some news on what I have been busy with and what I intend to do in the future. In the past days, I have added more config options to librelp, which now supports GnuTLS compression methods as well as provides the ability to set the Diffie-Hellman key strength (number of bits) and – for experts – to set the GnuTLS priority string, which selects the cipher methods and other important aspects of TLS handling.
This is done now, and I have also added rsyslog facilities to use these new features. Some of this is not yet released, but will be soon.
The next big step is preventing man-in-the-middle attacks. I will most probably use SSH-style fingerprint authentication, so that no full PKI is necessary to make this work. I guess implementing this feature set will take a couple of days, and I will keep you posted on how things progress.
(cross-posted from Rainer’s blog)
librelp 1.1.1
librelp 1.1.1 [download]
– added compression support for TLS
– API extension: relpCltEnableTLSZip, relpSrvEnableTLSZip
[sha256 hash: 2aa0288bf26de0605c414f02329634007681f81cc6f62ff6f615074c45f9def2]
librelp 1.1.0
librelp 1.1.0 [download]: Most importantly, TLS support has been added. This also led to a number of API enhancements.
[sha256 hash: 2fc9bf37eb6be5a5cc72483eb11eca573d3c87b78051c70fca5b4446d9106f27]
TLS support for librelp
If you have followed librelp’s git, you have probably already noticed that there is increased activity. This is because TLS support is finally being added! Thanks to an unnamed sponsor, we could invest “a bit” of time to make this happen.
We have decided to base TLS support on GnuTLS, which has matured very much, is preferred by Debian, is fully supported by Red Hat, and does not have the GPL licensing issues that OpenSSL has (plus the sponsor also preferred it). We build TLS support directly into librelp, as we assume it will become very popular, so an abstraction layer would not make much sense, especially given that GnuTLS is nowadays almost always installed by default. And remember that an abstraction layer always adds code complexity and an (albeit limited) runtime overhead.
librelp 1.1.0 will be the first version with basic TLS support. By “basic” we mean that this is a full TLS implementation, but some useful additional features are not yet present. Most importantly, this version will not support certificates but rather work with anonymous Diffie-Hellman key exchange. This means that while the integrity and privacy of the session can be guaranteed as far as the network is concerned, this version does not guard against man-in-the-middle attacks. The reason is simply that anonymous key exchange authenticates neither peer, so an active attacker can terminate the TLS session towards each side and relay the traffic without either side noticing. We still think it makes a lot of sense to release this version, as it greatly improves the situation over plain-text RELP.
Obviously, we plan to add certificate support in the very near future. This also means we will add ways for mutual authentication, much like in rsyslog’s RFC 5425 implementation. It is not yet decided whether we will support all authentication options RFC 5425 offers (some may not be very relevant in practice). We are currently strongly considering starting with fingerprint-based authentication, as it permits mutual authentication without the need to set up a full-blown PKI. Also, most folks know fingerprint authentication: it is what ssh does when it connects to a remote machine.
So stay tuned to librelp development, many more exciting things are coming up. Please note that rsyslog 7.5.0 will be the first version to utilize the new librelp features – but that’s something for a different blog posting.
[This is a cross-post from Rainer Gerhards’ blog (main librelp author)]
librelp 1.0.7 released
librelp 1.0.7 [download]: removed the relpCltConnect2() API, which was against librelp’s API philosophy. It was only introduced in 1.0.6 and had been in the code for a very short time, so we decided that the best thing to do is actually remove it (there is NO known released user; this change was for the yet unreleased rsyslog 7.5.0). [sha256 hash: 615df51cbbd6e62ed3900e1934e79c2ac02b533c01de20d28009968e54e93779]
librelp 1.0.6
librelp 1.0.6 [download]: enhanced API to permit binding a client to a specific IP address [sha256 hash: 9b4304ff3302c60be03bb9bed82d15420bce51b72f836877e47622cd5417f6ab]