Test cases
1. Generate the CA certificate on the rsyslog server or on any other CA server.
# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...

# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem    ===>>> generating CA certificate
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): ind
Organization name: Myorg
Organizational unit name: myBU
Locality name: BLR
State or province name: KA
Common name: CAcert
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1482511911):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 585d5627
	Validity:
		Not Before: Fri Dec 23 16:51:52 UTC 2016
		Not After: Mon Dec 21 16:51:55 UTC 2026
	Subject: C=ind,O=Myorg,OU=myBU,L=BLR,ST=KA,CN=CAcert
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
			c0:78:d2:ba:a0:93:7d:81:a3:f7:a5:f4:86:a4:c2:2d
	Basic Constraints (critical):
		Certificate Authority (CA): TRUE
	Key Usage (critical):
		Certificate signing.
	Subject Key Identifier (not critical):
		b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
Other Information:
	Public Key Id:
		b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7

Is the above information ok? (Y/N): y

Signing certificate...

# certtool --generate-privkey --outfile rslclient-key.pem --bits 2048
Generating a 2048 bit RSA private key...

# certtool --generate-request --load-privkey rslclient-key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): ind
Organization name: Myorg
Organizational unit name: Mybu
Locality name: blr
State or province name: KA
Common name: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
UID:
Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y

# certtool --generate-certificate --load-request request.pem --outfile rslclient-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem    =======>>> generating client key certificate
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 1482512116):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N): n
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 585d56f4
	Validity:
		Not Before: Fri Dec 23 16:55:18 UTC 2016
		Not After: Mon Dec 21 16:55:20 UTC 2026
	Subject: C=ind,O=Myorg,OU=Mybu,L=blr,ST=KA,CN=dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
		Subject Alternative Name (not critical):
			DNSname: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
		Subject Key Identifier (not critical):
			34e95fc3db224ce9b4ed05f619359a4c4140826e
		Authority Key Identifier (not critical):
			b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
Other Information:
	Public Key Id:
		34e95fc3db224ce9b4ed05f619359a4c4140826e

Is the above information ok? (Y/N): y

Signing certificate...

# rm -rf request.pem
Generate the certificate for the server:

# certtool --generate-privkey --outfile rslserver-key.pem --bits 2048
Generating a 2048 bit RSA private key...

# certtool --generate-request --load-privkey rslserver-key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): ind
Organization name: Myorg
Organizational unit name: Mybu
Locality name: blr
State or province name: ka
Common name: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
UID:
Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y

Generating the server key certificate using request.pem:

# certtool --generate-certificate --load-request request.pem --outfile rslserver-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 1482512336):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N): n
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 585d57d0
	Validity:
		Not Before: Fri Dec 23 16:58:57 UTC 2016
		Not After: Mon Dec 21 16:59:00 UTC 2026
	Subject: C=ind,O=Myorg,OU=Mybu,L=blr,ST=ka,CN=dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
			ac:2d:46:c2:41:7b:16:a6:80:7f:9f:46:2c:64:02:2d
	Basic Constraints (critical):
		Certificate Authority (CA): FALSE
	Key Purpose (not critical):
		TLS WWW Client.
		TLS WWW Server.
	Subject Alternative Name (not critical):
		DNSname: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
	Subject Key Identifier (not critical):
		f7f986ecdd10bf2646cd74f7e20e3d9b0f746765
	Authority Key Identifier (not critical):
		b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
Other Information:
	Public Key Id:
		f7f986ecdd10bf2646cd74f7e20e3d9b0f746765

Is the above information ok? (Y/N): y

Signing certificate...
2. Copy ca.pem and the rslclient-* certificate files to the client, and the server certificate to the rsyslog server.

# rsync -aP rslserver-* root@10.178.22.148:/etc/pki/tls/private/
# rsync -aP ca.pem root@10.178.22.148:/etc/pki/tls/private/

On the rsyslog client:

# ls -l /etc/pki/tls/private/
total 12
-rw-r--r-- 1 root root 1233 Dec 23 19:58 ca.pem
-rw-r--r-- 1 root root 1452 Dec 23 20:06 rslclient-cert.pem
-rw------- 1 root root 1679 Dec 23 19:59 rslclient-key.pem

On the rsyslog server:

# ls -l /etc/pki/tls/private/
total 12
-rw-r--r-- 1 root root 1233 Dec 23 20:09 ca.pem
-rw-r--r-- 1 root root 1448 Dec 23 20:09 rslserver-cert.pem
-rw------- 1 root root 1675 Dec 23 20:09 rslserver-key.pem
rsyslog configuration
- Install these packages on the rsyslog client and on the rsyslog server.

rsyslog-gnutls-5.8.10-10.0.1.el6_6.x86_64
rsyslog-5.8.10-10.0.1.el6_6.x86_64
gnutls-utils-2.8.5-19.el6_7.x86_64
gnutls-2.8.5-19.el6_7.x86_64

- rsyslog server configuration:
Add the following modules/directives to /etc/rsyslog.conf.
Note: the directives must be kept in the order shown below, because the driver has to be loaded before the imtcp module.

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 514
# Increase the amount of open files rsyslog is allowed, which includes open tcp sockets
# This is important if there are many clients.
# http://www.rsyslog.com/doc/rsconf1_maxopenfiles.html
$MaxOpenFiles 2048
For example:

# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com    ======>>>> mention your rsyslog peer name or pattern ( *. )
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 514
# Increase the amount of open files rsyslog is allowed, which includes open tcp sockets
# This is important if there are many clients.
# http://www.rsyslog.com/doc/rsconf1_maxopenfiles.html
$MaxOpenFiles 2048

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1   # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g     # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
#$ActionQueueType LinkedList     # run asynchronously
#$ActionResumeRetryCount -1      # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Setup notes
- Because trust has to be established between client and server, we generate CA-signed certificates for each server and client.
- We copy the corresponding client certificate to the client node and the server certificate to the rsyslog server.
- The certificate authority server can be the rsyslog server itself or any other server.
- To accept logs over TLS, we add extra modules/directives to the rsyslog server configuration file.
- To send logs over TLS, we add extra modules/directives to the rsyslog client configuration file.
- Make sure the modules in the server and client configuration files are in the correct order.
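As an added example that is not part of the original article, the following shell script checks a v5-style rsyslog.conf for the ordering and directive requirements listed above: on the server, the gtls driver and its CA/cert/key must be set before $ModLoad imtcp and the listener must run in TLS-only mode; on the client, TLS-only mode, x509/name authentication and a concrete permitted peer must be present. It assumes the legacy $Directive syntax used on this page; the sample configuration fragments, the host name rsyslog-server.example.com and the address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example, not taken from the original article: audit a v5-style
# rsyslog.conf for the TLS pitfalls the guide describes, using only sh, sed and awk.

# Print the effective directives: everything after '#' is dropped, so a
# commented-out "#$ModLoad imtcp" on the client does not count as loaded.
_rsyslog_directives() { sed 's/#.*//' "$1"; }

# check_tls_server FILE -> 0 when the receiving side matches the guide: gtls driver
# plus CA/cert/key set *before* "$ModLoad imtcp", listener in TLS-only mode, and
# the $InputTCPServer* directives after imtcp (they are unknown until it is loaded).
check_tls_server() {
    _rsyslog_directives "$1" | awk '
        $1 == "$DefaultNetstreamDriver" && $2 == "gtls"      { gtls = NR }
        $1 == "$DefaultNetstreamDriverCAFile"                { ca = NR }
        $1 == "$DefaultNetstreamDriverCertFile"              { cert = NR }
        $1 == "$DefaultNetstreamDriverKeyFile"               { key = NR }
        $1 == "$ModLoad" && $2 == "imtcp"                    { imtcp = NR }
        $1 == "$InputTCPServerStreamDriverMode" && $2 == "1" { tlsonly = NR }
        $1 == "$InputTCPServerRun"                           { run = NR }
        END {
            ok = gtls && ca && cert && key && imtcp && tlsonly && run
            if (ok && (gtls > imtcp || ca > imtcp || cert > imtcp || key > imtcp)) ok = 0
            if (ok && (tlsonly < imtcp || run < imtcp)) ok = 0
            exit (ok ? 0 : 1)
        }'
}

# check_tls_client FILE -> 0 when the sending side matches the guide: gtls driver
# plus CA/cert/key, TLS-only mode, x509/name authentication with a concrete
# permitted peer (the server certificate name, not "*"), and a TCP (@@) forward.
check_tls_client() {
    _rsyslog_directives "$1" | awk '
        $1 == "$DefaultNetstreamDriver" && $2 == "gtls"              { gtls = 1 }
        $1 == "$DefaultNetstreamDriverCAFile"                        { ca = 1 }
        $1 == "$DefaultNetstreamDriverCertFile"                      { cert = 1 }
        $1 == "$DefaultNetstreamDriverKeyFile"                       { key = 1 }
        $1 == "$ActionSendStreamDriverMode" && $2 == "1"             { tlsonly = 1 }
        $1 == "$ActionSendStreamDriverAuthMode" && $2 == "x509/name" { x509 = 1 }
        $1 == "$ActionSendStreamDriverPermittedPeer" && $2 != "*"    { peer = 1 }
        $2 ~ /^@@/                                                   { fwd = 1 }
        END { exit ((gtls && ca && cert && key && tlsonly && x509 && peer && fwd) ? 0 : 1) }'
}

# Constructed sample files (placeholder host names and paths), one per case.
write_sample() {
    f=$(mktemp) || return 1
    case $1 in
    server-ok) cat >"$f" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 514
EOF
    ;;
    server-wrong-order) cat >"$f" <<'EOF'
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 514
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
EOF
    ;;
    client-ok) cat >"$f" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ActionSendStreamDriverPermittedPeer rsyslog-server.example.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
#$ModLoad imtcp
*.* @@192.0.2.10:514
EOF
    ;;
    client-anypeer) cat >"$f" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ActionSendStreamDriverPermittedPeer *
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
*.* @@192.0.2.10:514
EOF
    ;;
    esac
    printf '%s\n' "$f"
}

# Demo on the constructed samples; real use: check_tls_server /etc/rsyslog.conf (server),
# check_tls_client /etc/rsyslog.conf (each client).
for s in server-ok server-wrong-order client-ok client-anypeer; do
    f=$(write_sample "$s")
    case $s in
    server-*) check_tls_server "$f" && r=OK || r=FAIL ;;
    *)        check_tls_client "$f" && r=OK || r=FAIL ;;
    esac
    printf '%-20s %s\n' "$s" "$r"
    rm -f "$f"
done
```

The client check deliberately rejects a permitted peer of "*": with x509/name that accepts any certificate the CA ever signed, including a client certificate, so the server identity is no longer pinned.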
Troubleshooting
Based on the errors seen on the rsyslog server:
- If the received messages are encrypted instead of plain text, check the module order: this happens when the gtls driver is loaded after the imtcp listener.

Dec 23 19:34:36 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3344" x-info="http://www.rsyslog.com"] start
Dec 23 19:34:41 #026#003#002#0

- Module not found:

Dec 23 20:09:39 rsyslogd-2067: could not load module '/lib64/rsyslog/lmnsd_gtls.so', dlsym: x^D: undefined symbol: modInit

Check the certificates and re-issue them or copy them to the server.

- Verify this parameter: "$ActionSendStreamDriverAuthMode x509/name"

Dec 23 19:53:20 rsyslogd-2088: error: peer name not authorized - not permitted to talk to it. Names: (null) [try http://www.rsyslog.com/e/2088 ]
Dec 23 19:53:20 rsyslogd-2089: netstream session 0x7fb45c01c0e0 will be closed due to error [try http://www.rsyslog.com/e/2089 ]

Basic configuration errors:

Dec 23 19:32:50 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3262" x-info="http://www.rsyslog.com"] start
Dec 23 19:32:50 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
Dec 23 19:32:50 rsyslogd: the last error occured in /etc/rsyslog.conf, line 36:"$InputTCPServerStreamDriverAuthMode x509/name"
Dec 23 19:32:50 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
Dec 23 19:32:50 rsyslogd: the last error occured in /etc/rsyslog.conf, line 37:"$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode"
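As an added example that is not part of the original article, the script below classifies the error lines shown in this troubleshooting section as they appear in /var/log/messages and prints the matching fix for each. The sample log it builds is constructed from the messages above (the dlsym line is reduced to its readable part); the "#026#003#002" bytes are interpreted as a TLS handshake record (0x16 0x03 0x02), which is why a listener that is not running in TLS mode logs them as garbage.

```shell
#!/bin/sh
# Added example, not from the original article: classify the rsyslog TLS errors
# shown in the troubleshooting section and print a fix hint for each.

# classify_rsyslog_line LINE -> prints one tag for the line
classify_rsyslog_line() {
    case $1 in
    *rsyslogd-3003:*"invalid or yet-unknown config file command"*) echo config-order ;;
    *"the last error occured in"*)                  echo config-location ;;
    *rsyslogd-2088:*"peer name not authorized"*)    echo peer-not-authorized ;;
    *rsyslogd-2089:*"will be closed due to error"*) echo session-closed ;;
    *"could not load module"*lmnsd_gtls*)           echo gtls-driver-missing ;;
    *"#026#003#00"[0-4]*)                           echo tls-on-plaintext-listener ;;  # 0x16 0x03 0x0N = TLS handshake record
    *) echo ok ;;
    esac
}

# hint_for TAG -> the remediation the troubleshooting section points to
hint_for() {
    case $1 in
    config-order) echo 'a stream-driver directive came before its module was loaded: keep $DefaultNetstreamDriver* above $ModLoad imtcp and $InputTCPServer* below it' ;;
    config-location) echo 'the preceding 3003 error refers to this file and line' ;;
    peer-not-authorized) echo 'x509/name rejected the peer: the CN/dnsName in its certificate must match the PermittedPeer value; Names: (null) means no name could be read from its certificate' ;;
    session-closed) echo 'follow-on of the previous error; fix that one' ;;
    gtls-driver-missing) echo 'lmnsd_gtls.so did not load: install rsyslog-gnutls matching the rsyslog version (and gnutls)' ;;
    tls-on-plaintext-listener) echo 'the listener received a TLS handshake but read it as plain syslog: load the gtls driver before imtcp and set $InputTCPServerStreamDriverMode 1' ;;
    esac
}

# diagnose_rsyslog_tls LOGFILE -> prints each problem line with its hint, returns 1 if any
diagnose_rsyslog_tls() {
    problems=0
    while IFS= read -r line; do
        tag=$(classify_rsyslog_line "$line")
        [ "$tag" = ok ] && continue
        problems=$((problems + 1))
        printf '%s\n    -> %s\n' "$line" "$(hint_for "$tag")"
    done < "$1"
    [ "$problems" -eq 0 ]
}

# Constructed sample log modelled on the troubleshooting output above
write_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Dec 23 19:32:50 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3262" x-info="http://www.rsyslog.com"] start
Dec 23 19:32:50 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
Dec 23 19:32:50 rsyslogd: the last error occured in /etc/rsyslog.conf, line 36:"$InputTCPServerStreamDriverAuthMode x509/name"
Dec 23 19:34:41 #026#003#002#0
Dec 23 19:53:20 rsyslogd-2088: error: peer name not authorized - not permitted to talk to it. Names: (null) [try http://www.rsyslog.com/e/2088 ]
Dec 23 19:53:20 rsyslogd-2089: netstream session 0x7fb45c01c0e0 will be closed due to error [try http://www.rsyslog.com/e/2089 ]
Dec 23 20:09:39 rsyslogd-2067: could not load module '/lib64/rsyslog/lmnsd_gtls.so', dlsym: undefined symbol: modInit
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample; real use: diagnose_rsyslog_tls /var/log/messages
f=$(write_sample_log)
diagnose_rsyslog_tls "$f" && echo "no TLS problems found" || echo "fix the problems above"
rm -f "$f"
```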
rsyslog client configuration
Make sure the following directives are present.

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com    =======>>> that should be your rsyslog server
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
For example:

# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name

#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer *
#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1   # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g     # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
#$ActionQueueType LinkedList     # run asynchronously
#$ActionResumeRetryCount -1      # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@10.178.23.94:514    ========>>>>>> server:port
:msg, contains, "kernel" @@10.178.23.94:514
# ### end of the forwarding rule ###
Final step: restart the service on the client and on the server.

# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Expected output:

# tailf /var/log/messages
Dec 23 22:36:20 server2 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!    ========>>>> client messages here
Dec 23 22:38:54 server2 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
Dec 23 22:38:54 server1 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
Dec 23 22:38:55 server1 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!
Dec 23 22:41:28 server2 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
Dec 23 22:41:28 server1 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
Dec 23 22:41:29 server1 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!
Dec 23 22:44:44 server2 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
Dec 23 22:44:44 server1 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
Dec 23 22:44:44 server1 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!
Dec 23 22:45:12 server1 kernel: Kernel logging (proc) stopped.    =====>>> client messages got logged to the rsyslog server
Dec 23 22:45:12 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="6340" x-info="http://www.rsyslog.com"] exiting on signal 15.
Dec 23 22:45:12 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Dec 23 22:45:12 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="6679" x-info="http://www.rsyslog.com"] start

# tcpdump -nnvvvS -s 0 -U -w /tmp/sniff.rsyslog dst 10.178.23.94 and dst port 514
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C133 packets captured
133 packets received by filter
0 packets dropped by kernel
3211 packets dropped by interface
The purpose of this article is to explain how to configure an rsyslog server so that logs are transferred over SSL/TLS.
Logs sent from the client to the rsyslog server are encrypted on the network, which gives us an additional level of security.

Requirements
The rsyslog server and client need the following packages:

rsyslog-gnutls-5.8.10-10.0.1.el6_6.x86_64
rsyslog-5.8.10-10.0.1.el6_6.x86_64
gnutls-utils-2.8.5-19.el6_7.x86_64
gnutls-2.8.5-19.el6_7.x86_64

Date: 2020-09-17 00:13:23 Source: oir Author: oir