[syslog-ng] problem configuring syslog-ng with TLS

Mohsen Alimomeni m.alimomeni at gmail.com
Sat Jul 18 07:51:08 CEST 2009


Thanks for the reply,
I tried different configurations (mutual, simple, removing peer_verify) and
compiled the last development snapshot; none of them worked well. Anyway, if
at some point you (or I) solve the problem, please email me what you did.
I would try stunnel, thanks for the solution.

Regards,

On Thu, Jul 16, 2009 at 8:17 PM, fredzy padzy <fredzyy at gmail.com> wrote:

> Already tried, and it works well.
>
> But I just need one tool to make everything work.
>
> Maybe other people have had this SSL trouble?
>
> Wonder how they solved it.
>
> 2009/7/16 Charles Jennings <jennings.charles.e.security at gmail.com>
>
>> Not to knock syslog-ng TLS - I also had problems - so I turned to this
>> solution: syslog-ng over stunnel:
>>
>> http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp
>>
>> Regards.
>>
>>  ------------------------------
>> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:
>> syslog-ng-bounces at lists.balabit.hu] *On Behalf Of *fredzy padzy
>> *Sent:* Thursday, July 16, 2009 10:28 AM
>> *To:* Syslog-ng users' and developers' mailing list
>> *Subject:* Re: [syslog-ng] problem configuring syslog-ng with TLS
>>
>> Hi Mohsen
>>
>> I'm having the same kind of problem with simple authentication (i.e. not the
>> mutual one).
>>
>> The error is the same one (and sometimes turns into a "tlsv1 alert unknown
>> ca"), and I think the syslog-ng client isn't able to read the cacert.pem file
>> from the CA that signed the certificate sent by the syslog-ng server ...
>> quite strange, moreover the rights and conf look good.
>>
>> Anyway, I'm surprised by your client conf:
>> Server config:
>> destination d_tlsserver {
>>    tcp("192.168.13.39" port(1999)
>>      tls(ca_dir("/opt/syslog-ng/certs")
>>      peer_verify(required-trusted)
>>    ));
>> };
>> Did you try without this line?
>>
>> Also check your client logs, I've got some "unable to get local issuer
>> certificate" in my /var/adm/messages
>>
>> bye
>>
>> 2009/7/16 Mohsen Alimomeni <m.alimomeni at gmail.com>
>>
>>> Hi everyone,
>>> I want to configure syslog-ng with TLS, but there are problems with the
>>> client connecting to the server. This is the error on the client side:
>>> {
>>> Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up; version='3.0.3'
>>> Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection established; fd='7', server='AF_INET(192.168.13.39:1999)', local='AF_INET(0.0.0.0:0)'
>>> Jul 16 17:04:10 momeni syslog-ng[31084]: Certificate validation failed; subject='emailAddress=momeni at amnafzar.com, CN=momeni, ..to the end! ', error='invalid CA certificate', depth='1'
>>> Jul 16 17:04:10 momeni syslog-ng[31084]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
>>> Jul 16 17:04:10 momeni syslog-ng[31084]: I/O error occurred while writing; fd='7', error='Broken pipe (32)'
>>> Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection broken; fd='7', server='AF_INET(192.168.13.39:1999)', time_reopen='60'
>>> }
>>>
>>> To make sure my certificates are valid I ran two commands:
>>> On server: openssl s_server -CApath CA/ -CAfile CA/cacert.pem -cert Client/clientcert.pem -key Client/clientkey.pem -accept 8080
>>>
>>> On client: openssl s_client -connect 192.168.13.39:8080
>>> The result on the client is the server certificate and the last line is:
>>> {
>>> Verify return code: 19 (self signed certificate in certificate chain)
>>> }
>>>
>>> The client and server are both syslog-ng 3.0.2 (and 3.0.3) on Ubuntu.
>>> These are the steps I took to configure the client and server:
>>> I used the script CA.sh to generate X.509 certificates. I created a
>>> cacert using the command:
>>>        CA.sh -newca
>>> which created the CA files: cacert.pem, ..
>>> created a request:
>>>        CA.sh -newreq
>>> renamed the files created to syslog_cert.pem and syslog_key.pem
>>> signed it with the CA:
>>>        CA.sh -sign
>>> Then I copied the cacert.pem file to the client and created its hash as
>>> explained in the syslog-ng documentation.
>>>
>>> configuration files:
>>>
>>> Client config:
>>> destination d_tlsserver {
>>>    tcp("192.168.13.39" port(1999)
>>>      tls(ca_dir("/opt/syslog-ng/certs")
>>>      peer_verify(required-trusted)
>>>    ));
>>> };
>>>
>>>
>>> Server config:
>>> source rezvani_tls {
>>>    tcp(ip(0.0.0.0) port(1999) max-connections(300)
>>>      tls(key_file("/opt/certs/newcerts/syslogs_key.pem")
>>>      cert_file("/opt/certs/newcerts/syslogs_cert.pem")
>>>      peer_verify(optional-untrusted)
>>>   ));
>>> };
>>>
>>>
>>> --
>>> __ \ /_\\_-//_ Mohsen Alimomeni
>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>


-- 
__ \ /_\\_-//_ Mohsen Alimomeni
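The thread above turns on two things that are easy to get wrong in a syslog-ng ca_dir() setup: OpenSSL only finds a CA in that directory through a file named after the CA's subject hash (a bare cacert.pem copied in is never consulted), and "invalid CA certificate" at depth 1 is OpenSSL's verdict when the issuer certificate is not marked as a CA. The script below is an added example, not code from the thread or from the syslog-ng project. It assumes only that the openssl command-line tool is on PATH; every key and certificate it uses is constructed throwaway test material in a temporary directory, and the names test-ca, test-server and the directory layout are invented for the demonstration.

```shell
#!/bin/sh
# Added example: build a syslog-ng ca_dir() the way OpenSSL expects it and verify a
# server certificate against it before wiring it into syslog-ng.
# Assumes the openssl CLI is on PATH. All certificates are constructed, throwaway
# test material (CN=test-ca, CN=test-server) living in a temp directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one server certificate it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-server" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial 1 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# ca_dir() lookups go by <subject-hash>.0 filenames. A plain cacert.pem dropped
# into the directory is never found, which surfaces as "unable to get local
# issuer certificate" / "certificate verify failed". c_rehash (or openssl rehash
# on 1.1.0+) automates exactly this step.
hash_ca_into_dir() {
    ca_pem="$1"; ca_dir="$2"
    mkdir -p "$ca_dir"
    h="$(openssl x509 -noout -hash -in "$ca_pem")"
    cp "$ca_pem" "$ca_dir/$h.0"
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE. A leaf whose
# issuer lacks it is rejected with "invalid CA certificate" at depth 1.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Returns openssl verify's exit status: 0 means the cert chains to a CA in ca_dir.
verify_against_dir() {
    ca_dir="$1"; cert="$2"
    openssl verify -CApath "$ca_dir" "$cert" >/dev/null 2>&1
}

# Walk through both states: an unhashed directory fails, a hashed one succeeds.
demo() {
    make_test_pki
    mkdir -p "$WORK/certs_unhashed"
    cp "$WORK/cacert.pem" "$WORK/certs_unhashed/"
    if verify_against_dir "$WORK/certs_unhashed" "$WORK/server.pem"; then
        echo "unexpected: verify succeeded without hash links"
        return 1
    fi
    hash_ca_into_dir "$WORK/cacert.pem" "$WORK/certs"
    verify_against_dir "$WORK/certs" "$WORK/server.pem"
    is_ca_cert "$WORK/cacert.pem"
    echo "ok: $WORK/certs is a usable ca_dir() for syslog-ng"
}

demo
```

Two checks worth carrying over to a real deployment: run `openssl verify -CApath <ca_dir> <servercert>` from the client host, because that is the same lookup syslog-ng's tls(ca_dir(...)) performs, and inspect the CA with `openssl x509 -noout -text` for a Basic Constraints extension reading CA:TRUE. The `openssl s_client` test in the original report does not exercise either point: "Verify return code: 19 (self signed certificate in certificate chain)" only says s_client was not given the CA (no -CAfile/-CApath), so it neither confirms nor rules out the CA being usable.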