<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16850" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=223484115-16072009><FONT face=Arial
color=#0000ff size=2>Not to knock syslog-ng tls - I also had problems - so I
turned to this solution: syslog-ng over stunnel:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=223484115-16072009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=223484115-16072009><FONT face=Arial
color=#0000ff size=2><A
href="http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp">http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp</A></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=223484115-16072009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=223484115-16072009><FONT face=Arial
color=#0000ff size=2>Regards.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>fredzy
padzy<BR><B>Sent:</B> Thursday, July 16, 2009 10:28 AM<BR><B>To:</B> Syslog-ng
users' and developers' mailing list<BR><B>Subject:</B> Re: [syslog-ng] problem
configuring syslog-ng with TLS<BR></FONT><BR></DIV>
<DIV></DIV>Hi Mohsen<BR><BR>I'm having the same kind of problem with the simple
authentication (IE not mutual one)<BR><BR>The error is the same one (and
sometime turne into a tlsv1 alert unknow ca), and i think syslog-ng client isn't
able to read the cacert.pem file, from the CA that signed the certificate sent
by the syslog-ng server ... quite strange moreover the rights and conf looks
good<BR><BR>Anyway, i'm surprised with your client conf :<BR>Server
config:<BR><I style="FONT-FAMILY: courier new,monospace">destination d_tlsserver
{<BR> tcp("192.168.13.39" port(1999)<BR>
tls(ca_dir("/opt/syslog-ng/certs")<BR><B>
peer_verify(required-trusted)</B><BR> ));<BR>};</I><BR>Did you try
without this line ?<BR><BR>Also check your client logs, i've got some "unable to
get local issuer certificate" in my /var/adm/messages<BR><BR>bye<BR><BR>
<DIV class=gmail_quote>2009/7/16 Mohsen Alimomeni <SPAN dir=ltr><<A
href="mailto:m.alimomeni@gmail.com">m.alimomeni@gmail.com</A>></SPAN><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV dir=ltr>Hi everyone,<BR>I want to configure syslog-ng with TLS, but there
are problems in client connecting to server. This is the error in client
side:<BR>{<BR>
<DIV dir=ltr>Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up;
version='3.0.3'<BR>Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection
established; fd='7', server='AF_INET(192.168.13.39:1999)', local='AF_INET(<A
href="http://0.0.0.0:0" target=_blank>0.0.0.0:0</A>)'<BR>Jul 16 17:04:10
momeni syslog-ng[31084]: Certificate validation failed;
subject='emailAddress=<A href="mailto:momeni@amnafzar.com"
target=_blank>momeni@amnafzar.com</A>, CN=momeni, ..to the end! ',
error='invalid CA certificate', depth='1'<BR>Jul 16 17:04:10 momeni
syslog-ng[31084]: SSL error while writing stream; tls_error='SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'<BR>Jul 16
17:04:10 momeni syslog-ng[31084]: I/O error occurred while writing; fd='7',
error='Broken pipe (32)'<BR>Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog
connection broken; fd='7', server='AF_INET(192.168.13.39:1999)',
time_reopen='60'<BR>}<BR><BR>To make sure my certificates are valid I run two
commands:<BR>On server: openssl s_server -CApath CA/ -CAfile CA/cacert.pem
-cert Client/clientcert.pem -key Client/clientkeye<BR>em -accept
8080<BR><BR>On client: openssl s_client -connect <A
href="http://192.168.13.39:8080" target=_blank>192.168.13.39:8080</A><BR>The
result on the client is the server certificate and the last line
is:<BR>{<BR>Verify return code: 19 (self signed certificate in certificate
chain)<BR>}<BR><BR>The client and server are both syslog-ng_3.0.2 (and 3.0.3)
in ubuntu. These are the steps I configured the client and server:<BR>I used
the script CA.sh to genereate X.509 certificates. I created a cacert using the
command:<BR> CA.sh -newca<BR>created the
ca files :cacert.pem, ..<BR>created a
request:<BR> CA.sh -newreq<BR>rename the
files created to syslog_cert.pem and syslog_ket.pem<BR>signed it with the
ca:<BR> CA.sh -sign<BR>Then I copied the
cacert.pem file to client and created it's hash as explained in syslog-ng
documentation.<BR><BR>configuration files:<BR><BR>Client config:<BR><I
style="FONT-FAMILY: courier new,monospace">destination d_tlsserver
{<BR> tcp("192.168.13.39" port(1999)<BR>
tls(ca_dir("/opt/syslog-ng/certs")<BR>
peer_verify(required-trusted)<BR> ));<BR>};</I><BR><BR><BR>Server
config:<BR><I style="FONT-FAMILY: courier new,monospace">source rezvani_tls
{<BR> tcp(ip(0.0.0.0) port(1999)
max-connections(300)<BR>
tls(key_file("/opt/certs/newcerts/syslogs_key.pem")<BR>
cert_file("/opt/certs/newcerts/syslogs_cert.pem")<BR>
peer_verify(optional-untrusted)<BR> ));<BR>};<BR></I></DIV><BR
clear=all><BR>-- <BR>__ \ /_\\_-//_ Mohsen
Alimomeni<BR><BR></DIV><BR>______________________________________________________________________________<BR>Member
info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>Documentation:
<A href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>FAQ:
<A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR><BR><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>