<div dir="ltr">Thanks for the reply,<br>I tried different configurations (mutual, simple, removing peer_verify) and compiled the latest development snapshot; none of them worked well. Anyway, if at some point you solve the problem (or I do), please email me what you did.<br>
I'll try stunnel; thanks for the solution.<br><br>Regards,<br><br><div class="gmail_quote">On Thu, Jul 16, 2009 at 8:17 PM, fredzy padzy <span dir="ltr"><<a href="mailto:fredzyy@gmail.com">fredzyy@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Already tried, and it works well.<br><br>But I just need one tool to make everything work.<br>
<br>Maybe other people have had this SSL trouble?<br><br>I wonder how they solved it.<br><br><div class="gmail_quote">2009/7/16 Charles Jennings <span dir="ltr"><<a href="mailto:jennings.charles.e.security@gmail.com" target="_blank">jennings.charles.e.security@gmail.com</a>></span><div>
<div></div><div class="h5"><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Not to knock syslog-ng tls - I also had problems - so I
turned to this solution: syslog-ng over stunnel:</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"><a href="http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp" target="_blank">http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp</a></font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Regards.</font></span></div><br>
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>
[mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>] <b>On Behalf Of </b>fredzy
padzy<br><b>Sent:</b> Thursday, July 16, 2009 10:28 AM<br><b>To:</b> Syslog-ng
users' and developers' mailing list<br><b>Subject:</b> Re: [syslog-ng] problem
configuring syslog-ng with TLS<br></font><br></div><div><div></div><div>
<div></div>Hi Mohsen<br><br>I'm having the same kind of problem with the simple authentication (i.e. not the mutual one).<br><br>The error is the same one (and sometimes turns into a "tlsv1 alert unknown ca"), and I think the syslog-ng client isn't able to read the cacert.pem file from the CA that signed the certificate sent by the syslog-ng server ... quite strange, moreover the rights and conf look good.<br><br>Anyway, I'm surprised by your client conf:<br>Server config:<br>
<pre>destination d_tlsserver {
    tcp("192.168.13.39" port(1999)
        tls(ca_dir("/opt/syslog-ng/certs")
            <b>peer_verify(required-trusted)</b>
        )
    );
};</pre>
Did you try without this line?<br><br>Also check your client logs; I've got some "unable to get local issuer certificate" in my /var/adm/messages<br><br>bye<br><br>
<div class="gmail_quote">2009/7/16 Mohsen Alimomeni <span dir="ltr"><<a href="mailto:m.alimomeni@gmail.com" target="_blank">m.alimomeni@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr">Hi everyone,<br>I want to configure syslog-ng with TLS, but there are problems with the client connecting to the server. This is the error on the client side:<br>
<div dir="ltr"><pre>Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up; version='3.0.3'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection established; fd='7', server='AF_INET(192.168.13.39:1999)', local='AF_INET(0.0.0.0:0)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Certificate validation failed; subject='emailAddress=momeni@amnafzar.com, CN=momeni, ..to the end! ', error='invalid CA certificate', depth='1'
Jul 16 17:04:10 momeni syslog-ng[31084]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Jul 16 17:04:10 momeni syslog-ng[31084]: I/O error occurred while writing; fd='7', error='Broken pipe (32)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection broken; fd='7', server='AF_INET(192.168.13.39:1999)', time_reopen='60'
</pre>
To make sure my certificates are valid I ran two commands:<br>On the server:<br>
<pre>openssl s_server -CApath CA/ -CAfile CA/cacert.pem -cert Client/clientcert.pem -key Client/clientkeye
em -accept 8080</pre>
On the client:<br>
<pre>openssl s_client -connect 192.168.13.39:8080</pre>
The result on the client is the server certificate, and the last line is:<br>
<pre>Verify return code: 19 (self signed certificate in certificate chain)</pre>
The client and server are both syslog-ng_3.0.2 (and 3.0.3) on Ubuntu. These are the steps I took to configure the client and server:<br>I used the script CA.sh to generate X.509 certificates. I created a CA cert using the command:<br>
<pre>CA.sh -newca</pre>
which created the CA files: cacert.pem, ...<br>I created a request:<br>
<pre>CA.sh -newreq</pre>
renamed the files created to syslog_cert.pem and syslog_key.pem, and signed it with the CA:<br>
<pre>CA.sh -sign</pre>
Then I copied the cacert.pem file to the client and created its hash as explained in the syslog-ng documentation.<br><br>Configuration files:<br><br>Client config:<br>
<pre>destination d_tlsserver {
    tcp("192.168.13.39" port(1999)
        tls(ca_dir("/opt/syslog-ng/certs")
            peer_verify(required-trusted)
        )
    );
};</pre>
Server config:<br>
<pre>source rezvani_tls {
    tcp(ip(0.0.0.0) port(1999) max-connections(300)
        tls(key_file("/opt/certs/newcerts/syslogs_key.pem")
            cert_file("/opt/certs/newcerts/syslogs_cert.pem")
            peer_verify(optional-untrusted)
        )
    );
};</pre>
</div><br clear="all"><br>-- <br>__ \ /_\\_-//_ Mohsen
Alimomeni<br><br></div><br>______________________________________________________________________________<br>Member
info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Documentation:
<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>FAQ:
<a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br><br><br></blockquote></div><br></div></div></div>
<br></blockquote></div></div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>__ \ /_\\_-//_ Mohsen Alimomeni<br><br>
</div>
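The thread turns on two things the client log points at: whether the CA certificate in ca_dir() is reachable under the OpenSSL subject-hash name (the "hash" step Mohsen mentions), and whether that certificate is actually valid as a CA (the "invalid CA certificate" error is X509_V_ERR_INVALID_CA, which OpenSSL raises when the issuer certificate is not marked CA:TRUE or its key usage does not allow certificate signing). The script below is an added example for this thread, not code from any of the posters or from syslog-ng: it builds a throwaway CA and server certificate with the openssl CLI, installs the CA into a directory laid out as syslog-ng's ca_dir() expects, and runs the same chain check peer_verify(required-trusted) performs, against both a hashed and an unhashed directory. All paths, names and the CA subjects are constructed; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster or from syslog-ng itself.
# Builds a throwaway CA + server cert, installs the CA into a ca_dir-style directory
# with the <subject-hash>.0 link, and verifies the server cert chains to it.
# Assumptions: openssl >= 1.1.1 on PATH; every path, name and subject is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/certs"          # stands in for ca_dir("/opt/syslog-ng/certs")

# Build the PKI. basicConstraints CA:TRUE on the CA matters: an issuer certificate
# without it fails validation as "invalid CA certificate" (X509_V_ERR_INVALID_CA).
make_pki() {
  mkdir -p "$CA_DIR"
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Log CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = logserver.example
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/syslogs_key.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/syslogs_cert.pem" 2>/dev/null
}

# OpenSSL (and therefore syslog-ng's ca_dir) looks the issuer up as <subject-hash>.0;
# a plain cacert.pem dropped into the directory is never found.
install_ca() {
  cp "$WORK/cacert.pem" "$CA_DIR/cacert.pem"
  hash=$(openssl x509 -noout -hash -in "$CA_DIR/cacert.pem")
  ln -sf cacert.pem "$CA_DIR/$hash.0"
}

# Name of the link the server certificate's issuer must resolve to inside ca_dir.
expected_link_name() {
  echo "$(openssl x509 -noout -issuer_hash -in "$WORK/syslogs_cert.pem").0"
}

# Returns 0 when the server certificate chains to a CA found in directory $1, 1 otherwise.
verify_chain() {
  openssl verify -CApath "$1" "$WORK/syslogs_cert.pem" >/dev/null 2>&1
}

main() {
  make_pki
  install_ca
  link=$(expected_link_name)
  [ -e "$CA_DIR/$link" ] && echo "ca_dir has $link" || echo "ca_dir is missing $link"
  verify_chain "$CA_DIR" && echo "chain OK against $CA_DIR" || echo "chain FAILED against $CA_DIR"
  # A directory holding the CA without its hash link reproduces the client-side
  # "unable to get local issuer certificate" failure fredzy reports.
  mkdir -p "$WORK/unhashed"
  cp "$WORK/cacert.pem" "$WORK/unhashed/"
  verify_chain "$WORK/unhashed" && echo "unexpected: unhashed dir verified" \
    || echo "unhashed dir: verify fails, as expected"
}

main
```

Comparing the output of expected_link_name against the directory listing is the quickest check when syslog-ng reports a validation failure at depth 1: if the link is missing the chain cannot be built at all, and if it is present but verification still fails, the CA certificate itself (its basicConstraints and keyUsage) is the next thing to inspect with openssl x509 -text.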