<html><body bgcolor="#FFFFFF"><div><span>The verify works fine.</span><br><span></span><br><span>The client gives the following error now that things have been configured to get the verify to return OK</span><br><span></span><br><span></span><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">tss4s003 syslog-ng[9739]: Syslog connection accepted; fd='8', client='AF_INET(10.139.64.126:3766)', local='AF_INET(xx.xx.xx.xx:8514)'<o:p></o:p></span></p><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Dec 9 16:24:25 tss4s003 syslog-ng[9739]: Certificate validation failed; subject='OU=Class 3 Public Primary Certification Authority, O=VeriSign\, Inc., C=US', issuer='OU=Class 3 Public Primary Certification Authority, O=VeriSign\, Inc., C=US', error='invalid CA certificate', depth='2'<o:p></o:p></span></p><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Dec 9 16:24:25 tss4s003 syslog-ng[9739]: SSL error while reading stream; tls_error='SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned'<o:p></o:p></span></p><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 
11pt; font-family: Calibri, sans-serif; ">Dec 9 16:24:25 tss4s003 syslog-ng[9739]: I/O error occurred while reading; fd='8', error='Connection reset by peer (131)'<o:p></o:p></span></p><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Dec 9 16:24:25 tss4s003 syslog-ng[9739]: Syslog connection closed; fd='8', client='AF_INET(10.139.64.126:3766)', local='AF_INET(xx.xx.xx.xx:8514)'</span></p></span><span></span><br><span>Sent from my iPhone... So expect typos.</span><br><span></span><br><span>On Dec 6, 2009, at 10:24 AM, Balazs Scheidler &lt;<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>&gt; wrote:</span><br><span></span><br><blockquote type="cite"><span>On Fri, 2009-12-04 at 11:20 -0500, Jimmy McDonald wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>I have syslog-ng installed and configured for mutual authentication.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>When the client was using a self-signed cert it worked. 
The client now</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>has a VeriSign cert.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Imported the CA and an intermediate cert and the public cert so the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>chain is complete but the error on authentication says: invalid CA</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>certificate, depth=2</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I have tried putting the pub cert in cert.d with the CA and</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>intermediate in ca.d. I also tried putting the intermediate in cert.d.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I made a hash for the CA and the intermediate.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I'm not really sure what else to try. 
Any help would be greatly</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>appreciated.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Can you ensure that "openssl verify" validates your cert in case</span><br></blockquote><blockquote type="cite"><span>syslog-ng doesn't?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>-- </span><br></blockquote><blockquote type="cite"><span>Bazsi</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote></div><div></div></body></html>