<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>

<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">

</head>

<body bgcolor="#ffffff" text="#000000">

Hi all,<br>

<br>

I am trying to set up a centralized syslog server, with encryption and

authentication over TCP.<br>

<br>

Communication is ok, encryption too, but I can't get the authentication

to work.<br>

<br>

Here is my actual configuration, reduced to what is needed :<br>

<br>

<u>Client :</u><br>

<font face="monospace">source s_src {<br>

&nbsp;&nbsp;&nbsp; unix-dgram("/dev/log");<br>

&nbsp;&nbsp;&nbsp; internal();<br>

&nbsp;&nbsp;&nbsp; file("/proc/kmsg" program_override("kernel"));<br>

};<br>

...<br>

destination d_net {<br>

&nbsp;&nbsp;&nbsp; tcp("192.168.0.42"<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port(4242)<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tls(<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ca_dir("/etc/rsyslog.d/certs/CA/")<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cert_file("/etc/rsyslog.d/certs/client.crt")<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key_file("/etc/rsyslog.d/certs/client.key")<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer_verify(optional-untrusted)<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; log_fifo_size(1000)<br>

&nbsp;&nbsp;&nbsp; );<br>

};<br>

...<br>

log { source(s_src); destination(d_net); };</font><br>

<br>

<u>Server :</u><br>

<font face="monospace">source s_src {<br>

&nbsp;&nbsp;&nbsp; # Local logging<br>

&nbsp;&nbsp;&nbsp; unix-dgram("/dev/log");<br>

&nbsp;&nbsp;&nbsp; file("/proc/kmsg" program_override("kernel"));<br>

&nbsp;&nbsp;&nbsp; # Remote logging<br>

&nbsp;&nbsp;&nbsp; tcp(<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port(4242)<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tls(<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ca_dir("/etc/syslog-ng/certs/CA/")<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cert_file("/etc/syslog-ng/certs/server.crt")<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key_file("/etc/syslog-ng/certs/server.key")<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer_verify(optional-untrusted)<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br>

&nbsp;&nbsp;&nbsp; );<br>

};</font><br>

<br>

The CA which was used to sign these certificates is world readable and

located in /etc/syslog-ng/certs/CA/<br>

<br>

This setup works : server is getting client's logs, and cypherred on

the wire.<br>

<br>

When I replace <i>peer_verify(optional-untrusted)</i> by <i>peer_verify(required-trusted)</i>,

in order to get mutual authentication, I get this error : <br>

<br>

<font face="monospace">==&gt; /var/log/error &lt;==<br>

Jan&nbsp; 6 14:42:09 client syslog-ng[11086]: Certificate validation failed;

subject='<a class="moz-txt-link-abbreviated" href="mailto:emailAddress=email@address.com">emailAddress=email@address.com</a>, CN=server.fqdn, OU=Org Unit,

O=Company, L=City, ST=Crountry, C=ID',

issuer='<a class="moz-txt-link-abbreviated" href="mailto:emailAddress=email@address.com">emailAddress=email@address.com</a>, CN=Root CA, OU=Org Unit,

O=Company Root CA, L=City, ST=Country, C=ID', error='unable to get

local issuer certificate', depth='0'<br>

Jan&nbsp; 6 14:42:09 client syslog-ng[11086]: SSL error while writing

stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate

verify failed'<br>

Jan&nbsp; 6 14:42:09 client syslog-ng[11086]: I/O error occurred while

writing; fd='9', error='Broken pipe (32)'<br>

<br>

==&gt; /var/log/messages &lt;==<br>

Jan&nbsp; 6 14:42:09 client syslog-ng[11086]: Syslog connection broken;

fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'</font><br>

<br>

But my certificates are good :<br>

<br>

<font face="monospace">openssl verify -CAfile

/etc/syslog-ng/certs/CA/ca.crt -purpose any

/etc/syslog-ng/certs/client.crt<br>

/etc/syslog-ng/certs/client.crt: OK<br>

openssl verify -CAfile /etc/syslog-ng/certs/CA/ca.crt -purpose any

/etc/syslog-ng/certs/server.crt<br>

/etc/syslog-ng/certs/server.crt: OK</font><br>

<br>

More informations :<br>

<br>

root@[client|server]:~ #<br>

<font face="monospace">syslog-ng -V<br>

syslog-ng 3.1.3<br>

Installer-Version: 3.1.3<br>

Revision:

<a class="moz-txt-link-abbreviated" href="mailto:ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3">ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3</a><br>

Compile-Date: Nov 28 2010 12:29:35<br>

Enable-Threads: on<br>

Enable-Debug: off<br>

Enable-GProf: off<br>

Enable-Memtrace: off<br>

Enable-Sun-STREAMS: off<br>

Enable-Sun-Door: off<br>

Enable-IPv6: on<br>

Enable-Spoof-Source: on<br>

Enable-TCP-Wrapper: on<br>

Enable-SSL: on<br>

Enable-SQL: on<br>

Enable-Linux-Caps: on<br>

Enable-Pcre: on</font><br>

<br>

Does someone has any clue on what's going wrong ?<br>

<br>

<pre class="moz-signature" cols="72">-- 

Fabien Bagard

IT Department

tel + 33 (0)1 48 03 60 40

--------------------------------------------------------------------------------

Parrot SA

174, Quai de Jemmapes | 75010 Paris - France

tel + 33 (0)1 48 03 60 60 | fax + 33 (0)1 48 03 70 08

<a class="moz-txt-link-freetext" href="http://www.parrot.com">http://www.parrot.com</a>

--------------------------------------------------------------------------------

This e-mail message and any attached document(s) are for the sole use of

the intended recipient(s)and may contain confidential and legally

privileged information.

Any unauthorized review, copy, use and/or disclosure is prohibited.

If you are not the intended recipient, please contact the sender by

reply e-mail and destroy all copies of the original.

</pre>

</body>

</html>