<p dir="ltr">Well, your device is not trusting syslog-ng then. You have to configure it there or use a certificate authority that it trusts to issue the keys.</p>
<div class="gmail_quote">On Jun 25, 2015 8:26 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <<a href="mailto:klaus.schulte@nokia.com">klaus.schulte@nokia.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">The client is an embedded device – rsyslog is running on it.</p>
<p class="MsoNormal">With a certificate created from here: <a href="http://www.selfsignedcertificate.com/" target="_blank">http://www.selfsignedcertificate.com/</a> the TLS connection from device to syslog-ng works fine.</p>
<p class="MsoNormal">With a certificate created with INSTA-Server (not self-signed) I see the mentioned problem.</p>
<p class="MsoNormal">Best regards</p>
<p class="MsoNormal">Klaus</p>
<p class="MsoNormal">____________________________________________</p>
<p class="MsoNormal">find my openPGP key here: <i><a href="https://keyserver.pgp.com/" target="_blank">https://keyserver.pgp.com/</a></i></p>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]
<b>On Behalf Of </b>ext Scheidler, Balázs<br>
<b>Sent:</b> Thursday, June 25, 2015 7:46<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca</p>
</div>
<p>The SSL alert is sent by the client, thus the client didn't accept the certificate of the server. Can you paste that config as well?</p>
<div>
<p class="MsoNormal">On Jun 24, 2015 11:44 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <<a href="mailto:klaus.schulte@nokia.com" target="_blank">klaus.schulte@nokia.com</a>> wrote:</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Dear all,<br>
<br>
I've this source settings for TLS:</p>
<pre>source s_tcp_tls {
    network( transport("tls")
        ip(10.46.130.65) port(6514)
        tls(
            peer-verify("optional-untrusted")
            key-file("/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/etc/syslog-ng/cert.d/syslog-ng.cert")
        )
    );
};</pre>
<p class="MsoNormal" style="margin-bottom:12.0pt">But when a client connects via TCP/TLS to the syslog-ng service..<br>
<br>
In syslog-ng these messages are showing up:</p>
<pre>syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
Closing log transport fd; fd='12'</pre>
<p class="MsoNormal" style="margin-bottom:12.0pt">I don't know why syslog-ng is proving the CA?<br>
As far as I know the configuration is a non-mutual authentication - so the CA shouldn't play a role in this - is this correct?<br>
<br>
The client sends messages in RFC5424 format.<br>
<br>
Any help is appreciated - I've no clue what's going wrong.<br>
<br>
Best regards<br>
Klaus<br>
____________________________________________<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a></p>
</div>
</div>
</div>
<br></blockquote></div>
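<p>An added example, not part of the thread, to show where the alert in the log above comes from: the "unknown ca" alert is sent by the client when it cannot chain the server's certificate to a CA it trusts, so the CA matters on the device even though syslog-ng itself never verifies the client. The Python script below (my code, written for this page) builds a constructed CA and a CA-signed server certificate with the openssl command-line tool, which it assumes is installed, and runs two loopback handshakes, one where the client trusts the CA and one where it does not; the function names are mine.</p>

```python
import os, socket, ssl, subprocess, tempfile, threading


def make_pki():
    # Constructed test PKI: a private CA plus a server cert it signs (the CA-issued case).
    d = tempfile.mkdtemp(prefix="tls-demo-")   # left in place so the files can be inspected
    p = lambda n: os.path.join(d, n)
    with open(p("san.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    for args in (
        ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj", "/CN=Test CA",
         "-keyout", p("ca.key"), "-out", p("ca.pem")],
        ["req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=localhost",
         "-keyout", p("srv.key"), "-out", p("srv.csr")],
        ["x509", "-req", "-in", p("srv.csr"), "-CA", p("ca.pem"), "-CAkey", p("ca.key"),
         "-CAcreateserial", "-days", "1", "-extfile", p("san.cnf"), "-out", p("srv.pem")],
    ):
        subprocess.run(["openssl", *args], check=True, capture_output=True)
    return p("ca.pem"), p("srv.pem"), p("srv.key")


def handshake(srv_pem, srv_key, ca_pem=None):
    # One loopback handshake. Returns (client_error, server_error); None means that side succeeded.
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # plays syslog-ng: presents its cert, never verifies the client
    sctx.load_cert_chain(srv_pem, srv_key)
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # plays rsyslog: must chain the server cert to a trusted CA
    if ca_pem:
        cctx.load_verify_locations(ca_pem)          # the issuing CA installed on the device
    lsock = socket.create_server(("127.0.0.1", 0))
    result = {}

    def serve():
        conn, _ = lsock.accept()
        try:
            with sctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024)
                tls.sendall(b"ok")
                result["server"] = None
        except OSError as e:  # an SSLError here carries the alert the client sent
            result["server"] = getattr(e, "reason", type(e).__name__)

    t = threading.Thread(target=serve)
    t.start()
    try:
        with cctx.wrap_socket(socket.create_connection(lsock.getsockname()), server_hostname="localhost") as tls:
            tls.sendall(b"<14>1 2015-06-25T08:26:00Z device rsyslogd - - - constructed test\n")
            tls.recv(2)                  # read the reply so the client closes cleanly
            result["client"] = None
    except ssl.SSLError as e:
        result["client"] = e.reason      # CERTIFICATE_VERIFY_FAILED when the CA is unknown to the client
    t.join()
    lsock.close()
    return result["client"], result["server"]
```

<p>With the CA loaded, <code>handshake(crt, key, ca)</code> returns <code>(None, None)</code>; without it, the client side reports <code>CERTIFICATE_VERIFY_FAILED</code> and the server side sees <code>TLSV1_ALERT_UNKNOWN_CA</code>, the same alert syslog-ng logged above. The fix is therefore to install the issuing CA on the device, not to change <code>peer-verify()</code> on the server.</p>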