<div dir="ltr">Hi David,<div><br></div><div>The trusted-dn() option is used for an additional verification step to reject clients/servers, which provide a cert having such a <b>subject</b> field that does not match with any of the patterns set in trusted-dn().</div><div><br></div><div>Unfortunately, I think that the first sentence in the documentation is a bit misleading:</div><div><i>Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.</i><br></div><div><i><br></i></div><div>If I understand correctly, what you would like to achieve is defined in <a href="https://www.ietf.org/rfc/rfc5246.txt">https://www.ietf.org/rfc/rfc5246.txt</a> -> <span style="color:rgb(0,0,0);white-space:pre-wrap">7.4.4. Certificate Request:</span></div><div><pre style="color:rgb(0,0,0);white-space:pre-wrap"> certificate_authorities
A list of the distinguished names [X501] of acceptable
certificate_authorities, represented in DER-encoded format. These
distinguished names may specify a desired distinguished name for a
root CA or for a subordinate CA; thus, this message can be used to
describe known roots as well as a desired authorization space. If
the certificate_authorities list is empty, then the client MAY
send any certificate of the appropriate ClientCertificateType,
unless there is some external arrangement to the contrary.</pre><pre style="color:rgb(0,0,0);white-space:pre-wrap"><br></pre><pre style="color:rgb(0,0,0);white-space:pre-wrap"><span style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;white-space:normal">This is not implemented in syslog-ng, yet, but it could be done easily with</span><font face="arial, sans-serif"><span style="color:rgb(34,34,34);white-space:normal"> </span><a href="https://www.openssl.org/docs/man3.0/man3/SSL_get0_CA_list.html">SSL_set_client_CA_list()</a>:
<i>SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.</i></font></pre></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">Could you kindly confirm that this is what you are looking for?</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br></span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">Cheers,</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">Attila</span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 29, 2023 at 8:42 PM David Hauck <<a href="mailto:davidh@netacquire.com">davidh@netacquire.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that clients can properly condition their supplied client certificates. <br>
<br>
I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):<br>
<br>
TLSv1.2 Record Layer: Handshake Protocol: Certificate Request<br>
Content Type: Handshake (22)<br>
Version: TLS 1.2 (0x0303)<br>
Length: 58<br>
Handshake Protocol: Certificate Request<br>
Handshake Type: Certificate Request (13)<br>
Length: 54<br>
Certificate types count: 3<br>
Certificate types (3 types)<br>
Signature Hash Algorithms Length: 46<br>
Signature Hash Algorithms (23 algorithms)<br>
Distinguished Names Length: 0 <----- always '0'<br>
<br>
In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.<br>
<br>
Here's the syslog-ng.conf entry for these sources:<br>
<br>
source s_515_tls {<br>
network( transport(tls) port(515) ip-protocol(6)<br>
tls(ca-dir("/etc/ssl/certs") key-file("/root/naservers.key") cert-file("/root/naservers.cer")<br>
peer-verify(required-trusted) trusted-dn("CN=*.<a href="http://netacquire.com" rel="noreferrer" target="_blank">netacquire.com</a>")) ); <br>
};<br>
<br>
I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected switching to 'peer-verify(required-untrusted)' results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging.<br>
<br>
I figure I must be missing something obvious ;). Any ideas?<br>
<br>
Here's my syslog-ng version info:<br>
<br>
[logdest:~]# syslog-ng --version<br>
syslog-ng 3 (3.31.2)<br>
Config version: 3.29<br>
Installer-Version: 3.31.2<br>
Revision:<br>
Compile-Date: Nov 9 2021 12:52:59<br>
Module-Directory: /usr/lib/syslog-ng<br>
Module-Path: /usr/lib/syslog-ng<br>
Include-Path: /usr/share/syslog-ng/include<br>
Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: off<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Systemd: off<br>
<br>
Thanks,<br>
-David<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>