
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">


<head>


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<meta name="Generator" content="Microsoft Word 15 (filtered medium)">


<style><!--


/* Font Definitions */


@font-face


        {font-family:"Cambria Math";


        panose-1:2 4 5 3 5 4 6 3 2 4;}


@font-face


        {font-family:Calibri;


        panose-1:2 15 5 2 2 2 4 3 2 4;}


@font-face


        {font-family:Consolas;


        panose-1:2 11 6 9 2 2 4 3 2 4;}


/* Style Definitions */


p.MsoNormal, li.MsoNormal, div.MsoNormal


        {margin:0cm;


        font-size:12.0pt;


        font-family:"Times New Roman",serif;}


a:link, span.MsoHyperlink


        {mso-style-priority:99;


        color:blue;


        text-decoration:underline;}


pre


        {mso-style-priority:99;


        mso-style-link:"HTML Preformatted Char";


        margin:0cm;


        font-size:10.0pt;


        font-family:"Courier New";}


span.HTMLPreformattedChar


        {mso-style-name:"HTML Preformatted Char";


        mso-style-priority:99;


        mso-style-link:"HTML Preformatted";


        font-family:"Consolas",serif;}


span.EmailStyle21


        {mso-style-type:personal-reply;


        font-family:"Calibri",sans-serif;


        color:windowtext;}


.MsoChpDefault


        {mso-style-type:export-only;


        font-size:10.0pt;}


@page WordSection1


        {size:612.0pt 792.0pt;


        margin:72.0pt 72.0pt 72.0pt 72.0pt;}


div.WordSection1


        {page:WordSection1;}


--></style><!--[if gte mso 9]><xml>


<o:shapedefaults v:ext="edit" spidmax="1026" />


</xml><![endif]--><!--[if gte mso 9]><xml>


<o:shapelayout v:ext="edit">


<o:idmap v:ext="edit" data="1" />


</o:shapelayout></xml><![endif]-->


</head>


<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">


<div class="WordSection1">


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hi Attila,<o:p></o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>


<p class="MsoNormal" style="margin-left:36.0pt"><i><span style="color:gray">The trusted-dn() option is used for an additional verification step to reject clients/servers<o:p></o:p></span></i></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Ah, OK, yes, I think I misread (or misinterpreted) this. I get how this is used now, thx.<o:p></o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>


<p class="MsoNormal" style="margin-left:36.0pt"><i><span style="color:gray">Could you kindly confirm that this is what you are looking for?<o:p></o:p></span></i></p>


<p class="MsoNormal"><o:p> </o:p></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Yes, exactly. This is similar to what (for e.g.) the SSLCACertificate{File|Path} mod_ssl directives are used for with the Apache HTTP Server and its HTTPS operation


 (see <a href="https://httpd.apache.org/docs/2.4/mod/mod_ssl.html">https://httpd.apache.org/docs/2.4/mod/mod_ssl.html</a>). Without this connecting clients aren’t given any hints that can help them provide a proper client certificate (when they otherwise have


 many to choose from, each possibly signed by different CAs).<o:p></o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thanks,<o:p></o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">-David<o:p></o:p></span></p>


<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>


<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">


<div>


<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">


<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng <syslog-ng-bounces@lists.balabit.hu>


<b>On Behalf Of </b>Attila Szakács<br>


<b>Sent:</b> Thursday, March 30, 2023 3:12 AM<br>


<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>


<b>Subject:</b> Re: [syslog-ng] TLS "trusted-dn" Question<o:p></o:p></span></p>


</div>


</div>


<p class="MsoNormal"><o:p> </o:p></p>


<div>


<p class="MsoNormal">Hi David, <o:p></o:p></p>


<div>


<p class="MsoNormal"><o:p> </o:p></p>


</div>


<div>


<p class="MsoNormal">The trusted-dn() option is used for an additional verification step to reject clients/servers, which provide a cert having such a <b>subject</b> field that does not match with any of the patterns set in trusted-dn().<o:p></o:p></p>


</div>


<div>


<p class="MsoNormal"><o:p> </o:p></p>


</div>


<div>


<p class="MsoNormal">Unfortunately, I think that the first sentence in the documentation is a bit misleading:<o:p></o:p></p>


</div>


<div>


<p class="MsoNormal"><i>Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State,


 C=*") will accept only certificates issued for the Example Inc organization in Some-State state.</i><o:p></o:p></p>


</div>


<div>


<p class="MsoNormal"><o:p> </o:p></p>


</div>


<div>


<p class="MsoNormal">If I understand correctly, what you would like to achieve is defined in <a href="https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fwww.ietf.org%2Frfc%2Frfc5246.txt&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wL9mYnHT0wDAWeUPj1DCRdF1DcwQUpguUech2vhKb7s%3D&reserved=0">https://www.ietf.org/rfc/rfc5246.txt</a>


 -> <span style="color:black">7.4.4. Certificate Request:</span><o:p></o:p></p>


</div>


<div>


<pre style="white-space:pre-wrap"><span style="color:black">   certificate_authorities<o:p></o:p></span></pre>


<pre><span style="color:black">      A list of the distinguished names [X501] of acceptable<o:p></o:p></span></pre>


<pre><span style="color:black">      certificate_authorities, represented in DER-encoded format.  These<o:p></o:p></span></pre>


<pre><span style="color:black">      distinguished names may specify a desired distinguished name for a<o:p></o:p></span></pre>


<pre><span style="color:black">      root CA or for a subordinate CA; thus, this message can be used to<o:p></o:p></span></pre>


<pre><span style="color:black">      describe known roots as well as a desired authorization space.  If<o:p></o:p></span></pre>


<pre><span style="color:black">      the certificate_authorities list is empty, then the client MAY<o:p></o:p></span></pre>


<pre><span style="color:black">      send any certificate of the appropriate ClientCertificateType,<o:p></o:p></span></pre>


<pre><span style="color:black">      unless there is some external arrangement to the contrary.<o:p></o:p></span></pre>


<pre style="white-space:pre-wrap"><span style="color:black"><o:p> </o:p></span></pre>


<pre style="white-space:pre-wrap"><span style="font-family:"Arial",sans-serif;color:#222222">This is not implemented in syslog-ng, yet, but it could be done easily with </span><span style="font-family:"Arial",sans-serif;color:black"><a href="https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FSSL_get0_CA_list.html&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=v1Hbhcgm4Bf2zw0AYF6%2F177xXLXxjkU5HhwLPCBfDS0%3D&reserved=0">SSL_set_client_CA_list()</a>:<o:p></o:p></span></pre>


<pre><i><span style="font-family:"Arial",sans-serif;color:black">SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.</span></i><span style="color:black"><o:p></o:p></span></pre>


</div>


<div>


<p class="MsoNormal"><span style="color:black">Could you kindly confirm that this is what you are looking for?</span><o:p></o:p></p>


</div>


<div>


<p class="MsoNormal"><span style="color:black"><br>


<br>


</span><o:p></o:p></p>


</div>


<div>


<p class="MsoNormal"><span style="color:black">Cheers,</span><o:p></o:p></p>


</div>


<div>


<p class="MsoNormal"><span style="color:black">Attila</span><o:p></o:p></p>


</div>


</div>


<p class="MsoNormal"><o:p> </o:p></p>


<div>


<div>


<p class="MsoNormal">On Wed, Mar 29, 2023 at 8:42 PM David Hauck <<a href="mailto:davidh@netacquire.com">davidh@netacquire.com</a>> wrote:<o:p></o:p></p>


</div>


<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">


<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>


<br>


I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that


 clients can properly condition their supplied client certificates. <br>


<br>


I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):<br>


<br>


TLSv1.2 Record Layer: Handshake Protocol: Certificate Request<br>


    Content Type: Handshake (22)<br>


    Version: TLS 1.2 (0x0303)<br>


    Length: 58<br>


    Handshake Protocol: Certificate Request<br>


        Handshake Type: Certificate Request (13)<br>


        Length: 54<br>


        Certificate types count: 3<br>


        Certificate types (3 types)<br>


        Signature Hash Algorithms Length: 46<br>


        Signature Hash Algorithms (23 algorithms)<br>


        Distinguished Names Length: 0                          <----- always '0'<br>


<br>


In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.<br>


<br>


Here's the syslog-ng.conf entry for these sources:<br>


<br>


source s_515_tls {<br>


   network( transport(tls) port(515) ip-protocol(6)<br>


      tls(ca-dir("/etc/ssl/certs") key-file("/root/naservers.key") cert-file("/root/naservers.cer")<br>


         peer-verify(required-trusted) trusted-dn("CN=*.<a href="https://usg02.safelinks.protection.office365.us/?url=http%3A%2F%2Fnetacquire.com%2F&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=X5NIUWuYD5F4GQ6WbnW%2F5HMrjJFkeg%2Fh4ma9xUMdN8w%3D&reserved=0" target="_blank">netacquire.com</a>"))


 ); <br>


};<br>


<br>


I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected switching to 'peer-verify(required-untrusted)'


 results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging.<br>


<br>


I figure I must be missing something obvious ;). Any ideas?<br>


<br>


Here's my syslog-ng version info:<br>


<br>


[logdest:~]# syslog-ng --version<br>


syslog-ng 3 (3.31.2)<br>


Config version: 3.29<br>


Installer-Version: 3.31.2<br>


Revision:<br>


Compile-Date: Nov  9 2021 12:52:59<br>


Module-Directory: /usr/lib/syslog-ng<br>


Module-Path: /usr/lib/syslog-ng<br>


Include-Path: /usr/share/syslog-ng/include<br>


Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser<br>


Enable-Debug: off<br>


Enable-GProf: off<br>


Enable-Memtrace: off<br>


Enable-IPv6: on<br>


Enable-Spoof-Source: off<br>


Enable-TCP-Wrapper: on<br>


Enable-Linux-Caps: on<br>


Enable-Systemd: off<br>


<br>


Thanks,<br>


-David<br>


______________________________________________________________________________<br>


Member info: <a href="https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=E48rxdUkpoLsBgppz2Sm1%2F%2BikzdO8Q%2BxCt0KaghFig4%3D&reserved=0" target="_blank">


https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>


Documentation: <a href="https://usg02.safelinks.protection.office365.us/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=l2AI1TflzfBzXX6Yym2FfkuK8BfCrj4PCTAXTcF0hYg%3D&reserved=0" target="_blank">


http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>


FAQ: <a href="https://usg02.safelinks.protection.office365.us/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ccq%2F%2BRAuUwczH5Z4v%2FA9whYHcuXu2A5Bz39D64%2Bc5Hw%3D&reserved=0" target="_blank">


http://www.balabit.com/wiki/syslog-ng-faq</a><o:p></o:p></p>


</blockquote>


</div>


<p style="background:#BFFF00"><b><span style="color:black">External Email Warning!</span></b><span style="color:black"> Use caution before clicking links or opening attachments.</span><o:p></o:p></p>


</div>


</div>


</body>


</html>