On Thu, 2011-01-06 at 16:03 +0100, Fabien Bagard wrote:
On 01/06/2011 03:05 PM, SZALAY Attila wrote:
Hi!
On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/.
This setup works: the server is getting the client's logs, and they are ciphered on the wire.
When I replace peer_verify(optional-untrusted) by peer_verify(required-trusted), in order to get mutual authentication, I get this error:
syslog-ng does not read all files from the CA dir. It searches for CA certificates by the hash value of the subject. So you should rename the CA files (or create symlinks to them) to the mentioned hash value. (And the extension should be .0.)
The hash value can be calculated with the openssl x509 -in <filename> -noout -hash command.
Or you can create the symbolic link(s) with the c_rehash command if it is available (this command is part of openssl).
Thanks for your quick reply,
I tried this already, and just tried again. To be sure, I linked in both /etc/syslog-ng/certs/CA/ and /etc/ssl/certs/:
openssl x509 -in /etc/syslog-ng/certs/CA/ca.crt -noout -hash
8fa7a206
ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/syslog-ng/certs/CA/8fa7a206.0
ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/ssl/certs/8fa7a206.0
/etc/init.d/syslog-ng restart
Stopping system logging: syslog-ng.
Starting system logging: syslog-ng.
On both client and server. Now I get:
Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection established; fd='9', server='AF_INET(192.168.0.42:4242)', local='AF_INET(0.0.0.0:0)'
Jan 6 15:11:51 client syslog-ng[11528]: Certificate validation failed; subject='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', issuer='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', error='self signed certificate in certificate chain', depth='1'
Jan 6 15:11:51 client syslog-ng[11528]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Jan 6 15:11:51 client syslog-ng[11528]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'
Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection broken; fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'
My question: how can I use a self-signed CA?
It's the whole point of certificate validation to use self-signed CA certificates (after all, a centrally trusted CA is self-signed too). Try validating that your directory is correct using "openssl verify"; once that validates the cert, syslog-ng should too.
-- Bazsi
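The steps Attila describes (hash the CA subject, link the file as <hash>.0) and the check Bazsi suggests (run "openssl verify" against the directory), as an added, runnable example that is not code from this thread or from the syslog-ng project. It builds throwaway certificates in a temporary directory, which is an assumption for the demo; the thread's real directory was /etc/syslog-ng/certs/CA/. It also reproduces the "self signed certificate in certificate chain" failure from a directory that holds the CA only under its original file name, by passing the CA as -untrusted, which is how a TLS client receives it: in the server's chain, accepted only if the trusted directory contains it.

```shell
#!/bin/sh
# Added example, not code from the syslog-ng list thread: build a throwaway
# self-signed CA and a server certificate, install the CA in the hashed
# <subject-hash>.0 layout the CA directory lookup needs, and check the result
# with "openssl verify" before pointing syslog-ng at it.
# The working directory is an assumption for the demo; the thread's real
# directory was /etc/syslog-ng/certs/CA/.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/CA"            # stands in for /etc/syslog-ng/certs/CA/
UNHASHED="$WORK/unhashed"   # same CA file, but only under its original name

# Generate a self-signed CA and a server certificate issued by it.
make_certs() {
    mkdir -p "$CADIR" "$UNHASHED"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=logserver" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
    cp "$WORK/ca.crt" "$UNHASHED/ca.crt"
}

# Link the CA under <subject-hash>.0 in the CA directory and print the link.
# "c_rehash $CADIR" (or "openssl rehash $CADIR" on OpenSSL 1.1 and later)
# does the same for every certificate in the directory.
install_ca() {
    hash=$(openssl x509 -in "$WORK/ca.crt" -noout -hash)
    ln -sf "$WORK/ca.crt" "$CADIR/$hash.0"
    echo "$CADIR/$hash.0"
}

# Verify server.crt against a CA directory. The CA is passed as -untrusted
# because that is how a TLS client sees it: sent in the server's chain, and
# trusted only if the same certificate is found in the CA directory.
verify_against_dir() {
    openssl verify -CApath "$1" -untrusted "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Print the first verification error for a CA directory (empty on success).
verify_error() {
    openssl verify -CApath "$1" -untrusted "$WORK/ca.crt" "$WORK/server.crt" 2>&1 \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

main() {
    make_certs
    echo "CA installed as $(install_ca)"
    # Same error the thread shows at depth 1 (OpenSSL 3 spells it "self-signed").
    echo "unhashed dir: $(verify_error "$UNHASHED")"
    if verify_against_dir "$CADIR"; then
        echo "hashed dir: verification OK"
    fi
}
main
```

Once the hashed directory passes "openssl verify", the same directory can be used as the CA dir in the syslog-ng TLS configuration; a CA file present under any other name is simply never consulted, which is what the depth-1 "self signed certificate in certificate chain" error in the log above reflects.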