Hi Peter,
Apologies, I should’ve updated earlier. I had missed something during my testing and it appeared to me that things weren’t working as expected.
I spent some more time on this, and things do work as expected in the 3.35.1 release.
Thank you,
Shankar.
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Peter Czanik (pczanik)
Sent: 18 February 2025 11:29
To: syslog-ng@lists.balabit.hu
Cc: Pritam Pal Singh <singhp@infoblox.com>; M P Singh <msingh3@infoblox.com>; Vijaya Kumar Mukka <vmukka@infoblox.com>; Patrick McEvoy <pmcevoy@infoblox.com>; Kevin Sheehan <ksheehan@infoblox.com>; Michael Winslow <mwinslow@infoblox.com>
Subject: Re: [syslog-ng] CRL handling in syslog
Hi Shankar,
Could you test this on the latest syslog-ng release? Note that I never used this syslog-ng feature. I'm asking you this, as 4.8.1 is where development happens, and where we can fix it, if there is a problem.
Peter
Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Shankar Pramanik <spramanik@infoblox.com>
Sent: Friday, February 14, 2025 08:04
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Cc: Pritam Pal Singh <singhp@infoblox.com>; M P Singh <msingh3@infoblox.com>; Vijaya Kumar Mukka <vmukka@infoblox.com>; Patrick McEvoy <pmcevoy@infoblox.com>; Kevin Sheehan <ksheehan@infoblox.com>; Michael Winslow <mwinslow@infoblox.com>
Subject: [syslog-ng] CRL handling in syslog
I’ve configured syslog-ng 3.35.1 to use CRLs but things aren’t working as expected. This is what I’ve done:
With this setup, I’d expect the syslog client to reject the server certificate since it’s revoked, but that doesn’t happen. The TLS handshake and subsequent communication are successful.
Is there anything that I’m missing? Any pointers will be appreciated. I can provide additional details of my setup if needed.
Thanks!
Shankar.