The SSL alert is sent by the client, thus the client didn't accept the certificate of the server. Can you paste that config as well?

On Jun 24, 2015 11:44 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <klaus.schulte@nokia.com> wrote:
Dear all,
I've this source settings for TLS:
source s_tcp_tls {
    network(
        transport("tls")
        ip(10.46.130.65)
        port(6514)
        tls(
            peer-verify("optional-untrusted")
            key-file("/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/etc/syslog-ng/cert.d/syslog-ng.cert")
        )
    );
};
But when a client connects via TCP/TLS to the syslog-ng service, these messages show up in syslog-ng:
syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
Closing log transport fd; fd='12'
I don't know why syslog-ng is proving the CA. As far as I know the configuration is non-mutual authentication, so the CA shouldn't play a role in this - is this correct?
The client sends messages in RFC5424 format.
Any help is appreciated - I've no clue what's going wrong.
Best regards
Klaus
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
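To make the point in the reply concrete, here is an added triage script (not from the thread and not part of syslog-ng) that reads syslog-ng internal messages like the ones quoted above and reports which side rejected the handshake: OpenSSL reports an alert it received from the peer as "tlsv1 alert <description>", whereas a failure of its own check of the peer's certificate reads "certificate verify failed". The log lines are a constructed sample modelled on the quoted ones.

```python
import re

# Constructed sample, modelled on the syslog-ng messages quoted in the thread.
SAMPLE_LOG = """\
syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
"""

KV_RE = re.compile(r"(\w+)='([^']*)'")

def parse_line(line):
    """Split a syslog-ng internal message into its text and its key='value' pairs."""
    head, _, rest = line.partition(";")
    return head.strip(), dict(KV_RE.findall(rest))

def classify_tls_error(tls_error):
    """Decide which side rejected the handshake from OpenSSL's error string.
    'tlsv1 alert <desc>' is an alert *received* from the peer, so the peer refused us;
    'certificate verify failed' means our own check of the peer's certificate failed."""
    e = tls_error.lower()
    if " alert " in e:
        desc = e.split(" alert ", 1)[1].strip()
        hint = ("peer does not trust the CA that issued our certificate"
                if desc == "unknown ca" else "peer aborted the handshake")
        return "peer", desc, hint
    if "certificate verify failed" in e:
        return "local", "certificate verify failed", "peer certificate failed our verification"
    return "unknown", e, "unrecognised TLS error"

def triage(log_text):
    """Attribute each TLS error to the most recently accepted, still open connection
    (the 'SSL error' line carries no fd) and return one finding per failure."""
    open_fds, last_fd, findings = {}, None, []
    for line in log_text.splitlines():
        msg, kv = parse_line(line)
        if msg == "Syslog connection accepted":
            last_fd = kv["fd"]
            open_fds[last_fd] = kv.get("client", "?")
        elif msg == "SSL error while reading stream" and last_fd in open_fds:
            side, desc, hint = classify_tls_error(kv.get("tls_error", ""))
            findings.append({"fd": last_fd, "client": open_fds[last_fd],
                             "rejected_by": side, "alert": desc, "hint": hint})
        elif msg == "Syslog connection closed":
            open_fds.pop(kv.get("fd"), None)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the quoted session this yields a single finding attributed to fd 12 and client 10.46.160.78, rejected by the peer with "unknown ca", which is why the server's peer-verify() setting is irrelevant here and the client's trust store is what needs the issuing CA.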