On Thu, 2009-06-04 at 16:35 +0200, Hahusseau, Thomas wrote:
> Hi,
> I'm using syslog-ng OSE with encrypted message transport thanks to TLS for a few weeks. Now I try to activate the mutual authentication option. I have several issues with the TLS mutual authentication; the log errors are:
> Jun 4 16:01:31 desktop syslog-ng[26644]: SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
> Jun 4 16:01:31 desktop syslog-ng[26644]: I/O error occurred while reading; fd='14', error='Connection reset by peer (104)'
> Jun 4 16:01:31 desktop syslog-ng[26644]: Syslog connection closed; fd='14', client='AF_INET(10.254.1.172:43751)', local='AF_INET(0.0.0.0:9999)'
Well, the error message 'tlsv1 alert unknown ca' means that the peer was not able to validate the CA that was used to sign this side's certificate. I don't know if the host "desktop" is your client or server. Try running: openssl verify -CApath /etc/pfc/credentials/CA <path-to-other-cert>
> These are samples of my config file:
> Server:
> source s_net_tls {
>     tcp(port(9999)
>         tls(key_file("/etc/pfc/credentials/Server/server.key")
>             cert_file("/etc/pfc/credentials/Server/server.pem")
>             ca_dir("/etc/pfc/credentials/CA/")
>             # peer_verify(optional-untrusted)
>             peer_verify(required-trusted)
>         )
>     );
> };
> Client:
> destination d_remote_server_tls {
>     tcp("10.254.1.141" port(9999)
>         tls(ca_dir("/etc/pfc/credentials/CA")
>             key_file("/etc/pfc/credentials/Client/client.key")
>             cert_file("/etc/pfc/credentials/Client/client.pem")
>             peer_verify(required-trusted)
>             # peer_verify(optional-untrusted)
>         )
>     );
> };
> Here is how I generated my CA certificate and the server and client certificates:
> openssl genrsa 1024 > CA/ca.key
> openssl req -new -x509 -days 365 -key CA/ca.key -out CA/ca.cert
> cat CA/ca.cert CA/ca.key > CA/ca.pem
You distribute the private key for your CA? That's not too wise, and it shouldn't be needed at all for certificate validation. Also, is your CA key really a CA? I mean the basicConstraints extension should contain "CA:TRUE".
> openssl genrsa 1024 > Client/client.key
> openssl req -new -key Client/client.key -out Client/client.csr
> openssl x509 -req -days 365 -in Client/client.csr -CA CA/ca.cert -CAkey CA/ca.key -set_serial 01 -out Client/client.cert
> cat Client/client.cert Client/client.key > Client/client.pem
> openssl genrsa 1024 > Server/server.key
> openssl req -new -key Server/server.key -out Server/server.csr
> openssl x509 -req -days 365 -in Server/server.csr -CA CA/ca.cert -CAkey CA/ca.key -set_serial 01 -out Server/server.cert
> cat Server/server.cert Server/server.key > Server/server.pem
Also, syslog-ng looks for the key file and cert file in separate files; you don't need to copy them into the same file. E.g. cert_file should point to server.cert and key_file to server.key; you don't need a pem file.
> Of course I did the link with
> openssl x509 -noout -hash -in ca.pem
> ln -s ca.pem XXXX
> If anyone can help me, or give a step-by-step procedure that works. I also tried the procedure described in the "syslog-ng admin guide"; it doesn't work either.
-- Bazsi
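The following script is an added example, not code from the thread or from the syslog-ng project. It builds the small PKI Bazsi's reply implies (a CA certificate that actually carries basicConstraints CA:TRUE, separate .key/.cert files for the server and client, only the CA certificate, never its key, placed in the hash-named ca_dir layout) and then runs the same `openssl verify -CApath` check he suggests, once against a certificate from the trusted CA and once against a certificate from an unrelated CA, which is the situation behind the "tlsv1 alert unknown ca" in the original log. Everything assumes only a working `openssl` command-line tool; the directory layout, the 2048-bit keys and the function names are choices of this example. It also gives the two leaf certificates different serial numbers, since the commands in the post issue both with -set_serial 01 from the same CA.

```shell
#!/bin/sh
# Added example (not from the thread or from syslog-ng): build a small PKI the
# way Bazsi's reply implies, then check it the way he suggests.
# Assumes only a working `openssl` command-line tool.
set -eu

# write_cnf FILE: minimal OpenSSL config. The CA section carries
# basicConstraints=CA:TRUE (the extension Bazsi asks about); the leaf section
# marks server/client certs as non-CA and usable for both TLS roles.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca DIR NAME: self-signed CA as DIR/NAME.key and DIR/NAME.cert.
make_ca() {
  d=$1; name=$2
  openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$d/$name.key" -subj "/CN=$name" \
    -config "$d/openssl.cnf" -extensions v3_ca -out "$d/$name.cert"
}

# issue_cert DIR CA NAME SERIAL: leaf cert for NAME signed by CA. Every cert a
# CA issues needs a distinct serial; the post gives both leaves serial 01.
issue_cert() {
  d=$1; ca=$2; name=$3; serial=$4
  openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
  openssl req -new -key "$d/$name.key" -subj "/CN=$name" \
    -config "$d/openssl.cnf" -out "$d/$name.csr"
  openssl x509 -req -days 365 -in "$d/$name.csr" -CA "$d/$ca.cert" \
    -CAkey "$d/$ca.key" -set_serial "$serial" \
    -extfile "$d/openssl.cnf" -extensions v3_leaf -out "$d/$name.cert" 2>/dev/null
}

# install_ca CADIR CERT: place the CA cert (only the cert, never the key) in
# the hash-named layout that syslog-ng's ca_dir() / OpenSSL -CApath expect.
install_ca() {
  cadir=$1; cert=$2
  mkdir -p "$cadir"
  h=$(openssl x509 -noout -hash -in "$cert")
  cp "$cert" "$cadir/$h.0"
}

# verify_cert CADIR CERT: succeeds only if CERT chains to a CA in CADIR.
# A cert from an unknown CA fails here, which is what the peer's
# "tlsv1 alert unknown ca" reports during the TLS handshake.
verify_cert() {
  openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# is_ca CERT: succeeds if the cert carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# build_demo: trusted CA with a server and a client cert, plus an unrelated
# "rogue" CA with its own client cert. Prints the scratch directory.
build_demo() {
  demo=$(mktemp -d)
  write_cnf "$demo/openssl.cnf"
  make_ca "$demo" ca
  issue_cert "$demo" ca server 1
  issue_cert "$demo" ca client 2
  install_ca "$demo/ca_dir" "$demo/ca.cert"
  make_ca "$demo" rogue-ca
  issue_cert "$demo" rogue-ca rogue-client 1
  echo "$demo"
}
```

With the directory this produces, the server side would use cert_file("…/server.cert"), key_file("…/server.key") and ca_dir("…/ca_dir"), and the client the matching client.cert/client.key with the same ca_dir; no concatenated .pem files are involved. The hash name comes from the OpenSSL that runs the script: OpenSSL 1.0.0 changed the subject-hash algorithm, so if the syslog-ng host runs a different major OpenSSL version than the machine that generated the certificates, create the hash link on the syslog-ng host itself.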