Hi Shankar,

Could you test this on the latest syslog-ng release? Note that I never used this syslog-ng feature. I'm asking you this, as 4.8.1 is where development happens, and where we can fix it, if there is a problem.

Peter

Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik


From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Shankar Pramanik <spramanik@infoblox.com>
Sent: Friday, February 14, 2025 08:04
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Cc: Pritam Pal Singh <singhp@infoblox.com>; M P Singh <msingh3@infoblox.com>; Vijaya Kumar Mukka <vmukka@infoblox.com>; Patrick McEvoy <pmcevoy@infoblox.com>; Kevin Sheehan <ksheehan@infoblox.com>; Michael Winslow <mwinslow@infoblox.com>
Subject: [syslog-ng] CRL handling in syslog
I’ve configured syslog-ng 3.35.1 to use CRLs but things aren’t working as expected. This is what I’ve done:


  1. Create a self-signed CA and use it to sign a server certificate. The server certificate has a CRL distribution point in it.

  2. Revoke the server certificate. Generate the revoked CRL and put it on the syslog client under /etc/syslog-ng/crl in PEM format. There’s a <issuer hash>.r0 link to the CRL in this directory.

  3. Configure ca-dir and crl-dir in the client’s syslog config. Configure the client to connect to the remote syslog server.


With this setup, I’d expect the syslog client to reject the server certificate since it’s revoked, but that doesn’t happen. The TLS handshake and subsequent communication are successful.


Is there anything that I’m missing? Any pointers will be appreciated. I can provide additional details of my setup if needed.


Thanks!

Shankar.
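The three steps above can be reproduced outside syslog-ng to check the CRL material itself before suspecting the syslog-ng side. The script below is an added example, not code from this thread or from the syslog-ng project: it builds a throwaway CA, issues a server certificate with a CRL distribution point, revokes it, publishes the CRL in PEM form with an `<issuer hash>.r0` link, and asks plain `openssl verify -crl_check` whether OpenSSL's hashed-directory lookup finds and honours that CRL. It also writes the client-side `tls()` fragment the layout belongs to. Hostnames, the CRL URL, the directory names and the `demo.crl` file name are constructed for the demo; `ca-dir()`, `crl-dir()` and `peer-verify()` are real syslog-ng options, and it is assumed here that `crl-dir()` relies on the same by-hash directory lookup that `-CApath` exercises.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from syslog-ng.
# Builds a throwaway CA, issues and revokes a server certificate, publishes
# the CRL as step 2 describes (PEM file plus <issuer hash>.r0 link) and
# checks with `openssl verify -crl_check` that the revoked certificate is
# refused. Hostnames, URLs, paths and file names are constructed.
set -eu

WORK=""; CA=""; CADIR=""; CRLDIR=""

setup_ca() {
    WORK=$(mktemp -d); CA="$WORK/ca"; CADIR="$WORK/ca.d"; CRLDIR="$WORK/crl"
    mkdir -p "$CA" "$CADIR" "$CRLDIR"
    : > "$CA/index.txt"; echo 1000 > "$CA/serial"; echo 1000 > "$CA/crlnumber"
    # minimal config for `openssl req` and `openssl ca`; \$dir stays literal
    cat > "$CA/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:syslog.example.test
# step 1's distribution point; syslog-ng reads crl-dir() and does not
# fetch this URL, so a placeholder is enough
crlDistributionPoints = URI:http://crl.example.test/demo.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    openssl req -x509 -config "$CA/ca.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -subj "/CN=Demo Root CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
    # ca-dir() wants the CA under its <subject hash>.0 name, as crl-dir() wants .r0
    ln -s "$CA/ca.crt" "$CADIR/$(openssl x509 -noout -hash -in "$CA/ca.crt").0"
}

issue_server_cert() {
    openssl req -new -config "$CA/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=syslog.example.test" -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" >/dev/null 2>&1
    openssl ca -batch -config "$CA/ca.cnf" -extensions server_ext \
        -in "$WORK/server.csr" -out "$WORK/server.crt" >/dev/null 2>&1
}

revoke_server_cert() {
    openssl ca -batch -config "$CA/ca.cnf" -revoke "$WORK/server.crt" >/dev/null 2>&1
}

# Regenerate the CRL from the CA database and publish it into the crl dir:
# the PEM file plus the <issuer hash>.r0 link the by-hash lookup resolves.
publish_crl() {
    openssl ca -batch -config "$CA/ca.cnf" -gencrl -out "$CRLDIR/demo.crl" >/dev/null 2>&1
    ln -sf demo.crl "$CRLDIR/$(openssl crl -noout -hash -in "$CRLDIR/demo.crl").r0"
}

# Exit status 0 when the chain is accepted. -CApath is the hashed-directory
# lookup; the CLI takes a single -CApath, so the CA comes in via -CAfile.
verify_server_cert() {
    openssl verify -crl_check -CAfile "$CA/ca.crt" -CApath "$CRLDIR" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# The syslog-ng client destination this directory layout is meant for.
write_syslog_ng_fragment() {
    cat > "$WORK/syslog-ng-tls.conf" <<EOF
destination d_tls {
    network("syslog.example.test" port(6514) transport("tls")
        tls(ca-dir("$CADIR") crl-dir("$CRLDIR") peer-verify(required-trusted))
    );
};
EOF
}

run_demo() {
    setup_ca; issue_server_cert; write_syslog_ng_fragment
    publish_crl                        # empty CRL: certificate must still verify
    before=$(verify_server_cert && echo accepted || echo rejected)
    revoke_server_cert; publish_crl    # CRL now lists the serial: must be refused
    after=$(verify_server_cert && echo accepted || echo rejected)
    echo "before-revocation=$before after-revocation=$after"
}

run_demo
```

If `run_demo` reports `after-revocation=accepted`, the CRL, its `.r0` link or the hash style is the problem and syslog-ng would not see the revocation either; if it reports `rejected`, the material is sound and the remaining difference lies in the syslog-ng configuration (for instance whether `crl-dir()` points at the directory holding the link and whether `peer-verify()` requires a trusted peer). Note that the `.r0` link must carry the hash of the CRL issuer, which `openssl crl -hash` prints, and that it has to be recreated whenever the CRL is issued by a different CA.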