Hi David,

The trusted-dn() option is used for an additional verification step to reject clients/servers that provide a cert whose *subject* field does not match any of the patterns set in trusted-dn().

Unfortunately, I think that the first sentence in the documentation is a bit misleading:

  Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.

If I understand correctly, what you would like to achieve is defined in https://www.ietf.org/rfc/rfc5246.txt -> 7.4.4. Certificate Request:

  certificate_authorities
    A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space. If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.

This is not implemented in syslog-ng yet, but it could be done easily with SSL_set_client_CA_list() <https://www.openssl.org/docs/man3.0/man3/SSL_get0_CA_list.html>:

  SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

Could you kindly confirm that this is what you are looking for?

Cheers,
Attila

On Wed, Mar 29, 2023 at 8:42 PM David Hauck <davidh@netacquire.com> wrote:
Hi,
I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that clients can properly condition their supplied client certificates.
I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):
    TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 58
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 54
            Certificate types count: 3
            Certificate types (3 types)
            Signature Hash Algorithms Length: 46
            Signature Hash Algorithms (23 algorithms)
            Distinguished Names Length: 0    <----- always '0'
In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.
Here's the syslog-ng.conf entry for these sources:
    source s_515_tls {
        network(
            transport(tls)
            port(515)
            ip-protocol(6)
            tls(
                ca-dir("/etc/ssl/certs")
                key-file("/root/naservers.key")
                cert-file("/root/naservers.cer")
                peer-verify(required-trusted)
                trusted-dn("CN=*.netacquire.com")
            )
        );
    };
I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected, switching to 'peer-verify(required-untrusted)' results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging.
I figure I must be missing something obvious ;). Any ideas?
Here's my syslog-ng version info:
    [logdest:~]# syslog-ng --version
    syslog-ng 3 (3.31.2)
    Config version: 3.29
    Installer-Version: 3.31.2
    Revision:
    Compile-Date: Nov 9 2021 12:52:59
    Module-Directory: /usr/lib/syslog-ng
    Module-Path: /usr/lib/syslog-ng
    Include-Path: /usr/share/syslog-ng/include
    Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: on
    Enable-Linux-Caps: on
    Enable-Systemd: off
Thanks, -David
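Added example, not part of the original thread and not syslog-ng or OpenSSL code: a parser for the TLS 1.2 CertificateRequest body (RFC 5246, 7.4.4) that shows where the certificate_authorities list sits and what "Distinguished Names Length: 0" means on the wire. The sample bytes are constructed to match the field sizes in the capture above (3 certificate types, 23 signature algorithms, handshake length 54); the certificate type values, the placeholder algorithm pairs and the "CN=Example CA" name are assumptions.

```python
import struct

def parse_certificate_request(body: bytes) -> dict:
    """Parse the body of a TLS 1.2 CertificateRequest (RFC 5246, 7.4.4)."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated CertificateRequest")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    cert_types = list(take(take(1)[0]))
    sig_algs = take(struct.unpack("!H", take(2))[0])
    if len(sig_algs) % 2:
        raise ValueError("odd signature algorithm length")
    dn_length = struct.unpack("!H", take(2))[0]
    dn_block = take(dn_length)
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")

    # Each entry is a 2-byte length followed by one DER-encoded Name.
    names, i = [], 0
    while i < dn_length:
        if i + 2 > dn_length:
            raise ValueError("truncated DN entry")
        (n,) = struct.unpack_from("!H", dn_block, i)
        if i + 2 + n > dn_length:
            raise ValueError("truncated DN entry")
        names.append(dn_block[i + 2:i + 2 + n])
        i += 2 + n
    return {"cert_types": cert_types, "sig_alg_count": len(sig_algs) // 2,
            "dn_length": dn_length, "ca_names": names}

# Constructed DER Name for "CN=Example CA" (hypothetical CA, not from the thread).
SAMPLE_DN = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"

def build_sample(ca_names) -> bytes:
    """Build a constructed CertificateRequest body shaped like the capture."""
    cert_types = bytes([1, 2, 64])   # rsa_sign, dss_sign, ecdsa_sign (assumed)
    sig_algs = bytes(range(46))      # 23 placeholder (hash, signature) pairs
    dns = b"".join(struct.pack("!H", len(d)) + d for d in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(dns)) + dns)

if __name__ == "__main__":
    for label, names in (("empty list", []), ("one CA name", [SAMPLE_DN])):
        print(label, parse_certificate_request(build_sample(names)))
```

With an empty list the body is 54 bytes, matching the capture; a server that advertises one CA name adds a 2-byte entry length plus the DER-encoded name to that field.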