Hello,

Have you tried starting syslog-ng in foreground mode with verbose output (-Fdve)? In that case, after the first message you can check the SSL error message produced during the authentication. It could show you the problem with the certificates.

Br,
Laci

On 6 March 2015 at 01:27, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
I am trying to get mutual authentication working between a syslog-ng
server and an Rsyslog client, using startssl.com issued certificates.
The client does properly authenticate the server, but syslog-ng does not
recognize the client as trusted.

Server info:
------------

# cat /etc/redhat-release
CentOS release 6.6 (Final)

# /usr/local/syslog-ng/sbin/syslog-ng --version
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision:
ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Aug 18 2013 22:16:35
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

source s_network_secure {
        tcp(flags(no-multi-line) ip(0.0.0.0) port(6514)
        tls( key-file("/usr/local/syslog-ng/etc/cert.d/cert.key")
        cert-file("/usr/local/syslog-ng/etc/cert.d/cert.pem")
        ca_dir("/usr/local/syslog-ng/etc/cert.d")
        peer_verify(required-untrusted)) );
};

And of course this is defined in a log statement.

Here is the directory. Note that the symbolic link of the hash has been
created.

# ll /usr/local/syslog-ng/etc/cert.d/
total 204
lrwxrwxrwx. 1 root root     13 Mar  3 13:51 876f1e28.0 -> ca-bundle.pem
-rw-r--r--. 1 root root 195587 Mar  3 13:08 ca-bundle.pem
-r--------. 1 root root   1679 Feb 28 11:21 cert.key
-r--------. 1 root root   2260 Feb 28 11:50 cert.pem
-rw-r--r--. 1 root root   2281 Mar  3 13:58 client.key

required-untrusted works, but required-trusted doesn't. So I figured
maybe it was an SSL issue with the authority, but it seems to validate OK.

# openssl verify -CAfile 876f1e28.0 -verbose client.key
client.key: OK

Client info:
------------

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

# rsyslogd -v
rsyslogd 7.4.4, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      No
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes

See http://www.rsyslog.com for more information.

I suppose there's no additional client info needed since I know it is
presenting the certificate--the issue seems to be that the syslog-ng
server simply doesn't trust it.

All suggestions appreciated.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
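The thread above revolves around a ca_dir that holds a single hash symlink pointing at a whole CA bundle. OpenSSL's by-directory lookup (which syslog-ng's ca_dir uses) opens files named <subject_hash>.N, where the hash is that of the issuer it is currently looking for, so a client certificate issued by an intermediate CA needs a hash file for the intermediate as well as for the root. The script below is an added example, not code from the thread or from the syslog-ng project: it walks a peer certificate's issuer chain through a CA directory exactly the way that lookup does and reports the first issuer that has no hash file. It assumes the openssl command-line tool is installed and, as a simplification, reads only the first certificate of any bundle file it opens.

```shell
#!/bin/sh
# Added example (not from the thread). Emulate OpenSSL's hash-directory lookup
# for a peer certificate: starting from the leaf, look for <issuer_hash>.N in the
# CA directory, then repeat for that file until a self-signed root is reached.
# Assumes the openssl CLI is installed; both paths are parameters.
# Simplification: a bundle file is read as its first certificate only.

# Print the subject or issuer name of the certificate in $1 without the
# "subject=" / "issuer=" prefix (works with old and new openssl output styles).
name_of() {
    openssl x509 -noout "-$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# Print the OpenSSL subject hash of the issuer of the certificate in $1.
issuer_hash() {
    openssl x509 -noout -issuer_hash -in "$1"
}

# Return 0 if the certificate in $1 is self-signed (issuer name == subject name).
is_self_signed() {
    [ "$(name_of "$1" subject)" = "$(name_of "$1" issuer)" ]
}

# walk_chain <peer-cert.pem> <ca_dir>
# Prints one line per hop. Returns 0 when a self-signed root is reached and 1
# when some hop's issuer has no <hash>.N file in ca_dir, which is the condition
# that makes a "trusted" peer verification fail even though the peer presents
# a perfectly valid certificate.
walk_chain() {
    cert="$1"; cadir="$2"; hops=0
    while ! is_self_signed "$cert"; do
        hash=$(issuer_hash "$cert")
        next=""
        for f in "$cadir/$hash".[0-9]*; do
            [ -f "$f" ] && { next="$f"; break; }
        done
        if [ -z "$next" ]; then
            echo "MISSING $hash.N  (issuer of: $(name_of "$cert" subject))"
            return 1
        fi
        echo "FOUND   $hash -> $(basename "$next")"
        cert="$next"
        hops=$((hops + 1))
        if [ "$hops" -ge 10 ]; then
            echo "chain longer than 10 hops, giving up"
            return 1
        fi
    done
    echo "ROOT    $(name_of "$cert" subject)"
    return 0
}

# Usage: ./check-ca-dir.sh /path/to/client-cert.pem /usr/local/syslog-ng/etc/cert.d
if [ "$#" -eq 2 ]; then
    walk_chain "$1" "$2"
fi
```

Run it against the certificate the client presents and the server's ca_dir; a MISSING line names the hash file that `openssl x509 -noout -subject_hash -in <issuer-cert>` would tell you to create (as a symlink to that single issuer certificate, one per CA, rather than one link to the whole bundle).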