On 01/06/2011 03:05 PM, SZALAY Attila wrote:
Hi!
On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/
This setup works: the server is getting the client's logs, encrypted on the wire.
When I replace peer_verify(optional-untrusted) by peer_verify(required-trusted), in order to get mutual authentication, I get this error:
syslog-ng does not read all files from the CA dir. It searches for CA certificates by the hash value of the subject. So you should rename the CA files (or create a symlink to them) to the mentioned hash value. (And the extension should be .0)
The hash value can be calculated with the openssl x509 -in <filename> -noout -hash command.
Or you can create the symbolic link(s) with the c_rehash command if it is available (this command is part of openssl).
Thanks for your quick reply, I tried this already, and just tried again. To be sure I linked in /etc/syslog-ng/certs/CA/ and in /etc/ssl/certs/:

  openssl x509 -in /etc/syslog-ng/certs/CA/ca.crt -noout -hash
  8fa7a206
  ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/syslog-ng/certs/CA/8fa7a206.0
  ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/ssl/certs/8fa7a206.0
  /etc/init.d/syslog-ng restart
  Stopping system logging: syslog-ng.
  Starting system logging: syslog-ng.

On both client and server. Now I get:

  Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection established; fd='9', server='AF_INET(192.168.0.42:4242)', local='AF_INET(0.0.0.0:0)'
  Jan 6 15:11:51 client syslog-ng[11528]: Certificate validation failed; subject='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', issuer='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', error='self signed certificate in certificate chain', depth='1'
  Jan 6 15:11:51 client syslog-ng[11528]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
  Jan 6 15:11:51 client syslog-ng[11528]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'
  Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection broken; fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'

My question: How can I use a self-signed CA?

--
Fabien Bagard
IT Department
tel + 33 (0)1 48 03 60 40

Parrot SA
174, Quai de Jemmapes | 75010 Paris - France
tel + 33 (0)1 48 03 60 60 | fax + 33 (0)1 48 03 70 08
http://www.parrot.com
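Added example (not code from this thread or from the syslog-ng project): a small POSIX shell script that does by hand what Attila describes above, naming each CA file as <subject-hash>.<n> the way c_rehash does, and then checks a peer certificate against that directory with openssl verify -CApath before syslog-ng is restarted. The directory and file names are placeholders; the script assumes the openssl CLI is on the PATH.

```shell
#!/bin/sh
# Added example: build an OpenSSL-style hashed CA directory by hand and
# verify a certificate against it. Not from the thread or from syslog-ng;
# assumes the openssl CLI is available, and all paths are placeholders.
set -eu

# Print the subject hash that OpenSSL (and so syslog-ng's ca_dir()) uses
# to look a CA certificate up in a directory.
ca_hash() {
    openssl x509 -in "$1" -noout -hash
}

# For every PEM certificate in directory $1, create a <hash>.<n> symlink.
# <n> starts at 0 and is incremented only when a different CA already
# occupies that name (two subjects can share a hash), so the function is
# safe to run repeatedly.
rehash_ca_dir() {
    dir="$1"
    for crt in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$crt" ] || continue
        h=$(ca_hash "$crt")
        n=0
        while [ -e "$dir/$h.$n" ]; do
            # Already linked to this very file: nothing to do.
            if [ "$(readlink "$dir/$h.$n")" = "$(basename "$crt")" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        ln -s "$(basename "$crt")" "$dir/$h.$n"
    done
}

# Exit status 0 if certificate $2 chains to a CA found through the hashed
# directory $1, using the same <hash>.<n> lookup a TLS peer will perform.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Running openssl verify -CApath against the exact directory given to ca_dir() isolates the trust-store question from the rest of the TLS configuration: if the command cannot find the issuer there, neither will syslog-ng. One caveat worth knowing: OpenSSL 1.0.0 changed the subject-hash algorithm, so a CA directory prepared on one OpenSSL version may not be usable from another; openssl x509 -subject_hash_old prints the pre-1.0 value, and c_rehash creates links under both names.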