I’ve configured syslog-ng 3.35.1 to use CRLs but things aren’t working as expected. This is what I’ve done:

  1. Create a self-signed CA and use it to sign a server certificate. The server certificate has a CRL distribution point in it.

  2. Revoke the server certificate. Generate the revoked CRL and put it on the syslog client under /etc/syslog-ng/crl in PEM format. There’s a <issuer hash>.r0 link to the CRL in this directory.

  3. Configure ca-dir and crl-dir in the client’s syslog config. Configure the client to connect to the remote syslog server.

With this setup, I’d expect the syslog client to reject the server certificate since it’s revoked, but that doesn’t happen. The TLS handshake and subsequent communication are successful.

Is there anything that I’m missing? Any pointers will be appreciated. I can provide additional details of my setup if needed.

Thanks!

Shankar.
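The following script is an added example and is not part of the original post, of syslog-ng, or of its documentation. It reproduces the three steps described above with openssl alone (throwaway CA, server certificate with a CRL distribution point, revocation, CRL published as `<issuer hash>.r0` in a crl-dir style directory) and then runs OpenSSL's own verifier over the result with and without `-crl_check`. The CA name, the hostname `syslog.example.invalid`, the CRL URI and the temporary directory layout are all constructed for the example; it assumes a POSIX shell and an `openssl` binary from 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example (not from the original post or from syslog-ng): build the PKI
# the poster describes and check with openssl whether the CRL directory really
# causes the revoked server certificate to be rejected.
set -eu

build_demo_pki() {
    WORK=$(mktemp -d)
    CA_DIR="$WORK/ca-dir"     # stands in for syslog-ng's ca-dir()
    CRL_DIR="$WORK/crl-dir"   # stands in for syslog-ng's crl-dir()
    mkdir -p "$CA_DIR" "$CRL_DIR" "$WORK/newcerts"
    touch "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"

    # Minimal config for 'openssl req' and 'openssl ca'. The heredoc is
    # unquoted on purpose so the shell expands $WORK into absolute paths.
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:syslog.example.invalid
crlDistributionPoints = URI:http://crl.example.invalid/ca.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

    # Step 1: self-signed CA, then a server certificate carrying a CRL
    # distribution point, signed by that CA (constructed names throughout).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Demo Syslog CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/openssl.cnf" -subj "/CN=syslog.example.invalid" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/openssl.cnf" -extensions v3_server \
        -in "$WORK/server.csr" -out "$WORK/server.pem" 2>/dev/null

    # Step 2: revoke the server certificate and generate the CRL (PEM).
    openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/server.pem" 2>/dev/null
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null

    # Step 3: install both under their OpenSSL hash names. The CRL link must
    # use the *issuer* hash (openssl crl -hash), which is the same value as
    # the CA certificate's subject hash; a wrong hash means the CRL is never
    # found and revocation silently goes unchecked.
    cp "$WORK/ca.pem" "$CA_DIR/$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem").0"
    ln -s "$WORK/ca.crl" "$CRL_DIR/$(openssl crl -noout -hash -in "$WORK/ca.crl").r0"
}

# Chain validation only: succeeds, which is all a client ever sees when it
# builds the chain but never consults a CRL.
verify_chain_only() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Chain validation plus CRL lookup in the hash directory. Returns 0 only if
# openssl actually reports "certificate revoked" for the server certificate.
revocation_detected() {
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CApath "$CRL_DIR" \
          "$WORK/server.pem" 2>&1) && return 1
    case "$out" in *"certificate revoked"*) return 0 ;; *) return 1 ;; esac
}

build_demo_pki
if verify_chain_only; then
    echo "without CRL checking the revoked certificate validates (what the poster saw)"
fi
if revocation_detected; then
    echo "with -crl_check against $CRL_DIR openssl rejects it: certificate revoked"
else
    echo "CRL not applied: check the .r0 name and that the CRL is PEM"
fi
```

If `openssl verify -crl_check` rejects the certificate here but the syslog-ng client still completes the handshake, the certificate, CRL and hash-named files are not the problem and attention can move to the syslog-ng side (the ca-dir/crl-dir settings and the version in use). `openssl rehash` (or `c_rehash`) produces the same `<hash>.0` and `<hash>.r0` names the script creates by hand.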