On Thu, 2009-07-16 at 17:18 +0430, Mohsen Alimomeni wrote:
Hi everyone, I want to configure syslog-ng with TLS, but there are problems with the client connecting to the server. This is the error on the client side:

Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up; version='3.0.3'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection established; fd='7', server='AF_INET(192.168.13.39:1999)', local='AF_INET(0.0.0.0:0)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Certificate validation failed; subject='emailAddress=momeni@amnafzar.com, CN=momeni, ..to the end! ', error='invalid CA certificate', depth='1'
Jul 16 17:04:10 momeni syslog-ng[31084]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Jul 16 17:04:10 momeni syslog-ng[31084]: I/O error occurred while writing; fd='7', error='Broken pipe (32)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection broken; fd='7', server='AF_INET(192.168.13.39:1999)', time_reopen='60'

To make sure my certificates are valid I run two commands. On the server:

openssl s_server -CApath CA/ -CAfile CA/cacert.pem -cert Client/clientcert.pem -key Client/clientkey.pem -accept 8080
Does your CA certificate contain basicConstraints:CA==TRUE as an extension? If it doesn't, syslog-ng will not accept it. If you enable the "--debug" command line option you can see this debug message, for instance:

msg_debug("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);

syslog-ng also validates the DN of the certificate subject, e.g. the CN must contain the same name as you specify as a destination in the client config.
-- Bazsi
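As an added example (not code from the thread or from the syslog-ng project), two pre-flight checks for the conditions Bazsi lists: the CA certificate must carry basicConstraints CA:TRUE, and the peer certificate's subject CN must equal the host name configured in the client's destination(). Both functions read the text form of a certificate on stdin, assumed to come from `openssl x509 -noout -text`; the file names in the wrapper functions are illustrative.

```shell
#!/bin/sh
# Added example: check a certificate's text output (openssl x509 -noout -text)
# for the two properties syslog-ng 3.0 verifies before accepting a TLS peer.

# Return 0 if the X509v3 Basic Constraints extension says CA:TRUE, 1 otherwise
# (also 1 when the extension is missing entirely, which syslog-ng rejects too).
ca_has_basic_constraints() {
    awk '
        /X509v3 Basic Constraints/ {
            if ($0 ~ /CA:TRUE/) { found = 1; exit }   # value on the same line
            in_bc = 1; next                           # value on the next line
        }
        in_bc { found = ($0 ~ /CA:TRUE/); exit }
        END { if (found) exit 0; exit 1 }
    '
}

# Print the CN from the "Subject:" line (works for both "CN=x/email=y" and
# "CN = x, emailAddress = y" formatting of openssl).
cert_subject_cn() {
    sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if the subject CN equals the name used in the client's destination(),
# 1 otherwise. syslog-ng compares names, so an IP address used as the
# destination will not match a CN that holds a host name.
cn_matches_destination() {
    expected="$1"
    cn=$(cert_subject_cn)
    [ -n "$cn" ] && [ "$cn" = "$expected" ]
}

# Convenience wrappers on real files (paths are placeholders):
#   check_ca_file CA/cacert.pem
#   check_server_cert Server/servercert.pem logserver.example.com
check_ca_file() {
    openssl x509 -in "$1" -noout -text | ca_has_basic_constraints
}
check_server_cert() {
    openssl x509 -in "$1" -noout -text | cn_matches_destination "$2"
}
```

Running the CA check against the issuing certificate first separates Mohsen's `invalid CA certificate` at depth 1 from a CN mismatch on the leaf, which fails at depth 0.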