Hi,

I’m using syslog-ng OSE with encrypted message transport over TLS for a few weeks now. Now I am trying to activate the mutual authentication option. I have several issues with TLS mutual authentication; the logs show this error:

Jun  4 16:01:31 desktop syslog-ng[26644]: SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
Jun  4 16:01:31 desktop syslog-ng[26644]: I/O error occurred while reading; fd='14', error='Connection reset by peer (104)'
Jun  4 16:01:31 desktop syslog-ng[26644]: Syslog connection closed; fd='14', client='AF_INET(10.254.1.172:43751)', local='AF_INET(0.0.0.0:9999)'

Here are samples of the config files:

Server:

source s_net_tls {
    tcp(port(9999)
        tls(key_file("/etc/pfc/credentials/Server/server.key")
            cert_file("/etc/pfc/credentials/Server/server.pem")
            ca_dir("/etc/pfc/credentials/CA/")
            # peer_verify(optional-untrusted)
            peer_verify(required-trusted)
        )
    );
};

Client:

destination d_remote_server_tls {
    tcp("10.254.1.141" port(9999)
        tls(ca_dir("/etc/pfc/credentials/CA")
            key_file("/etc/pfc/credentials/Client/client.key")
            cert_file("/etc/pfc/credentials/Client/client.pem")
            peer_verify(required-trusted)
            # peer_verify(optional-untrusted)
        )
    );
};

Here is how I generated my CA certificate and the server and client certificates:

# CA key and self-signed CA certificate
openssl genrsa 1024 > CA/ca.key
openssl req -new -x509 -days 365 -key CA/ca.key -out CA/ca.cert
# ca.pem bundles the CA certificate together with the CA private key
cat CA/ca.cert CA/ca.key > CA/ca.pem

# client key, CSR and CA-signed certificate (serial 01)
openssl genrsa 1024 > Client/client.key
openssl req -new -key Client/client.key -out Client/client.csr
openssl x509 -req -days 365 -in Client/client.csr -CA CA/ca.cert -CAkey CA/ca.key -set_serial 01 -out Client/client.cert
cat Client/client.cert Client/client.key > Client/client.pem

# server key, CSR and CA-signed certificate; its serial must differ from the client's
openssl genrsa 1024 > Server/server.key
openssl req -new -key Server/server.key -out Server/server.csr
openssl x509 -req -days 365 -in Server/server.csr -CA CA/ca.cert -CAkey CA/ca.key -set_serial 02 -out Server/server.cert
cat Server/server.cert Server/server.key > Server/server.pem

Of course I created the hash link with

openssl x509 -noout -hash -in ca.pem

ln -s ca.pem XXXX

Can anyone help me, or give a step-by-step procedure that works? I also tried the procedure described in the “Syslog-ng admin guide”; it doesn’t work either.

Regards

Thomas

-------------------

Thomas Hahusseau

Apprentice engineer

EADS - DS / ENST Bretagne
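The certificate generation and ca_dir() preparation described in the post, as an added example that is not part of the original message or of the syslog-ng project: each leaf certificate gets its own serial, the CA certificate (without its private key) is linked under the hashed name OpenSSL looks up, and both leaf certificates are verified against the directory before syslog-ng is restarted. The directory layout and subject names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the original post or from syslog-ng itself.
# Builds a CA plus server and client certificates with distinct serials,
# populates a syslog-ng ca_dir() with the hashed symlink OpenSSL expects,
# and verifies both leaf certificates against that directory before the
# configuration is deployed. Directory layout and subject names are constructed.
set -e

make_pki() {  # $1 = work directory, gets CA/ Server/ Client/ subdirectories
  d="$1"; mkdir -p "$d/CA" "$d/Server" "$d/Client"
  # CA key and self-signed CA certificate stay in separate files; only the
  # certificate belongs in ca_dir(), never the key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Syslog CA" \
      -keyout "$d/CA/ca.key" -out "$d/CA/ca.cert" 2>/dev/null
  serial=1
  for side in Server Client; do
    lc=$(echo "$side" | tr 'A-Z' 'a-z')
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$lc.example.test" \
        -keyout "$d/$side/$lc.key" -out "$d/$side/$lc.csr" 2>/dev/null
    # Each certificate signed by one CA needs its own serial number.
    openssl x509 -req -days 365 -in "$d/$side/$lc.csr" -CA "$d/CA/ca.cert" \
        -CAkey "$d/CA/ca.key" -set_serial "$serial" -out "$d/$side/$lc.cert" 2>/dev/null
    serial=$((serial + 1))
  done
}

# ca_dir() is searched through OpenSSL's hashed-directory lookup, so the CA
# certificate must be reachable as <subject hash>.0, computed by the same
# OpenSSL build that syslog-ng links against.
rehash_ca_dir() {  # $1 = ca_dir path, $2 = CA certificate file; prints the link name
  h=$(openssl x509 -noout -subject_hash -in "$2")
  abs="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  ln -sf "$abs" "$1/$h.0"
  echo "$h.0"
}

# Check a leaf certificate the way the peer will: against the directory, not the file.
verify_against_ca_dir() {  # $1 = ca_dir path, $2 = leaf certificate; prints ok or FAIL
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

serial_of() { openssl x509 -noout -serial -in "$1"; }
```

If verify_against_ca_dir prints FAIL for a certificate that the peer presents, the "unknown ca" alert in the logs above is expected, so this check isolates the PKI setup from the syslog-ng configuration.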