Hi all,

I am currently setting up a remote logging facility for a customer who requires encryption and mutual authentication. After having run Syslog NG over Stunnel for several years, I am looking into the option to do the same without stunnel, by using Syslog NG with the TLS option. My current version is 3.2.2, installed from the binary provided on the Syslog NG web site, on CentOS 5.5.

My setup on the server side (stripped to the minimum):

    source s_remote {
        tcp(
            ip( 192.168.42.184 )
            port( 601 )
            tls(
                key_file("/opt/syslog-ng/etc/ssl/server_key.pem")
                cert_file("/opt/syslog-ng/etc/ssl/server_crt.pem")
                ca_dir( "/opt/syslog-ng/etc/ssl" )
                peer_verify( required-trusted )
            )
        );
    };

    destination d_remote {
        file( "/var/log/remote" owner(root) group(root) perm(0600) );
    };

    log { source(s_remote); destination(d_remote); };

On the client side:

    source s_local {
        internal();
        unix-stream( "/dev/log" );
        file( "/proc/kmsg" );
    };

    destination d_remote {
        tcp( "192.168.42.184"
            port( 601 )
            tls(
                key_file("/opt/syslog-ng/etc/ssl/client1_key.pem")
                cert_file("/opt/syslog-ng/etc/ssl/client1_crt.pem")
                ca_dir( "/opt/syslog-ng/etc/ssl" )
            )
        );
    };

    log { source(s_local); destination(d_remote); };

With the appropriate and valid client cert, it works perfectly:

    [root@server1 ssl]# openssl x509 -noout -text < client1_crt.pem
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=xxx, OU=Client 1/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
            Validity
                Not Before: Mar  8 15:53:24 2011 GMT
                Not After : Mar  7 15:53:24 2014 GMT
            Subject: C=xx, ST=xx, O=xx, OU=xx, CN=client1
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
    ...

However, I copied over the cert of another client machine to client1, reconfigured Syslog NG to use it, and it works as well, though IMHO it shouldn't:

    [root@server1 ssl]# openssl x509 -noout -text < client2_crt.pem
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 3 (0x3)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=xxx, OU=Client 2/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
            Validity
                Not Before: Mar  8 15:54:35 2011 GMT
                Not After : Mar  7 15:54:35 2014 GMT
            Subject: C=xx, ST=xxx, O=xxx, OU=Client 2, CN=client2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
    ...

Swapping certificates (client2's instead of server's in this case) on the server breaks trust (as expected):

    Mar  8 18:19:45 client1 syslog-ng[2991]: Syslog connection established; fd='10', server='AF_INET(192.168.42.184:601)', local='AF_INET(0.0.0.0:0)'
    Mar  8 18:20:13 client1 syslog-ng[2991]: Certificate subject does not match configured hostname; hostname='server', certificate='client2'
    Mar  8 18:20:13 client1 syslog-ng[2991]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Mar  8 18:20:13 client1 syslog-ng[2991]: I/O error occurred while writing; fd='10', error='Broken pipe (32)'

Doing the same on the client, however, does not. The Syslog NG server does not seem to validate the CN. Is this expected behaviour or a bug?

Best regards,
Peter.
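The check the post says the server side is not doing, written out as an added example (not from the post and not syslog-ng code): it parses the Subject line of `openssl x509 -noout -text` output and compares the CN with the name the server expects for that client, the same exact-match comparison the client-side log line above shows for the server certificate. The certificate texts are constructed to match the shape of the output quoted in the post; CA trust is assumed to have been checked already by `peer_verify(required-trusted)`.

```python
import re

# Constructed samples in the shape of the `openssl x509 -noout -text` output
# quoted above; only the Subject and Issuer lines matter for this check.
CLIENT1_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Issuer: O=xxx, OU=Client 1/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
        Subject: C=xx, ST=xx, O=xx, OU=xx, CN=client1
"""
CLIENT2_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3 (0x3)
        Issuer: O=xxx, OU=Client 2/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
        Subject: C=xx, ST=xxx, O=xxx, OU=Client 2, CN=client2
"""


def parse_name(text, field):
    """Return the attributes of the 'Subject:' or 'Issuer:' line as a dict.
    Old openssl joins some attributes with '/' (e.g. OU=.../emailAddress=...),
    newer versions use ', ' throughout, so both separators are accepted."""
    m = re.search(rf"^\s*{field}:\s*(.*)$", text, re.M)
    if m is None:
        return {}
    attrs = {}
    for part in re.split(r",\s*|/", m.group(1)):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def subject_cn(text):
    return parse_name(text, "Subject").get("CN")


def audit_peer(text, expected_name):
    """Return (accepted, reason). Exact, case-insensitive CN comparison against
    the name configured for this peer; the reason text mirrors the syslog-ng
    client-side message so it can be matched by the same log rules."""
    cn = subject_cn(text)
    if cn is None:
        return False, "certificate has no CN"
    if cn.lower() != expected_name.lower():
        return False, ("Certificate subject does not match configured hostname; "
                       f"hostname='{expected_name}', certificate='{cn}'")
    return True, f"certificate='{cn}' matches hostname='{expected_name}'"
```

Run over the certificate a connecting client actually presented, the second return value of `audit_peer` is the line worth writing to the server's own log when a CA-trusted certificate arrives under the wrong name.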