Hi,

"Matthew Pounsett" <matt@conundrum.com> wrote on 2018-09-18 at 10:24:

> I assumed that it would be as simple as using the example configs from the manual [0], and anywhere a CA cert is involved just pick the appropriate one: store their CA on my server, and my CA on "their" server (the test VM). That didn't work.
Well. You may have missed something, because this is a very simple scenario which should work, just like you wrote.
> I've backed down to trying to get this working using all certificates signed by my CA, but I can't seem to make that work either. The error timing I'm getting doesn't quite match similar errors I can see reported online.

Btw.: Is it a simple certificate signed by your CA, or is there an intermediate cert which is between your server's cert and your CA's cert? In that case, the .crt file for the server side should contain the intermediate certs and the server's cert as well, in the right order.

> Server config:
>
>   source tls_source {
>     network(ip(64.191.0.17) port(6514) transport("tls")
>       tls(
>         key-file("/etc/ssl/private/64.191.0.17.key")
>         cert-file("/etc/ssl/certs/64.191.0.17.crt")
>         ca-dir("/etc/ssl/certs")
>       )
>     );
>   };
This part seems okay.
> Client config:
>
>   destination d_tls {
>     network("64.191.0.17" port(6514) transport("tls")
>       tls(
>         ca-dir("/etc/ssl/certs")
>         key-file("/etc/ssl/private/216.235.10.40.key")
>         cert-file("/etc/ssl/certs/216.235.10.40.crt")
>       )
>     );
>   };
Just as this part.
> I have the CA cert stored as /etc/ssl/certs/server_ca.pem on both systems.

This might be the problem! SSL doesn't work like this! In your CA dir you have to give a specific name to the files, or at least point symlinks to them:

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...

> Any idea what's wrong here? And, should I be able to get this to work using different CAs for the client and server certs?

I think the file name in your ca-dir will be the problem.

Btw.: if you want to test tls settings separately from syslog-ng, then you can always use these two commands:

openssl s_client -connect host:port -key keyfile.key -cert certfile.crt -CApath /your/ca/dir

And to emulate the server side:

openssl s_server -accept port -key keyfile.key -cert certfile.crt -CApath /your/ca/dir

Cheers,
Gyu
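The ca-dir naming rule Gyu points at, as an added shell example that is not part of this thread: OpenSSL (and so syslog-ng's ca-dir()) only finds a CA in a directory under its subject-hash name `<hash>.N`, so a file dropped in as server_ca.pem is ignored. It assumes an `openssl` binary on PATH; the CA, the server certificate and the 192.0.2.10 name are all generated here for the demo.

```shell
#!/bin/sh
set -e

# Link a CA certificate into a ca-dir under the name OpenSSL's CApath lookup
# expects: the subject hash from `openssl x509 -hash`, plus .0, .1, ... to
# disambiguate CAs that share a hash. Prints the link it created.
install_ca() {
    ca_pem=$1; ca_dir=$2
    case $ca_pem in /*) ;; *) ca_pem=$PWD/$ca_pem ;; esac   # symlink target must be absolute
    hash=$(openssl x509 -in "$ca_pem" -noout -hash)
    n=0
    while [ -e "$ca_dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$ca_pem" "$ca_dir/$hash.$n"
    echo "$ca_dir/$hash.$n"
}

# Does OpenSSL build a chain for this cert using only the ca-dir? Exit status only.
verify_with_cadir() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed demo: the same CA, once under an arbitrary name, once hashed.
demo() {
    work=$(mktemp -d)
    mkdir "$work/cadir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
        -keyout "$work/ca.key" -out "$work/server_ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=192.0.2.10" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
    openssl x509 -req -in "$work/srv.csr" -CA "$work/server_ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 -out "$work/srv.crt" 2>/dev/null
    # 1) copied in as server_ca.pem: the lookup never opens it, verification fails
    cp "$work/server_ca.pem" "$work/cadir/server_ca.pem"
    verify_with_cadir "$work/srv.crt" "$work/cadir" && return 1
    # 2) hashed symlink added: the same CA is now found and the server cert verifies
    install_ca "$work/server_ca.pem" "$work/cadir" >/dev/null
    verify_with_cadir "$work/srv.crt" "$work/cadir"
}
```

`c_rehash /etc/ssl/certs` (or `openssl rehash`) does the same renaming for a whole directory, which is the usual way to fix a ca-dir in place.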