Thanks for the reply. I tried different configurations (mutual, simple, removing peer_verify) and compiled the last development snapshot; none of them worked well. Anyway, if at some point you solve the problem (or I do), please email me what you did. I would try stunnel, thanks for the solution. Regards,

On Thu, Jul 16, 2009 at 8:17 PM, fredzy padzy <fredzyy@gmail.com> wrote:
Already tried, and it works well.
But I just need one tool to make everything work.
Maybe other people have had this SSL trouble?
I wonder how they solved it.
2009/7/16 Charles Jennings <jennings.charles.e.security@gmail.com>
Not to knock syslog-ng TLS - I also had problems - so I turned to this solution: syslog-ng over stunnel:
http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp
Regards.
------------------------------
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of fredzy padzy
Sent: Thursday, July 16, 2009 10:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] problem configuring syslog-ng with TLS
Hi Mohsen
I'm having the same kind of problem with the simple authentication (i.e. not the mutual one).
The error is the same one (and sometimes turns into a "tlsv1 alert unknown ca"), and I think the syslog-ng client isn't able to read the cacert.pem file from the CA that signed the certificate sent by the syslog-ng server ... quite strange, moreover the rights and conf look good.
Anyway, I'm surprised by your client conf: Server config:
destination d_tlsserver { tcp("192.168.13.39" port(1999) tls(ca_dir("/opt/syslog-ng/certs") peer_verify(required-trusted) )); };
Did you try without this line?
Also check your client logs, I've got some "unable to get local issuer certificate" in my /var/adm/messages.
bye
2009/7/16 Mohsen Alimomeni <m.alimomeni@gmail.com>
Hi everyone, I want to configure syslog-ng with TLS, but there are problems with the client connecting to the server. This is the error on the client side:
{
Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up; version='3.0.3'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection established; fd='7', server='AF_INET(192.168.13.39:1999)', local='AF_INET(0.0.0.0:0)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Certificate validation failed; subject='emailAddress=momeni@amnafzar.com, CN=momeni, ..to the end! ', error='invalid CA certificate', depth='1'
Jul 16 17:04:10 momeni syslog-ng[31084]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Jul 16 17:04:10 momeni syslog-ng[31084]: I/O error occurred while writing; fd='7', error='Broken pipe (32)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection broken; fd='7', server='AF_INET(192.168.13.39:1999)', time_reopen='60'
}
To make sure my certificates are valid I ran two commands.
On the server: openssl s_server -CApath CA/ -CAfile CA/cacert.pem -cert Client/clientcert.pem -key Client/clientkey.pem -accept 8080
On the client: openssl s_client -connect 192.168.13.39:8080
The result on the client is the server certificate, and the last line is: { Verify return code: 19 (self signed certificate in certificate chain) }
The client and server are both syslog-ng 3.0.2 (and 3.0.3) on Ubuntu. These are the steps I used to configure the client and server:
I used the script CA.sh to generate X.509 certificates.
I created a CA cert with the command: CA.sh -newca (this created the CA files: cacert.pem, ...)
created a request: CA.sh -newreq
renamed the files created to syslog_cert.pem and syslog_key.pem
signed it with the CA: CA.sh -sign
Then I copied the cacert.pem file to the client and created its hash as explained in the syslog-ng documentation.
Configuration files:
Client config:
destination d_tlsserver { tcp("192.168.13.39" port(1999) tls(ca_dir("/opt/syslog-ng/certs") peer_verify(required-trusted) )); };
Server config:
source rezvani_tls { tcp(ip(0.0.0.0) port(1999) max-connections(300) tls(key_file("/opt/certs/newcerts/syslogs_key.pem") cert_file("/opt/certs/newcerts/syslogs_cert.pem") peer_verify(optional-untrusted) )); };
-- __ \ /_\\_-//_ Mohsen Alimomeni
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
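As an added example (not code from the thread or from the syslog-ng project), the following shell script rebuilds the two verification errors discussed above with a throwaway CA and checks a ca_dir() the way OpenSSL, and therefore syslog-ng, will use it: a CA certificate copied into the directory without its hash link produces "unable to get local issuer certificate", and a signing certificate that is not marked CA:TRUE produces "invalid CA certificate" at depth 1. It assumes only the openssl command-line tool; every certificate subject, file name and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two verification errors
# seen above ("unable to get local issuer certificate" and "invalid CA
# certificate" at depth 1) against a throwaway CA, and check a ca_dir() the
# way OpenSSL, and therefore syslog-ng, will use it. Needs the openssl CLI.
# Every certificate, name and path below is constructed for the demo.

# Build a hashed CA directory as syslog-ng's ca_dir() expects it:
# each CA certificate must be reachable as <subject-hash>.0.
make_ca_dir() {          # $1 = target dir, remaining args = CA certificate files
    cadir=$1; shift
    mkdir -p "$cadir"
    for ca in "$@"; do
        h=$(openssl x509 -noout -hash -in "$ca")
        cp "$ca" "$cadir/$h.0"
    done
}

# Verify a certificate against a ca_dir the way a TLS client does (hashed
# lookup only). Returns 0 only when OpenSSL reports "OK"; prints its reason.
verify_against() {       # $1 = ca_dir, $2 = certificate to check
    out=$(openssl verify -CApath "$1" "$2" 2>&1 || true)
    printf '%s\n' "$out" | sed 's/^/  verify: /'
    printf '%s\n' "$out" | grep -q ': OK$'
}

# Static checks on a ca_dir: every file must parse as a certificate, be
# reachable under its subject hash, and carry basicConstraints CA:TRUE.
# (A v1 root without any extensions would also be accepted by OpenSSL, but
# flagging it here is the conservative choice.)
diagnose_ca_dir() {      # $1 = ca_dir; returns 0 only if nothing is wrong
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! openssl x509 -noout -in "$f" 2>/dev/null; then
            echo "  $f: not a PEM certificate"; rc=1; continue
        fi
        h=$(openssl x509 -noout -hash -in "$f")
        [ -e "$1/$h.0" ] || { echo "  $f: no hash link $h.0 (link or rehash it)"; rc=1; }
        openssl x509 -noout -text -in "$f" | grep -q 'CA:TRUE' \
            || { echo "  $f: basicConstraints is not CA:TRUE"; rc=1; }
    done
    return $rc
}

# Throwaway PKI: one proper CA, one "CA" that is really an end-entity
# certificate (CA:FALSE), a leaf signed by each, and three ca_dir variants.
make_testbed() {         # $1 = scratch directory
    d=$1; mkdir -p "$d"
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_notca]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
EOF
    for spec in good:v3_ca bad:v3_notca; do
        n=${spec%%:*}; ext=${spec#*:}
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$n-ca" \
            -config "$d/x.cnf" -extensions "$ext" \
            -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=logserver-$n" \
            -config "$d/x.cnf" -keyout "$d/leaf-$n.key" -out "$d/leaf-$n.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/leaf-$n.csr" -CA "$d/$n-ca.pem" \
            -CAkey "$d/$n-ca.key" -CAcreateserial -out "$d/leaf-$n.pem" 2>/dev/null
    done
    make_ca_dir "$d/cadir_good" "$d/good-ca.pem"
    make_ca_dir "$d/cadir_bad" "$d/bad-ca.pem"
    mkdir -p "$d/cadir_unhashed"             # cacert.pem copied but never hashed
    cp "$d/good-ca.pem" "$d/cadir_unhashed/cacert.pem"
}

# Stand-alone run: the working setup next to the two failure modes.
SCRATCH=$(mktemp -d)
make_testbed "$SCRATCH"
for tc in good:leaf-good unhashed:leaf-good bad:leaf-bad; do
    echo "== ca_dir(\"$SCRATCH/cadir_${tc%%:*}\") =="
    diagnose_ca_dir "$SCRATCH/cadir_${tc%%:*}" && echo "  diagnose: looks fine"
    verify_against "$SCRATCH/cadir_${tc%%:*}" "$SCRATCH/${tc#*:}.pem" && echo "  chain: OK"
done
rm -rf "$SCRATCH"
```

On a real client, run diagnose_ca_dir against the directory named in ca_dir() and verify_against with the certificate the server actually sends (openssl s_client -showcerts prints it); that is the same OpenSSL check syslog-ng performs when peer_verify(required-trusted) is set. Note that s_client alone reports "Verify return code: 19" for any private CA unless it is told where that CA lives with -CAfile or -CApath, so that code by itself does not say whether the syslog-ng side is wrong.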