Hi all,

I am trying to set up a centralized syslog server, with encryption and authentication over TCP. Communication is OK, encryption too, but I can't get the authentication to work. Here is my actual configuration, reduced to what is needed:

_Client :_

    source s_src {
        unix-dgram("/dev/log");
        internal();
        file("/proc/kmsg" program_override("kernel"));
    };
    ...
    destination d_net {
        tcp("192.168.0.42" port(4242)
            tls(
                ca_dir("/etc/rsyslog.d/certs/CA/")
                cert_file("/etc/rsyslog.d/certs/client.crt")
                key_file("/etc/rsyslog.d/certs/client.key")
                peer_verify(optional-untrusted)
            )
            log_fifo_size(1000)
        );
    };
    ...
    log { source(s_src); destination(d_net); };

_Server :_

    source s_src {
        # Local logging
        unix-dgram("/dev/log");
        file("/proc/kmsg" program_override("kernel"));
        # Remote logging
        tcp(
            port(4242)
            tls(
                ca_dir("/etc/syslog-ng/certs/CA/")
                cert_file("/etc/syslog-ng/certs/server.crt")
                key_file("/etc/syslog-ng/certs/server.key")
                peer_verify(optional-untrusted)
            )
        );
    };

The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/

This setup works: the server is getting the client's logs, and they are encrypted on the wire.
When I replace /peer_verify(optional-untrusted)/ by /peer_verify(required-trusted)/, in order to get mutual authentication, I get this error:

    ==> /var/log/error <==
    Jan 6 14:42:09 client syslog-ng[11086]: Certificate validation failed; subject='emailAddress=email@address.com, CN=server.fqdn, OU=Org Unit, O=Company, L=City, ST=Crountry, C=ID', issuer='emailAddress=email@address.com, CN=Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', error='unable to get local issuer certificate', depth='0'
    Jan 6 14:42:09 client syslog-ng[11086]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Jan 6 14:42:09 client syslog-ng[11086]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'

    ==> /var/log/messages <==
    Jan 6 14:42:09 client syslog-ng[11086]: Syslog connection broken; fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'

But my certificates are good:

    openssl verify -CAfile /etc/syslog-ng/certs/CA/ca.crt -purpose any /etc/syslog-ng/certs/client.crt
    /etc/syslog-ng/certs/client.crt: OK

    openssl verify -CAfile /etc/syslog-ng/certs/CA/ca.crt -purpose any /etc/syslog-ng/certs/server.crt
    /etc/syslog-ng/certs/server.crt: OK

More information:

    root@[client|server]:~ # syslog-ng -V
    syslog-ng 3.1.3
    Installer-Version: 3.1.3
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
    Compile-Date: Nov 28 2010 12:29:35
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

Does someone have any clue about what's going wrong?
--
Fabien Bagard
IT Department
tel + 33 (0)1 48 03 60 40
--------------------------------------------------------------------------------
Parrot SA
174, Quai de Jemmapes | 75010 Paris - France
tel + 33 (0)1 48 03 60 60 | fax + 33 (0)1 48 03 70 08
http://www.parrot.com
--------------------------------------------------------------------------------
This e-mail message and any attached document(s) are for the sole use of the intended recipient(s) and may contain confidential and legally privileged information. Any unauthorized review, copy, use and/or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original.