Hi everyone,

I am currently implementing a central syslog server using syslog-ng and I have encountered some problems when configuring mutual TLS authentication. On the client machine I keep getting the following errors:

    Mar 18 12:54:22 machine syslog-ng[5432]: Syslog connection established; fd='9', server='AF_INET(xxx.113.161.23:514)', local='AF_INET(0.0.0.0:0)'
    Mar 18 12:54:22 machine syslog-ng[5432]: Certificate validation failed; subject='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', issuer='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', error='self signed certificate in certificate chain', depth='3'
    Mar 18 12:54:22 machine syslog-ng[5432]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Mar 18 12:54:22 machine syslog-ng[5432]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'
    Mar 18 12:54:22 machine syslog-ng[5432]: Syslog connection broken; fd='9', server='AF_INET(xxx.113.161.23:514)', time_reopen='60'

This is the exact same problem as in the following thread:
https://lists.balabit.hu/pipermail/syslog-ng/2011-January/015613.html

I have verified the functionality without TLS settings and everything works perfectly, so there is no problem on the way (firewall, etc.).

I studied the manual carefully and everything is as it is supposed to be:

CLIENT MACHINE
--------------

OS - Debian 6.0 Squeeze

SYSLOG-NG VERSION:

    client:# syslog-ng --version
    syslog-ng 3.1.3
    Installer-Version: 3.1.3
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
    Compile-Date: Feb 1 2011 19:36:27
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

DESTINATION CONFIGURATION FROM SYSLOG-NG.CONF:

    destination d_net {
        tcp("xxx.113.161.23" port(514)
            tls( key_file("/etc/ssl/private/client.company.cz-nopass.key")
                 cert_file("/etc/ssl/certs/client.company.cz.pem")
                 ca_dir("/etc/ssl/trusted_ca"))
        );
    };

CA HASH:

    client:# openssl x509 -in /etc/ssl/trusted_ca/tcs.pem -noout -hash
    9df51c42

CA CERTIFICATE DIRECTORY:

    client:# ll /etc/ssl/trusted_ca
    total 12
    lrwxrwxrwx 1 root root   27 Mar 18 12:30 9df51c42.0 -> /etc/ssl/trusted_ca/tcs.pem
    -rw-r--r-- 1 root root 1655 Mar 18 12:29 tcs.pem

VALIDATE CERTIFICATE AGAINST CA:

    client:# openssl verify -CAfile /etc/ssl/trusted_ca/9df51c42.0 -verbose /etc/ssl/certs/client.company.cz.pem
    /etc/ssl/certs/client.company.cz.pem: OK

SERVER MACHINE
--------------

OS - Debian 6.0 Squeeze

SYSLOG-NG VERSION:

    server:# syslog-ng --version
    syslog-ng 3.1.3
    Installer-Version: 3.1.3
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
    Compile-Date: Feb 1 2011 19:36:27
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

SOURCE CONFIGURATION FROM SYSLOG-NG.CONF:

    source s_net {
        tcp( ip(0.0.0.0)
             port(514)
             tls( key_file("/etc/ssl/private/server.company.cz-nopass.key")
                  cert_file("/etc/ssl/certs/server.company.cz.pem")
                  ca_dir("/etc/ssl/trusted_ca"))
        );
    };

CA HASH:

    server:# openssl x509 -in /etc/ssl/trusted_ca/tcs.pem -noout -hash
    9df51c42

CA CERTIFICATE DIRECTORY:

    server:# ll /etc/ssl/trusted_ca
    total 12
    lrwxrwxrwx 1 root root   27 Mar 18 12:30 9df51c42.0 -> /etc/ssl/trusted_ca/tcs.pem
    -rw-r--r-- 1 root root 1655 Mar 18 12:29 tcs.pem

VALIDATE CERTIFICATE AGAINST CA:

    server:# openssl verify -CAfile /etc/ssl/trusted_ca/9df51c42.0 -verbose /etc/ssl/certs/server.company.cz.pem
    /etc/ssl/certs/server.company.cz.pem: OK

Certificates for the CA are the same on both machines. I tried to put either the whole chain up to the root certificate, or the last certificate, but the error keeps appearing.

In the thread mentioned above the community member Bazsi suggested the following:

------
It's the whole point in certificate validation to use self-signed CA certificates. (after all, a centrally trusted CA is self-signed too).

Try validating that your directory is correct using "openssl verify", once that validates the cert, syslog-ng should too.

--
Bazsi
-------

What is meant by "validate the directory"? I do not understand that. As I said, I successfully validated both the client and server certificate against the CA certificate using the openssl command, but syslog-ng is still complaining.

Am I missing something? I will gladly provide more information, if needed.

Thank you for your time.

Regards,
Honza Mach
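The check Bazsi refers to, "validate the directory", is verification against the hashed CA directory itself (`openssl verify -CApath`) rather than against a single file with `-CAfile`, because that directory lookup is what OpenSSL performs for syslog-ng's `ca_dir()`. The following script is an added example and is not code from the post or from the syslog-ng project; it generates a throwaway root -> intermediate -> leaf hierarchy with made-up names, lays out a hashed directory the way `ca_dir()` expects, audits the hash links, and compares the verdict with and without the root in the directory. Everything it touches lives under a temporary directory; `openssl` on `PATH` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): exercises OpenSSL's hashed CA
# directory lookup, which is what syslog-ng's ca_dir() relies on.
set -eu

# Create a self-signed test root, an intermediate signed by it, and a leaf
# signed by the intermediate. All names are constructed for this example.
# Usage: make_test_pki DIR
make_test_pki() {
  d=$1
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=client.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Lay out a hashed CA directory: every certificate is reachable through a
# symlink named <subject-hash>.N, exactly the layout the post shows for
# 9df51c42.0 -> tcs.pem. The hash comes from the same openssl that will verify.
# Usage: make_ca_dir DIR CERT...
make_ca_dir() {
  dir=$1; shift
  rm -rf "$dir"; mkdir -p "$dir"
  for pem in "$@"; do
    cp "$pem" "$dir/"
    h=$(openssl x509 -in "$pem" -noout -hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$dir/$h.$n"
  done
}

# Audit a hashed CA directory: each <hash>.N entry must point at a readable
# certificate whose subject hash, as computed by this openssl, matches its name.
# A mismatch usually means the links were generated by a different OpenSSL
# release (0.9.8 and 1.0.0+ hash subjects differently). Returns 1 on any error.
# Usage: check_ca_dir DIR
check_ca_dir() {
  dir=$1; rc=0
  for link in "$dir"/*.[0-9]*; do
    [ -e "$link" ] || continue
    want=${link##*/}; want=${want%%.*}
    got=$(openssl x509 -in "$link" -noout -hash 2>/dev/null) || got=unreadable
    if [ "$want" != "$got" ]; then
      echo "BAD  $link (name says $want, certificate hashes to $got)"; rc=1
    else
      echo "ok   $link"
    fi
  done
  return $rc
}

# Verify LEAF against the hashed directory. An optional CHAIN file is passed as
# untrusted, which is how a TLS peer's presented chain is treated. Prints
# OpenSSL's verdict; returns 0 only when it reports OK.
# Usage: verify_against_dir CADIR LEAF [CHAIN]
verify_against_dir() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CApath "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
  fi
  printf '%s\n' "$out"
  case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Walk through both situations: directory without the root, then with it.
demo() {
  work=$(mktemp -d)
  make_test_pki "$work/pki"
  cat "$work/pki/int.pem" "$work/pki/root.pem" > "$work/pki/chain.pem"

  echo "== directory holding only the intermediate =="
  make_ca_dir "$work/ca_int_only" "$work/pki/int.pem"
  check_ca_dir "$work/ca_int_only"
  verify_against_dir "$work/ca_int_only" "$work/pki/leaf.pem" "$work/pki/chain.pem" \
    || echo "rejected: the chain does not end at a certificate in the directory"

  echo "== directory holding intermediate and root =="
  make_ca_dir "$work/ca_with_root" "$work/pki/int.pem" "$work/pki/root.pem"
  check_ca_dir "$work/ca_with_root"
  verify_against_dir "$work/ca_with_root" "$work/pki/leaf.pem" "$work/pki/chain.pem"
  rm -rf "$work"
}

case ${1:-} in demo) demo ;; esac
```

Run it as `sh ca_dir_check.sh demo`. Against a real deployment, `check_ca_dir /etc/ssl/trusted_ca` followed by `verify_against_dir /etc/ssl/trusted_ca <cert>` reproduces the lookup syslog-ng performs far more closely than `openssl verify -CAfile <one cert>`, since the latter neither consults the hashed links nor requires the chain to reach a trusted root.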