The client is an embedded device – rsyslog is running on it.

With a certificate created from here: http://www.selfsignedcertificate.com/ the TLS connection from device to syslog-ng works fine.

With a certificate created with INSTA-Server (not self signed) I see the mentioned problem.

Best regards
Klaus
____________________________________________
find my openPGP key here: https://keyserver.pgp.com/

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of ext Scheidler, Balázs
Sent: Thursday, June 25, 2015 7:46
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

The SSL alert is sent by the client, thus the client didn't accept the certificate of the server.

Can you paste that config as well?

On Jun 24, 2015 11:44 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <klaus.schulte@nokia.com> wrote:

Dear all,

I have these source settings for TLS:

    source s_tcp_tls {
        network(
            transport("tls")
            ip(10.46.130.65)
            port(6514)
            tls(
                peer-verify("optional-untrusted")
                key-file("/etc/syslog-ng/key.d/syslog-ng.key")
                cert-file("/etc/syslog-ng/cert.d/syslog-ng.cert")
            )
        );
    };

But when a client connects via TCP/TLS to the syslog-ng service, these messages show up in syslog-ng:

    syslog-ng starting up; version='3.5.6'
    Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
    SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
    I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
    Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
    Closing log transport fd; fd='12'

I don't know why syslog-ng is proving the CA?
As far as I know the configuration is a non-mutual authentication - so the CA shouldn't play a role in this - is this correct?

The client sends messages in RFC5424 format.

Any help is appreciated - I've no clue what's going wrong.

Best regards
Klaus
____________________________________________
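
The point made in the reply above (the alert was sent by the client, so it is the client that rejected the server's certificate) can be read directly from the log. The following is an added example, not code from the thread or from syslog-ng: a short Python triage script run over the log lines quoted above, embedded as a constructed sample. The function names and the pairing of a TLS error line with the fd on the next I/O error line are assumptions of this example.

```python
import re

# Constructed sample: the syslog-ng 3.5.6 lines quoted in the thread above.
SAMPLE_LOG = """\
Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
"""

ACCEPT = re.compile(r"Syslog connection accepted; fd='(\d+)', client='AF_INET\(([^)]+)\)'")
TLS_ERR = re.compile(r"SSL error while reading stream; tls_error='([^']*)'")
IO_ERR = re.compile(r"I/O error occurred while reading; fd='(\d+)'")
# OpenSSL words an alert *received from the peer* as "<proto> alert <description>".
PEER_ALERT = re.compile(r"(?:tlsv1\d*|sslv3) alert (.+)$")


def classify(tls_error):
    """Return (who_rejected, reason) for an OpenSSL error string."""
    m = PEER_ALERT.search(tls_error)
    if m:
        return ("peer", m.group(1))      # remote side refused our certificate
    if "certificate verify failed" in tls_error:
        return ("local", "certificate verify failed")  # we refused theirs
    return ("unknown", tls_error)


def triage(log_text):
    """Attribute each TLS error to the client whose fd fails right after it."""
    clients, pending, findings = {}, None, []
    for line in log_text.splitlines():
        if (m := ACCEPT.search(line)):
            clients[m.group(1)] = m.group(2)
        elif (m := TLS_ERR.search(line)):
            pending = classify(m.group(1))   # this log line carries no fd
        elif (m := IO_ERR.search(line)) and pending:
            who, reason = pending
            findings.append({"client": clients.get(m.group(1), "?"),
                             "rejected_by": who, "reason": reason})
            pending = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `rejected_by` value of `peer` with reason `unknown ca` points at the client's trust store: the CA that issued the server certificate has to be known to the client, regardless of the server's `peer-verify` setting.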