Hi,

Thank you very much for sharing your solution, I'll check if the docs need some update.

Regards,
Robert

On Thu, Mar 17, 2016 at 5:51 AM, Girish Kumar <girish.kumar@al-enterprise.com> wrote:

Thanks a lot Robert. The document is very good.

I followed all the steps except the certificate creation steps, since they were giving some error. Finally I was able to establish TLS communication with “required-trusted”.

I am sharing the steps used for creating the certificates:


mkdir CERT
cd CERT
mkdir CA client server

# CA: private key and self-signed CA certificate
cd CA
openssl genrsa -out caPrivate.key 4096
openssl req -new -x509 -days 1826 -key caPrivate.key -out caCert.pem

# server: key, CSR, certificate signed by the CA (server is a sibling of CA, so step up one level first)
cd ../server
openssl genrsa -out mySerPrivate.key 2048
openssl req -new -key mySerPrivate.key -out mySerReq.csr
openssl x509 -req -days 365 -in mySerReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 10 -out mySerCert.pem

# client: same procedure with a different serial number
cd ../client
openssl genrsa -out myCliPrivate.key 2048
openssl req -new -key myCliPrivate.key -out myCliReq.csr
openssl x509 -req -days 365 -in myCliReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 20 -out myCliCert.pem


Regards,

Girish

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fekete, Róbert
Sent: Wednesday, March 16, 2016 2:00 PM


To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] error='self signed certificate in certificate chain'

 

Hi, 

 

 

Regards, 

Robert

 

On Sun, Mar 13, 2016 at 8:39 AM, Girish Kumar <girish.kumar@al-enterprise.com> wrote:

Thanks Robert.

With required-untrusted, I am able to communicate with the syslog-ng server with TLS encryption.

I want to establish mutual authentication and need the required-trusted option.

Could you please let me know how to solve the following certificate issue with the required-trusted option?

Regards,

Girish

 

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fekete, Róbert
Sent: Friday, March 11, 2016 7:05 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] error='self signed certificate in certificate chain'

 

 

On Fri, Mar 11, 2016 at 2:28 PM, Girish Kumar <girish.kumar@al-enterprise.com> wrote:

Hi All,

I am getting the following error while starting syslog-ng with the TLS option. Could you please help me on this?

 

Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection established; fd='5', server='AF_INET(10.135.83.103:6514)', local='AF_INET(0.0.0.0:0)'

Mar 12 18:14:24 (none) syslog-ng[6136]: Certificate validation failed; subject='emailAddress=giri@gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', issuer='emailAddress=giri@gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', error='self signed certificate in certificate chain', depth='1'

Mar 12 18:14:24 (none) syslog-ng[6136]: SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'

Mar 12 18:14:24 (none) syslog-ng[6136]: I/O error occurred while writing; fd='5', error='Broken pipe (32)'

Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection broken; fd='5', server='AF_INET(10.135.83.103:6514)', time_reopen='60'

 

 

//server conf
source d_source {
    #syslog(ip("mysyslog.server.com") port(6514)
    syslog(ip("10.135.83.103") port(6514)
        transport("tls")
        tls( key_file("/etc/cert.d/mySerPrivate.key")
             cert_file("/etc/cert.d/mySerCert.pem")
             ca_dir("/etc/ca.d")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

//Client conf
destination d_destination {
    #syslog("mysyslog.server.com" port(6514)
    syslog("10.135.83.103" port(6514)
        transport("tls")
        tls( ca_dir("/etc/ca.d")
             key_file("/etc/cert.d/myCliPrivate.key")
             cert_file("/etc/cert.d/myCliCert.pem")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

 

Regards,

Girish
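Added example, not from the thread or from the syslog-ng project: it rebuilds the CA/server/client certificates from the steps posted above non-interactively, fills the ca_dir() with the CA under its subject-hash name (the c_rehash convention OpenSSL's -CApath lookup and syslog-ng rely on), and then checks both leaf certificates against that directory with openssl verify, which is the extra check that shows whether the "self signed certificate in certificate chain" error at depth='1' will come back. It assumes the openssl CLI is installed; subject names, serial numbers and the temporary directories are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuilds the CA/server/client layout of
# the steps above non-interactively and fills a ca_dir() the way syslog-ng and
# OpenSSL's -CApath look it up: a file named <subject-hash>.0 (what c_rehash
# does). A CA PEM copied into ca_dir() under any other name is never found,
# which OpenSSL reports as "self signed certificate in certificate chain" at
# depth='1'. Subject names, serials and the temp directory are constructed.
set -eu

# Issue one leaf cert (server or client) signed by the CA under $root/CA.
issue_leaf() {  # args: root dir prefix CN serial
    root=$1; dir=$2; p=$3; cn=$4; serial=$5
    mkdir -p "$root/$dir"
    openssl genrsa -out "$root/$dir/my${p}Private.key" 2048 2>/dev/null
    openssl req -new -key "$root/$dir/my${p}Private.key" -subj "/CN=$cn" \
        -out "$root/$dir/my${p}Req.csr"
    openssl x509 -req -days 365 -in "$root/$dir/my${p}Req.csr" \
        -CA "$root/CA/caCert.pem" -CAkey "$root/CA/caPrivate.key" \
        -set_serial "$serial" -out "$root/$dir/my${p}Cert.pem" 2>/dev/null
}

# Build CA + server + client under $1, plus $1/ca.d usable as ca_dir().
make_certs() {
    root=$1
    mkdir -p "$root/CA" "$root/ca.d"
    openssl genrsa -out "$root/CA/caPrivate.key" 4096 2>/dev/null
    openssl req -new -x509 -days 1826 -key "$root/CA/caPrivate.key" \
        -subj "/CN=Example syslog CA" -out "$root/CA/caCert.pem"
    issue_leaf "$root" server Ser syslog-server 10
    issue_leaf "$root" client Cli syslog-client 20
    # c_rehash equivalent: the trust dir must hold the CA under its subject hash.
    h=$(openssl x509 -hash -noout -in "$root/CA/caCert.pem")
    cp "$root/CA/caCert.pem" "$root/ca.d/$h.0"
}

# Check a cert against a ca_dir() the way the TLS peer does; 0 = chain OK.
verify_against_cadir() {  # args: cadir cert
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    w=$(mktemp -d)
    make_certs "$w"
    verify_against_cadir "$w/ca.d" "$w/server/mySerCert.pem" && echo "server cert: OK"
    verify_against_cadir "$w/ca.d" "$w/client/myCliCert.pem" && echo "client cert: OK"
    # An unhashed copy of the CA reproduces the thread's failure.
    mkdir -p "$w/unhashed"; cp "$w/CA/caCert.pem" "$w/unhashed/"
    verify_against_cadir "$w/unhashed" "$w/server/mySerCert.pem" || echo "unhashed ca_dir: FAIL"
fi
```

Point syslog-ng's ca_dir() at a directory built like ca.d above (or run c_rehash on /etc/ca.d); if openssl verify -CApath fails against that directory, the syslog-ng peer will fail the same way.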


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
