Mutual Authentication and Encryption With Rsyslog
I am trying to get mutual authentication working between a syslog-ng server and an Rsyslog client, using startssl.com issued certificates. The client does properly authenticate the server, but syslog-ng does not recognize the client as trusted.

Server info:
------------

# cat /etc/redhat-release
CentOS release 6.6 (Final)

# /usr/local/syslog-ng/sbin/syslog-ng --version
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Aug 18 2013 22:16:35
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

source s_network_secure {
    tcp(flags(no-multi-line)
        ip(0.0.0.0)
        port(6514)
        tls(
            key-file("/usr/local/syslog-ng/etc/cert.d/cert.key")
            cert-file("/usr/local/syslog-ng/etc/cert.d/cert.pem")
            ca_dir("/usr/local/syslog-ng/etc/cert.d")
            peer_verify(required-untrusted))
    );
};

And of course this is defined in a log statement.

Here is the directory. Note that the symbolic link of the hash has been created.

# ll /usr/local/syslog-ng/etc/cert.d/
total 204
lrwxrwxrwx. 1 root root     13 Mar  3 13:51 876f1e28.0 -> ca-bundle.pem
-rw-r--r--. 1 root root 195587 Mar  3 13:08 ca-bundle.pem
-r--------. 1 root root   1679 Feb 28 11:21 cert.key
-r--------. 1 root root   2260 Feb 28 11:50 cert.pem
-rw-r--r--. 1 root root   2281 Mar  3 13:58 client.key

required-untrusted works, but required-trusted doesn't. So I figured maybe it was an SSL issue with the authority, but it seems to validate OK.

# openssl verify -CAfile 876f1e28.0 -verbose client.key
client.key: OK

Client info:
------------

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

# rsyslogd -v
rsyslogd 7.4.4, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes

See http://www.rsyslog.com for more information.

I suppose there's no additional client info needed since I know it is presenting the certificate--the issue seems to be that the syslog-ng server simply doesn't trust it.

All suggestions appreciated.
Hello,

Have you tried starting syslog-ng in forward mode and verbose (-Fdve)? In that case, after the first message you can check the SSL error message during the authentication. It could show you the problem with the certificates.

Br,
Laci

On 6 March 2015 at 01:27, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On 03/05/2015 11:50 PM, Laci Mészáros wrote:
Thanks for the reply. I tried forward mode and I got these relevant messages:

Syslog connection accepted; fd='10', client='AF_INET(1.2.3.4:37464)', local='AF_INET(0.0.0.0:6514)'
Certificate validation failed; subject='emailAddress=address@example.com, CN=sub.example.com, C=US', issuer='CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL', error='unable to get local issuer certificate', depth='0'
SSL error while reading stream; tls_error='SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned'
I/O error occurred while reading; fd='10', error='Connection reset by peer (104)'
Syslog connection closed; fd='10', client='AF_INET(52.10.218.147:37464)', local='AF_INET(0.0.0.0:6514)'

I am using ca-bundle.pem from startssl.com and the signed certificate validates on both the client and server using openssl verify.
Hi Michael,

Sorry for the late answer. I'll try to reproduce the case and inform you about the result.

Br,
Laci

On 2015.03.08. 2:53, "Michael Starks" <syslog-ng-list@michaelstarks.com> wrote:
On 2015-03-05 18:27, Michael Starks wrote:
Well, after messing with the CA certificates and finally getting the right combo, I got a message that the cert wasn't valid for that particular purpose (client authentication). Further digging led me to the discovery that startssl.com does not offer client auth certs for their free class 1 certificates--a paid upgrade would be required. This project is not worth spending any money on so I'll just create my own CA and do it the old-fashioned way. Thanks for the help.
Hello,

unable to get local issuer certificate -> syslog-ng does not find a matching CA to check the cert.

"openssl verify -CAfile 876f1e28.0 -verbose client.key"

Instead execute:

openssl verify -CApath foocadir -verbose client.pem

//use CApath to see if openssl really finds the ca using the hash, and verify the certificate not the key.

On Mon, Mar 9, 2015 at 2:36 PM, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
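The two things this thread turned on, Zoltán's advice to verify with -CApath against the hashed directory (the certificate, not the key) and Michael's discovery that the issued cert was not valid for the client-authentication purpose, can both be reproduced offline with a throwaway CA. The POSIX shell script below is an added example; it is not code from the thread, from syslog-ng or from rsyslog, and every CA name, file name, directory name and function name in it is made up for the demo. It builds a root -> intermediate -> client chain, lays the CA directory out two ways (a single hash link for the whole bundle, as in the thread's listing, and one link per CA), and runs `openssl verify` with and without `-purpose sslclient`:

```shell
#!/bin/sh
# Added example (not from the thread, not syslog-ng or rsyslog code): build a
# throwaway root -> intermediate -> client PKI with openssl, lay out the CA
# directory two ways, and run the checks discussed in the thread. Every name,
# path and certificate here is constructed for the demo.
set -eu

# make_pki <dir> <eku>: root CA, intermediate CA and a client cert under <dir>.
# <eku> is the extendedKeyUsage put on the client cert (clientAuth or serverAuth).
make_pki() {
  dir=$1; eku=$2
  mkdir -p "$dir"
  # self-signed root; `req -x509` marks it CA:TRUE via the default extensions
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # intermediate CA signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/int.cnf"
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/int.cnf" -out "$dir/int.pem" >/dev/null 2>&1
  # client cert signed by the intermediate, carrying only the requested EKU
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.com" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/client.cnf"
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/client.cnf" -out "$dir/client.pem" >/dev/null 2>&1
  # the kind of ca-bundle.pem a public CA hands out: intermediate, then root
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/ca-bundle.pem"
}

# hash_link <cadir> <cert.pem> <target>: create the <subject_hash>.0 entry that
# OpenSSL's hashed-directory lookup (syslog-ng ca_dir(), openssl -CApath) opens.
hash_link() {
  ln -sf "$3" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

# layout_one_link <dir>: the thread's layout, a single link (named after one CA,
# here the root) pointing at the whole bundle.
layout_one_link() {
  mkdir -p "$1/cadir-one-link"
  cp "$1/ca-bundle.pem" "$1/cadir-one-link/"
  hash_link "$1/cadir-one-link" "$1/root.pem" ca-bundle.pem
}

# layout_rehashed <dir>: one file and one hash link per CA, which is what
# c_rehash or `openssl rehash` would produce from the same bundle.
layout_rehashed() {
  mkdir -p "$1/cadir-rehashed"
  cp "$1/root.pem" "$1/int.pem" "$1/cadir-rehashed/"
  hash_link "$1/cadir-rehashed" "$1/root.pem" root.pem
  hash_link "$1/cadir-rehashed" "$1/int.pem" int.pem
}

# verify_chain <cadir> <cert.pem>: Zoltán's check, -CApath and the certificate.
verify_chain() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# verify_client_purpose <cadir> <cert.pem>: same chain check plus the TLS client
# purpose, which rejects a cert whose EKU lacks clientAuth (Michael's finding).
verify_client_purpose() {
  openssl verify -CApath "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# report <label> <command...>: print PASS/FAIL without aborting on FAIL
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  w=$(mktemp -d)
  make_pki "$w/good" clientAuth
  make_pki "$w/srv" serverAuth
  layout_one_link "$w/good"; layout_rehashed "$w/good"; layout_rehashed "$w/srv"
  report "one link for the whole bundle (expect FAIL)" \
    verify_chain "$w/good/cadir-one-link" "$w/good/client.pem"
  report "one link per CA" verify_chain "$w/good/cadir-rehashed" "$w/good/client.pem"
  report "clientAuth cert, -purpose sslclient" \
    verify_client_purpose "$w/good/cadir-rehashed" "$w/good/client.pem"
  report "serverAuth-only cert, chain ok" \
    verify_chain "$w/srv/cadir-rehashed" "$w/srv/client.pem"
  report "serverAuth-only cert, -purpose sslclient (expect FAIL)" \
    verify_client_purpose "$w/srv/cadir-rehashed" "$w/srv/client.pem"
  rm -rf "$w"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it with `sh demo.sh run`. The one-link layout fails the same way the thread's server did: the hashed-directory lookup opens only the file named `<subject_hash>.N` for the issuer it is currently searching for, so a link named after one CA does not make the other certificates in that bundle findable, and the search for the intermediate ends in "unable to get local issuer certificate". Each CA in the chain needs its own hash entry, and `c_rehash` or `openssl rehash` will create them from the split files. The `-purpose sslclient` run is the check to add before deploying a purchased or public-CA certificate for mutual authentication: the chain can be perfectly valid while the extendedKeyUsage still makes the certificate unusable as a TLS client certificate.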