[Bug 239] New: syslog-ng refuses to allow 'Common Name' CN wildcards
https://bugzilla.balabit.com/show_bug.cgi?id=239

           Summary: syslog-ng refuses to allow 'Common Name' CN wildcards
           Product: syslog-ng
           Version: 3.3.x
          Platform: PC
        OS/Version: Windows
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: shawn.starr@statpro.com
Type of the Report: bug
   Estimated Hours: 0.0


Distribution package version: 3.3.4.dfsg-2ubuntu1 (3.3.4)

When attempting to use the following configuration:

    source system_stuff { system(); };

    destination dest_kern {
        tcp("192.168.70.4" port(514)
            tls(
                #peer-verify(optional-untrusted)
                peer-verify(required-trusted)
                cipher_suite("AES256-SHA")
                trusted_dn("*, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA")
                cert_file("/etc/syslog-ng/certs/genericServer.crt")
                ca_dir("/etc/syslog-ng/ca"))
        );
    };

    log { source(system_stuff); destination(dest_kern); };

Jul  9 12:20:01 testad syslog-ng[12607]: Certificate subject does not match configured hostname; hostname='192.168.70.4', certificate='*.dev.company.com'

When trying to use

    trusted_dn("CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA")

it then shows:

Jul  9 11:21:20 testad syslog-ng[12473]: Certificate valid, but DN constraints were not met, rejecting;

If I read this right, CN is provided (as per default CA policy), but we should be able to match hosts to the wildcard. Similar to what rsyslog has:

http://www.rsyslog.com/doc/tls_cert_server.html

I don't know if this also happens in 3.5.x, but I can test this on my Fedora systems at home.

-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=239

Shawn Starr <shawn.starr@statpro.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        OS/Version|Windows                     |Linux
https://bugzilla.balabit.com/show_bug.cgi?id=239

--- Comment #1 from Shawn Starr <shawn.starr@statpro.com> 2013-07-09 18:58:29 ---

When setting CN explicitly in trusted_dn(CN=*.dev.company.com, ...), the certificate is not trusted. If we use an IP address, I would think we'd use DNS to reverse the entry to validate that it is a match?
https://bugzilla.balabit.com/show_bug.cgi?id=239

Gergely Nagy <algernon@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |algernon@balabit.hu
        AssignedTo|bazsi@balabit.hu            |algernon@balabit.hu
https://bugzilla.balabit.com/show_bug.cgi?id=239

Gergely Nagy <algernon@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |ASSIGNED
https://bugzilla.balabit.com/show_bug.cgi?id=239

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |bazsi@balabit.hu

--- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2013-07-11 23:12:21 ---

We don't reverse IP addresses from DNS, but we support the subjectAltName iPAddr type. Wildcard CNs should be supported too, but I'd have to check the code for that, which I can't now.
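To make the two failures in the report concrete, here is an added example (not syslog-ng's code, and not posted by anyone in the thread) that models the two peer checks in Python: a trusted_dn()-style glob match over the subject DN string, and RFC 6125-style hostname matching in which an IP literal such as the tcp("192.168.70.4") destination can only be satisfied by a subjectAltName iPAddress entry, the SAN type Comment #2 says is supported, while a wildcard CN only covers DNS names. The Cert class, the sample certificates, the message strings and the check order (DN constraints before hostname, inferred from which message each configuration produced) are assumptions of the example. Note that the glob model accepts the reporter's CN=*.dev.company.com pattern, which the 3.3.4 build rejected, so it shows the matching the reporter expected rather than what that build did.

```python
"""Model of the peer checks behind the two log lines in bug 239.

Illustrative reimplementation for this thread, NOT syslog-ng's code.
Cert, the sample certificates and the check order are assumptions.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Stand-in for the identity fields of an X.509 certificate (assumed shape)."""
    subject: str                                   # DN string, CN first
    san_dns: list = field(default_factory=list)    # subjectAltName dNSName entries
    san_ip: list = field(default_factory=list)     # subjectAltName iPAddress entries

    @property
    def cn(self):
        for rdn in self.subject.split(", "):
            if rdn.startswith("CN="):
                return rdn[3:]
        return None


def dns_name_matches(pattern, hostname):
    """RFC 6125 6.4.3 style wildcard: '*' must be the whole left-most label,
    matches exactly one label, and needs at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, configured):
    """Check the name given in tcp() against the certificate.

    An IP literal is only satisfied by a SAN iPAddress entry: a wildcard
    CN never covers an IP, which is the first message in the report.
    A DNS name is checked against SAN dNSName entries, falling back to
    the CN only when the certificate has no dNSName SAN."""
    try:
        ip = ipaddress.ip_address(configured)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        return any(dns_name_matches(p, configured) for p in cert.san_dns)
    return cert.cn is not None and dns_name_matches(cert.cn, configured)


def dn_matches(pattern, subject):
    """Glob match of a trusted_dn() pattern over the subject DN string;
    '*' spans any characters, including the ', ' between RDNs."""
    return fnmatch.fnmatchcase(subject, pattern)


HOSTNAME_MSG = "Certificate subject does not match configured hostname"
DN_MSG = "Certificate valid, but DN constraints were not met"


def verify_peer(cert, configured_host, trusted_dn_patterns):
    """peer-verify(required-trusted) as modelled here: CA validity is
    assumed to have passed already; DN constraints are checked before the
    hostname (the order inferred from the two log lines in the report)."""
    if trusted_dn_patterns and not any(
            dn_matches(p, cert.subject) for p in trusted_dn_patterns):
        return False, DN_MSG
    if not hostname_matches(cert, configured_host):
        return False, HOSTNAME_MSG
    return True, "ok"


# Constructed sample: the wildcard server certificate from the report,
# first without and then with a SAN iPAddress for the destination IP.
SUBJECT = "CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"
WILDCARD_ONLY = Cert(subject=SUBJECT)
WITH_SAN_IP = Cert(subject=SUBJECT, san_ip=["192.168.70.4"])
ORG_PATTERN = "*, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"
CN_PATTERN = "CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"

if __name__ == "__main__":
    for label, cert, host in [("IP, CN only", WILDCARD_ONLY, "192.168.70.4"),
                              ("IP, SAN iPAddress", WITH_SAN_IP, "192.168.70.4"),
                              ("DNS name", WILDCARD_ONLY, "log1.dev.company.com")]:
        print(label, verify_peer(cert, host, [ORG_PATTERN]))
```

Under this model the reporter's configuration fails for the reason the first log line gives: the destination is an IP literal and the certificate carries only a wildcard CN, so either the server certificate needs a subjectAltName iPAddress of 192.168.70.4 or the tcp() destination has to be a DNS name that the wildcard covers.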