Authentication problem
Hi all,

I am trying to set up a centralized syslog server, with encryption and authentication over TCP. Communication is OK, encryption too, but I can't get the authentication to work. Here is my actual configuration, reduced to what is needed:

Client:

    source s_src {
        unix-dgram("/dev/log");
        internal();
        file("/proc/kmsg" program_override("kernel"));
    };
    ...
    destination d_net {
        tcp("192.168.0.42" port(4242)
            tls(
                ca_dir("/etc/rsyslog.d/certs/CA/")
                cert_file("/etc/rsyslog.d/certs/client.crt")
                key_file("/etc/rsyslog.d/certs/client.key")
                peer_verify(optional-untrusted)
            )
            log_fifo_size(1000)
        );
    };
    ...
    log { source(s_src); destination(d_net); };

Server:

    source s_src {
        # Local logging
        unix-dgram("/dev/log");
        file("/proc/kmsg" program_override("kernel"));
        # Remote logging
        tcp(
            port(4242)
            tls(
                ca_dir("/etc/syslog-ng/certs/CA/")
                cert_file("/etc/syslog-ng/certs/server.crt")
                key_file("/etc/syslog-ng/certs/server.key")
                peer_verify(optional-untrusted)
            )
        );
    };

The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/

This setup works: the server is getting the client's logs, ciphered on the wire.
When I replace peer_verify(optional-untrusted) by peer_verify(required-trusted), in order to get mutual authentication, I get this error:

    ==> /var/log/error <==
    Jan 6 14:42:09 client syslog-ng[11086]: Certificate validation failed; subject='emailAddress=email@address.com, CN=server.fqdn, OU=Org Unit, O=Company, L=City, ST=Crountry, C=ID', issuer='emailAddress=email@address.com, CN=Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', error='unable to get local issuer certificate', depth='0'
    Jan 6 14:42:09 client syslog-ng[11086]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Jan 6 14:42:09 client syslog-ng[11086]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'

    ==> /var/log/messages <==
    Jan 6 14:42:09 client syslog-ng[11086]: Syslog connection broken; fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'

But my certificates are good:

    openssl verify -CAfile /etc/syslog-ng/certs/CA/ca.crt -purpose any /etc/syslog-ng/certs/client.crt
    /etc/syslog-ng/certs/client.crt: OK
    openssl verify -CAfile /etc/syslog-ng/certs/CA/ca.crt -purpose any /etc/syslog-ng/certs/server.crt
    /etc/syslog-ng/certs/server.crt: OK

More information:

    root@[client|server]:~ # syslog-ng -V
    syslog-ng 3.1.3
    Installer-Version: 3.1.3
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
    Compile-Date: Nov 28 2010 12:29:35
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

Does someone have any clue on what's going wrong?
-- 
Fabien Bagard
IT Department
tel + 33 (0)1 48 03 60 40
--------------------------------------------------------------------------------
Parrot SA
174, Quai de Jemmapes | 75010 Paris - France
tel + 33 (0)1 48 03 60 60 | fax + 33 (0)1 48 03 70 08
http://www.parrot.com
--------------------------------------------------------------------------------
This e-mail message and any attached document(s) are for the sole use of the intended recipient(s) and may contain confidential and legally privileged information. Any unauthorized review, copy, use and/or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original.
Hi!

On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/
This setup works: the server is getting the client's logs, ciphered on the wire.
When I replace peer_verify(optional-untrusted) by peer_verify(required-trusted), in order to get mutual authentication, I get this error:
syslog-ng does not read all files from the CA dir. It searches for CA certificates by the hash value of the subject. So you should rename the CA files (or create a symlink to them) to the mentioned hash value. (And the extension should be .0)

The hash value can be calculated with the

    openssl x509 -in <filename> -noout -hash

command. Or you can create the symbolic link(s) with the c_rehash command if it is available (this command is part of OpenSSL).

-- 
SZALAY Attila
Support (L3) Team Leader
e-mail: attila.szalay@balabit.com
BalaBit IT Security
www.balabit.com
H-1115 Bártfai str. 54. Budapest
This Communication is Confidential. We only send and receive email on the basis of the terms set out at http://www.balabit.com/disclaimer/.
On 01/06/2011 03:05 PM, SZALAY Attila wrote:
Hi!
On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/
This setup works: the server is getting the client's logs, ciphered on the wire.
When I replace peer_verify(optional-untrusted) by peer_verify(required-trusted), in order to get mutual authentication, I get this error:
syslog-ng does not read all files from the CA dir. It searches for CA certificates by the hash value of the subject. So you should rename the CA files (or create a symlink to them) to the mentioned hash value. (And the extension should be .0)
The hash value can be calculated with the openssl x509 -in <filename> -noout -hash command.
Or you can create the symbolic link(s) with the c_rehash command if it is available (this command is part of OpenSSL).
Thanks for your quick reply,

I tried this already, and just tried again. To be sure I linked in /etc/syslog-ng/certs/CA/ and in /etc/ssl/certs/:

    openssl x509 -in /etc/syslog-ng/certs/CA/ca.crt -noout -hash
    8fa7a206
    ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/syslog-ng/certs/CA/8fa7a206.0
    ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/ssl/certs/8fa7a206.0
    /etc/init.d/syslog-ng restart
    Stopping system logging: syslog-ng.
    Starting system logging: syslog-ng.

On both client and server. Now I get:

    Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection established; fd='9', server='AF_INET(192.168.0.42:4242)', local='AF_INET(0.0.0.0:0)'
    Jan 6 15:11:51 client syslog-ng[11528]: Certificate validation failed; subject='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', issuer='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', error='self signed certificate in certificate chain', depth='1'
    Jan 6 15:11:51 client syslog-ng[11528]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Jan 6 15:11:51 client syslog-ng[11528]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'
    Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection broken; fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'

My question: How can I use a self-signed CA?

-- 
Fabien Bagard
IT Department
On Thu, 2011-01-06 at 16:03 +0100, Fabien Bagard wrote:
On 01/06/2011 03:05 PM, SZALAY Attila wrote:
Hi!
On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
The CA which was used to sign these certificates is world readable and located in /etc/syslog-ng/certs/CA/
This setup works: the server is getting the client's logs, ciphered on the wire.
When I replace peer_verify(optional-untrusted) by peer_verify(required-trusted), in order to get mutual authentication, I get this error:
syslog-ng does not read all files from the CA dir. It searches for CA certificates by the hash value of the subject. So you should rename the CA files (or create a symlink to them) to the mentioned hash value. (And the extension should be .0)
The hash value can be calculated with the openssl x509 -in <filename> -noout -hash command.
Or you can create the symbolic link(s) with the c_rehash command if it is available (this command is part of OpenSSL).
Thanks for your quick reply,
I tried this already, and just tried again. To be sure I linked in /etc/syslog-ng/certs/CA/ and in /etc/ssl/certs/:

    openssl x509 -in /etc/syslog-ng/certs/CA/ca.crt -noout -hash
    8fa7a206
    ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/syslog-ng/certs/CA/8fa7a206.0
    ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/ssl/certs/8fa7a206.0
    /etc/init.d/syslog-ng restart
    Stopping system logging: syslog-ng.
    Starting system logging: syslog-ng.

On both client and server. Now I get:
Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection established; fd='9', server='AF_INET(192.168.0.42:4242)', local='AF_INET(0.0.0.0:0)'
Jan 6 15:11:51 client syslog-ng[11528]: Certificate validation failed; subject='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', issuer='emailAddress=email@address.com, CN=Company Root CA, OU=Org Unit, O=Company Root CA, L=City, ST=Country, C=ID', error='self signed certificate in certificate chain', depth='1'
Jan 6 15:11:51 client syslog-ng[11528]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Jan 6 15:11:51 client syslog-ng[11528]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'
Jan 6 15:11:51 client syslog-ng[11528]: Syslog connection broken; fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'
My question: How can I use a self-signed CA?
It's the whole point in certificate validation to use self-signed CA certificates. (After all, a centrally trusted CA is self-signed too.) Try validating that your directory is correct using "openssl verify"; once that validates the cert, syslog-ng should too.

-- 
Bazsi
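Putting Attila's hashed-link instructions and Bazsi's "validate the directory with openssl verify" advice together, here is an added example (editor's code, not from the thread or from syslog-ng) that builds a throw-away CA and server certificate in a temp directory, populates a CA directory with <subject_hash>.0 links the way c_rehash would, and then verifies the leaf with openssl verify -CApath. That flag exercises the same hash-directory lookup the daemon performs; the -CAfile checks quoted earlier in the thread never touch the directory at all, which is why they pass while the TLS handshake fails. The hash form changed in OpenSSL 1.0.0 (-subject_hash versus -subject_hash_old), so links for both are created; whichever form the libcrypto behind syslog-ng uses must be present. The CN values, paths and the ca.crt name are illustrative. In the real setup, run the -CApath check against the directory each side's ca_dir() actually names (the client configuration at the top of the thread points at /etc/rsyslog.d/certs/CA/, while the links were added under /etc/syslog-ng/certs/CA/ and /etc/ssl/certs/).

```shell
#!/bin/sh
# Added example (not from the thread): build a hashed CA directory the way
# OpenSSL, and therefore syslog-ng's ca_dir(), looks issuers up, then verify
# a leaf certificate against it with -CApath. All key material is throw-away
# and generated in a temp dir; CN values and file names are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
# The ca_ext section is applied only when -x509 builds the self-signed root.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root plus one server certificate signed by it.
make_test_pki() {
    openssl req -x509 -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=server.example" \
        -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.crt" 2>/dev/null
}

# Populate a CA directory: the PEM file plus one <hash>.0 link per hash form,
# which is what c_rehash produces. OpenSSL >= 1.0.0 changed the subject hash,
# so a link under the pre-1.0 name is added too when the tool can compute it.
hash_ca_dir() {
    cadir=$1; cert=$2
    mkdir -p "$cadir"
    cp "$cert" "$cadir/ca.crt"
    new=$(openssl x509 -in "$cert" -noout -subject_hash)
    ln -sf ca.crt "$cadir/$new.0"
    if old=$(openssl x509 -in "$cert" -noout -subject_hash_old 2>/dev/null); then
        [ "$old" = "$new" ] || ln -sf ca.crt "$cadir/$old.0"
    fi
}

# The lookup a TLS client does at handshake time: find the issuer by subject
# hash in the directory. Older openssl(1) exits 0 even when verification
# fails, so key off the printed verdict rather than the exit status.
verify_against_dir() {
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    printf '%s\n' "$out"
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

make_test_pki
hash_ca_dir "$WORK/hashed" "$WORK/ca.crt"
# Same CA, but dropped into a directory under its original name only: this is
# the state that yields "unable to get local issuer certificate".
mkdir -p "$WORK/unhashed"
cp "$WORK/ca.crt" "$WORK/unhashed/ca.crt"

echo "# contents of the hashed CA dir:"
ls -l "$WORK/hashed"
echo "# verify against hashed dir:"
verify_against_dir "$WORK/hashed" "$WORK/server.crt" || true
echo "# verify against unhashed dir:"
verify_against_dir "$WORK/unhashed" "$WORK/server.crt" || true
```

The two verify runs at the end show the contrast the thread is about: the same CA file passes when it is reachable under its <hash>.0 name and fails with error 20 when it is not, even though openssl verify -CAfile on that very file would say OK. After fixing a production directory with c_rehash, the -CApath form of the check is the one that reflects what the daemon will see.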
participants (3)
- Balazs Scheidler
- Fabien Bagard
- SZALAY Attila