Syslog-ng mutual self cert authentication
Hi all,

I'm trying to make mutual self cert authentication with Syslog-NG and using LogAnalyzer to see the logs. I have done the following:

Server configuration:

Creating a CA: make a directory, put the openssl.cnf file in the directory etc., and do the following commands:

1. openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
2. openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf
3. openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
4. openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
5. In /etc/syslog-ng/ create the directories cert.d and ca.d, copy serverkey.pem and servercert.pem to cert.d and copy cacert.pem to ca.d. Go to ca.d and issue the following command "openssl x509 -noout -hash -in cacert.pem" and make the link "ln -s cacert.pem 6d2962a8.0".
6. In the syslog-ng.conf file I put the following changes:

***************************************
source s_sys {
    system();
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
    network(
        port(6514)
        transport("tls")
        tls(
            key_file("/etc/syslog-ng/cert.d/serverkey.pem")
            cert_file("/etc/syslog-ng/cert.d/servercert.pem")
            ca_dir("/etc/syslog-ng/ca.d")
        )
    );
};
***************************************

And restart the service.

==================

Client Configuration

Creating a CA: make a directory, put the openssl.cnf file in the directory etc., and do the following commands:

1. openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
2. openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
3. openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
4. openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
5. In /etc/syslog-ng/ create the directories cert.d and ca.d, copy "clientkey.pem" and "clientcert.pem" to "cert.d" and copy "cacert.pem" to "ca.d", and issue the following commands in the ca.d directory: "openssl x509 -noout -hash -in cacert.pem" and "ln -s cacert.pem 6d2962a8.0".
6. Add the following to the syslog-ng.conf file:

***************************************
destination d_tcp {
    tcp("192.168.111.176" port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/cert.d/clientkey.pem")
            cert_file("/etc/syslog-ng/cert.d/clientcert.pem")
        )
    );
};
***************************************

And finally I have the following errors :)

Jan 12 11:58:02 syslogserver syslog-ng[5507]: Syslog connection accepted; fd='16', client='AF_INET(192.168.111.104:45631)', local='AF_INET(0.0.0.0:6514)'
Jan 12 11:58:02 syslogserver syslog-ng[5507]: SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
Jan 12 11:58:02 syslogserver syslog-ng[5507]: I/O error occurred while reading; fd='16', error='Connection reset by peer (104)'
Jan 12 11:58:02 syslogserver syslog-ng[5507]: Syslog connection closed; fd='16', client='AF_INET(192.168.111.104:45631)', local='AF_INET(0.0.0.0:6514)'
Jan 12 11:58:12 syslogserver syslog-ng[5507]: Syslog connection accepted; fd='16', client='AF_INET(192.168.111.104:58937)', local='AF_INET(0.0.0.0:6514)'
Jan 12 11:58:12 syslogserver syslog-ng[5507]: SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
Jan 12 11:58:12 syslogserver syslog-ng[5507]: I/O error occurred while reading; fd='16', error='Connection reset by peer (104)'
Jan 12 11:58:12 syslogserver syslog-ng[5507]: Syslog connection closed; fd='16', client='AF_INET(192.168.111.104:58937)', local='AF_INET(0.0.0.0:6514)'

Can someone help me with this and tell me what I'm doing wrong?

Thanks in advance!
Hi,

"Ivan Adji - Krstev" <akivanradix@gmail.com> wrote on 2016-01-12 at 12:08:
> Can someone help me with this and tell me what I'm doing wrong?

At first glance, it seems that you put the server's own CA into the server's ca dir, and the client's CA into the client's ca dir. The CA that you created to sign the server's cert should be on the client's side, so the client has the chance to validate that the server's cert is signed with it. And vice versa: the server should have the CA which was used to sign the client's cert, to validate that signature.

Kind regards,
Gyu
Hi,

You mean the cacert.pem or the servercert.pem? And vice versa?

Kind regards,
Ivan

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi,

"Ivan Adji - Krstev" <akivanradix@gmail.com> wrote on 2016-01-15 at 11:18:
> You mean the cacert.pem or the servercert.pem? And vice versa?

The servercert.pem is the cert pair for the key that the server has. The (server)cert is the "public" part of the key, and the key file is the private part. The servercert is signed with the cacert. As far as I saw in your example, you defined a different CA for signing the servercert, and did that separately to sign the client's cert. So the CA that you created to sign the server's CSR (so, after the signing it becomes a cert) is the one which should be published to the client-side ca dir.

So when the TLS handshake happens, the client sees: whups, here is a server cert. It checks the issuer's fingerprint in the cert. Based on the fingerprint it will find the CA's cert in its local ca dir. It checks if that signature is valid, and the client is happy.

The same will happen on the server side symmetrically: the client will show up with its own cert. The server sees it is signed with the other CA (the one which you used to sign the client cert). Based on the fingerprint, it starts to check if it is available in its ca dir. If you install that there, and the appropriate symlink is also available, then it will also find that CA cert. It will check if the client certificate is valid. It will be. Both sides will be happy, and communicate gladly inside an encrypted channel.

Was this description clear?

Kind regards,
Gyu
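The topology Gyu describes (one CA signs both leaf certs, and that CA's cert sits in ca_dir() on both the server and the client, under its hashed symlink name) as an added shell example; this is not code from the thread or from the Balabit guide. It signs with "openssl x509 -req" instead of "openssl ca" so no openssl.cnf, serial or index.txt setup is needed; directory paths and the CN values are assumptions.

```shell
#!/bin/sh
# Added example: one CA signs both the server and the client certificate, and the
# same cacert.pem is installed into ca_dir() on BOTH hosts. Signing is done with
# 'openssl x509 -req' (no openssl.cnf needed). Paths and CNs below are assumed.
set -eu

# Generate a CA plus a server and a client cert signed by it, all inside directory $1.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. the single CA (self-signed): cakey.pem is the private part, cacert.pem the public part
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=syslog-test-ca" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  # 2. server key + CSR, then the CA signs the CSR -> servercert.pem
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=syslogserver" \
    -keyout "$dir/serverkey.pem" -out "$dir/serverreq.pem" 2>/dev/null
  openssl x509 -req -in "$dir/serverreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 365 -out "$dir/servercert.pem" 2>/dev/null
  # 3. client key + CSR, signed by the SAME CA -> clientcert.pem
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=syslogclient" \
    -keyout "$dir/clientkey.pem" -out "$dir/clientreq.pem" 2>/dev/null
  openssl x509 -req -in "$dir/clientreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 365 -out "$dir/clientcert.pem" 2>/dev/null
}

# Install a CA cert into a ca_dir() the way syslog-ng/OpenSSL look it up: the file plus
# a <subject-hash>.0 symlink (the "ln -s cacert.pem 6d2962a8.0" step from the thread).
# Prints the symlink name it created.
install_ca_dir() {
  cadir="$1" cacert="$2"
  mkdir -p "$cadir"
  cp "$cacert" "$cadir/cacert.pem"
  hash=$(openssl x509 -noout -hash -in "$cacert")
  ln -sf cacert.pem "$cadir/$hash.0"
  echo "$hash.0"
}

# Do what the peer does during the handshake: locate the issuer by hash in ca_dir $1
# and verify the signature on leaf cert $2. Exit status 0 = accepted, non-zero = the
# "unknown ca" case from the thread (issuer not present in that ca_dir).
verify_against_dir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage on the pki machine (paths assumed); install_ca_dir is run on the server AND the client:
#   make_pki /tmp/pki
#   install_ca_dir /etc/syslog-ng/ca.d /tmp/pki/cacert.pem
#   verify_against_dir /etc/syslog-ng/ca.d /tmp/pki/clientcert.pem && echo "server would accept this client"
```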
Hi Gyu,

So if I get this all right, I have to do the following on the server:

Generate the certificate for the CA:
    openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Create the server certificate and sign a certificate for the server:
    openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
    openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem

On the client:

Copy cacert.pem from the server to the client.

Create a client certificate:
    openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
    openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem

And then just link the cacert.pem, and in the ca.d put the servercert.pem file? And on the server side copy the clientcert.pem file to ca.d?

Kind regards,
Ivan
Can someone give me the right way to do this, as I'm following this tutorial and still have errors:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g...

Kind regards,
Ivan
Hi,

"Ivan Adji - Krstev" <akivanradix@gmail.com> wrote on 2016-01-15 at 15:06:
> Can someone give me the right way to do this, as I'm following this tutorial and still have errors:
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g...

This guide seems pretty good. What errors do you have?

This guide assumes you have a "pki" machine: one machine where you generate all the certificates and keys and do any PKI-related thing, as is usual. Then it is consistent with the filenames, so when it shows the server side's config and you see a "cacert.pem", it comes from this pki environment. The same cacert.pem should be applied to the client side.

Step #1: Does your server start?
Step #2: Does your client start?

If it is only a test system, and the keys are not "real secret" yet, and you still have problems, I suggest using contrib/syslog-debun to collect the config and other environment-related things from your client and server side, and send those to me. I do not know if .tar.gz attachments are allowed on the mailing list. But I would gladly check them.

If the server is able to start, then please run the debug bundle collector with these parameters:
    contrib/syslog-debun -d
It will stop the syslog-ng system service, and start it in foreground debug mode, until you press enter. Then it will stop the debug mode service, and start the "system service" again.

While the server runs in debug mode, please try the same on the client side. The most important part of the whole debugging is that I would like to see syslog-ng's debug messages and see what happens from syslog-ng's point of view.

Cheers,
Gyu
Hi Pasztor,

The problem here is that I don't get the right procedure with the cert. I get the private and public key and all other stuff, but I can't get the point in this scenario: what is the certificate, what is the private and the public. So I have "cakey.pem" which is private and "cacert.pem", then I have "serverkey.pem" and "serverreq.pem" which is also private, and then "servercert.pem". So to be honest I really don't get the right point here: which is the CA, which is the public cert, and what needs to be signed from where? And all these files, I'm not sure which to use where, as all this gets confusing to me as I read the commands and see that nothing is connected from the tutorial.

Kind regards,
Ivan
Hi,

I do the following: following the link from Balabit I have done the server side without errors. Then I do this on the client side:

1. mkdir certs crl newcerts private
   echo "01" > serial
   cp /dev/null index.txt

Then I copy "cacert.pem" to the client machine and try the next step, "Creating a client certificate", using the following commands:

    openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem

And on the last line I have the errors:

    openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    Error opening CA certificate ./cacert.pem
    140030533961632:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./cacert.pem','r')
    140030533961632:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load certificate

So I try copying the serverkey.pem and servercert.pem, but similar errors:

    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    Error opening CA certificate ./cacert.pem
    140578607339424:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./cacert.pem','r')
    140578607339424:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load certificate

    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    unable to load CA private key
    140231163467680:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
    140231163467680:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
    140231163467680:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
    140231163467680:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

So I'm not sure what I'm missing.

Thanks!
participants (2)
- Ivan Adji - Krstev
- PÁSZTOR György