Hi,

I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that clients can properly condition their supplied client certificates.

I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):

    TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 58
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 54
            Certificate types count: 3
            Certificate types (3 types)
            Signature Hash Algorithms Length: 46
            Signature Hash Algorithms (23 algorithms)
            Distinguished Names Length: 0        <----- always '0'

In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.

Here's the syslog-ng.conf entry for these sources:

    source s_515_tls {
        network(
            transport(tls)
            port(515)
            ip-protocol(6)
            tls(
                ca-dir("/etc/ssl/certs")
                key-file("/root/naservers.key")
                cert-file("/root/naservers.cer")
                peer-verify(required-trusted)
                trusted-dn("CN=*.netacquire.com")
            )
        );
    };

I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected, switching to 'peer-verify(required-untrusted)' results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging.

I figure I must be missing something obvious ;). Any ideas?

Here's my syslog-ng version info:

    [logdest:~]# syslog-ng --version
    syslog-ng 3 (3.31.2)
    Config version: 3.29
    Installer-Version: 3.31.2
    Revision:
    Compile-Date: Nov 9 2021 12:52:59
    Module-Directory: /usr/lib/syslog-ng
    Module-Path: /usr/lib/syslog-ng
    Include-Path: /usr/share/syslog-ng/include
    Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: on
    Enable-Linux-Caps: on
    Enable-Systemd: off

Thanks,
-David
Hi David,

The trusted-dn() option is used for an additional verification step to reject clients/servers, which provide a cert having such a *subject* field that does not match with any of the patterns set in trusted-dn().

Unfortunately, I think that the first sentence in the documentation is a bit misleading:

*Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.*

If I understand correctly, what you would like to achieve is defined in https://www.ietf.org/rfc/rfc5246.txt -> 7.4.4. Certificate Request:

    certificate_authorities
        A list of the distinguished names [X501] of acceptable
        certificate_authorities, represented in DER-encoded format. These
        distinguished names may specify a desired distinguished name for a
        root CA or for a subordinate CA; thus, this message can be used to
        describe known roots as well as a desired authorization space. If
        the certificate_authorities list is empty, then the client MAY
        send any certificate of the appropriate ClientCertificateType,
        unless there is some external arrangement to the contrary.

This is not implemented in syslog-ng, yet, but it could be done easily with SSL_set_client_CA_list() <https://www.openssl.org/docs/man3.0/man3/SSL_get0_CA_list.html>:

*SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.*

Could you kindly confirm that this is what you are looking for?

Cheers,
Attila

On Wed, Mar 29, 2023 at 8:42 PM David Hauck <davidh@netacquire.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
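The two things Attila contrasts above (trusted-dn() checking the presented certificate's subject after the handshake, versus the certificate_authorities list carried inside the CertificateRequest message itself) can be made concrete on the wire. The Python below is an added example, not code from this thread or from syslog-ng: it builds and parses the TLS 1.2 CertificateRequest body of RFC 5246 7.4.4 with the same field sizes as the capture (3 certificate types, 23 signature algorithms, 0 DNs, body length 54, record payload 58), then again with a constructed CA name, and shows the client-side selection effect; every name and the signature-algorithm list are constructed for the example.

```python
import struct

# ClientCertificateType values from RFC 5246: rsa_sign(1), dss_sign(2), ecdsa_sign(64)
DEFAULT_CERT_TYPES = (1, 2, 64)

# 23 SignatureAndHashAlgorithm codepoints = 46 bytes, the count Wireshark showed.
# The exact set an OpenSSL build advertises varies; this list is constructed.
SIG_ALGS_IN_CAPTURE = [
    0x0403, 0x0503, 0x0603, 0x0807, 0x0808, 0x0809, 0x080A, 0x080B,
    0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601, 0x0303, 0x0301,
    0x0302, 0x0402, 0x0502, 0x0602, 0x0203, 0x0201, 0x0202,
]

# X.500 attribute type OIDs (2.5.4.x) used by the constructed names
OID = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
OID_NAME = {v: k for k, v in OID.items()}


def _der(tag, body):
    """Minimal DER TLV writer; short-form length covers names under 128 bytes."""
    if len(body) >= 128:
        raise ValueError("long-form DER length not supported in this example")
    return bytes([tag, len(body)]) + body


def _read_tlv(buf, pos):
    """Read one short-form DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form DER length not supported in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def encode_name(rdns):
    """Encode [("C", "US"), ("O", ...), ("CN", ...)] as a DER X.501 Name:
    SEQUENCE OF (SET OF (SEQUENCE { type OID, value string }))."""
    body = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C  # PrintableString for C, else UTF8String
        atv = _der(0x30, _der(0x06, OID[attr]) + _der(string_tag, value.encode()))
        body += _der(0x31, atv)
    return _der(0x30, body)


def decode_name(der):
    """Inverse of encode_name; rejects anything that is not such a simple Name."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        if set_tag != 0x31 or bytes(oid) not in OID_NAME:
            raise ValueError("unsupported RDN")
        rdns.append((OID_NAME[bytes(oid)], value.decode()))
    return rdns


def build_certificate_request(ca_names, cert_types=DEFAULT_CERT_TYPES, sig_algs=SIG_ALGS_IN_CAPTURE):
    """CertificateRequest body: certificate_types, supported_signature_algorithms,
    then certificate_authorities (each DER Name behind a 2-byte length)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sig = b"".join(struct.pack("!H", a) for a in sig_algs)
    body += struct.pack("!H", len(sig)) + sig
    dns = b"".join(struct.pack("!H", len(n)) + n for n in map(encode_name, ca_names))
    return body + struct.pack("!H", len(dns)) + dns


def wrap_handshake(body):
    """Handshake header: type certificate_request(13) + 3-byte length (54 -> 58 bytes)."""
    return b"\x0d" + len(body).to_bytes(3, "big") + body


def parse_certificate_request(body):
    """Parse a CertificateRequest body back into its three fields."""
    n = body[0]
    cert_types, pos = list(body[1:1 + n]), 1 + n
    (sig_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    sig_algs = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + sig_len, 2)]
    pos += sig_len
    (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    names, end = [], pos + dn_len
    while pos < end:
        (length,) = struct.unpack("!H", body[pos:pos + 2])
        names.append(decode_name(body[pos + 2:pos + 2 + length]))
        pos += 2 + length
    if pos != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": names}


def select_client_certs(candidates, ca_names):
    """Client-side effect of the list; candidates is [(label, issuer_rdns)].
    An empty list means the client MAY send any certificate (RFC 5246), so every
    candidate stays eligible; otherwise only those issued by a listed CA do."""
    if not ca_names:
        return [label for label, _ in candidates]
    return [label for label, issuer in candidates if issuer in ca_names]
```

With an empty list the client has nothing to go on and may pick any of its certificates, which is the "random client certificate" behaviour described in the first message; once the server lists its accepted CAs, a client holding several certificates can narrow the choice to one issued by a listed CA before the server ever runs its own verification.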
Hi Attila,

*The trusted-dn() option is used for an additional verification step to reject clients/servers*

Ah, OK, yes, I think I misread (or misinterpreted) this. I get how this is used now, thx.

*Could you kindly confirm that this is what you are looking for?*

Yes, exactly. This is similar to what (for e.g.) the SSLCACertificate{File|Path} mod_ssl directives are used for with the Apache HTTP Server and its HTTPS operation (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html). Without this, connecting clients aren't given any hints that can help them provide a proper client certificate (when they otherwise have many to choose from, each possibly signed by different CAs).

Thanks,
-David

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Attila Szakács
Sent: Thursday, March 30, 2023 3:12 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] TLS "trusted-dn" Question
Thanks! I will try to implement it this week, or if I won't have the time for it, I will create a feature request for it.

In the meantime, I would like to ask: will there be any way you can try out the new feature before a stable release? I can provide you deb or rpm packages or a container image manually, or when we merge it to master, it will be available in our nightly APT repo and nightly docker image. I can provide you a patch, if you are building locally, but I am afraid that the change won't trivially apply to 3.31, as there have been modifications around TLS since then. Does any of this work for you?

Cheers,
Attila

On Thu, Mar 30, 2023 at 5:32 PM David Hauck <davidh@netacquire.com> wrote:
I have opened a PR: https://github.com/syslog-ng/syslog-ng/pull/4412 :)

On Mon, Apr 3, 2023 at 2:36 PM Attila Szakács <attila.szakacs@axoflow.com> wrote:
Thanks! I will try to implement it this week, or if I won't have the time for it, I will create a feature request for it.
In the meantime, I would like to ask: will there be any way you can try out the new feature before a stable release? I can provide you deb or rpm packages or a container image manually, or when we merge it to master, it will be available in our nightly APT repo and nightly docker image. I can provide you a patch, if you are building locally, but I am afraid that the change won't trivially apply to 3.31, as there have been modifications around TLS since then. Does any of this work for you?
Cheers, Attila
On Thu, Mar 30, 2023 at 5:32 PM David Hauck <davidh@netacquire.com> wrote:
Hi Attila,
*The trusted-dn() option is used for an additional verification step to reject clients/servers*
Ah, OK, yes, I think I misread (or misinterpreted) this. I get how this is used now, thx.
*Could you kindly confirm that this is what you are looking for?*
Yes, exactly. This is similar to what (for e.g.) the SSLCACertificate{File|Path} mod_ssl directives are used for with the Apache HTTP Server and its HTTPS operation (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html). Without this connecting clients aren’t given any hints that can help them provide a proper client certificate (when they otherwise have many to choose from, each possibly signed by different CAs).
Thanks,
-David
*From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> *On Behalf Of *Attila Szakács *Sent:* Thursday, March 30, 2023 3:12 AM *To:* Syslog-ng users' and developers' mailing list < syslog-ng@lists.balabit.hu> *Subject:* Re: [syslog-ng] TLS "trusted-dn" Question
Hi David,
The trusted-dn() option is used for an additional verification step to reject clients/servers, which provide a cert having such a *subject* field that does not match with any of the patterns set in trusted-dn().
Unfortunately, I think that the first sentence in the documentation is a bit misleading:
*Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.*
If I understand correctly, what you would like to achieve is defined in https://www.ietf.org/rfc/rfc5246.txt <https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fwww.ietf.org%2Frfc%2Frfc5246.txt&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wL9mYnHT0wDAWeUPj1DCRdF1DcwQUpguUech2vhKb7s%3D&reserved=0> -> 7.4.4. Certificate Request:
certificate_authorities
A list of the distinguished names [X501] of acceptable
certificate_authorities, represented in DER-encoded format. These
distinguished names may specify a desired distinguished name for a
root CA or for a subordinate CA; thus, this message can be used to
describe known roots as well as a desired authorization space. If
the certificate_authorities list is empty, then the client MAY
send any certificate of the appropriate ClientCertificateType,
unless there is some external arrangement to the contrary.
This is not implemented in syslog-ng, yet, but it could be done easily with SSL_set_client_CA_list() <https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FSSL_get0_CA_list.html&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=v1Hbhcgm4Bf2zw0AYF6%2F177xXLXxjkU5HhwLPCBfDS0%3D&reserved=0>:
*SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.*
Could you kindly confirm that this is what you are looking for?
Cheers,
Attila
On Wed, Mar 29, 2023 at 8:42 PM David Hauck <davidh@netacquire.com> wrote:
Hi,
I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that clients can properly condition their supplied client certificates.
I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):
TLSv1.2 Record Layer: Handshake Protocol: Certificate Request Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 58 Handshake Protocol: Certificate Request Handshake Type: Certificate Request (13) Length: 54 Certificate types count: 3 Certificate types (3 types) Signature Hash Algorithms Length: 46 Signature Hash Algorithms (23 algorithms) Distinguished Names Length: 0 <----- always '0'
In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.
Here's the syslog-ng.conf entry for these sources:
source s_515_tls { network( transport(tls) port(515) ip-protocol(6) tls(ca-dir("/etc/ssl/certs") key-file("/root/naservers.key") cert-file("/root/naservers.cer") peer-verify(required-trusted) trusted-dn("CN=*.netacquire.com <https://usg02.safelinks.protection.office365.us/?url=http%3A%2F%2Fnetacquire.com%2F&data=05%7C01%7Cdavidh%40netacquire.com%7C4d2481e9962047dc420d08db31073b8e%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638157679363439549%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=X5NIUWuYD5F4GQ6WbnW%2F5HMrjJFkeg%2Fh4ma9xUMdN8w%3D&reserved=0>")) ); };
I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected switching to 'peer-verify(required-untrusted)' results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging.
I figure I must be missing something obvious ;). Any ideas?
Here's my syslog-ng version info:
[logdest:~]# syslog-ng --version syslog-ng 3 (3.31.2) Config version: 3.29 Installer-Version: 3.31.2 Revision: Compile-Date: Nov 9 2021 12:52:59 Module-Directory: /usr/lib/syslog-ng Module-Path: /usr/lib/syslog-ng Include-Path: /usr/share/syslog-ng/include Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: off Enable-TCP-Wrapper: on Enable-Linux-Caps: on Enable-Systemd: off
Thanks, -David
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi Attila,
Great, thx for working on this!
I think it would be best if we got back to this after the merge to main is complete and a new release is generated. I’m running this on a custom distro so I will need to work with the distro vendor to get this integrated before I can get a runtime image that will work on my test systems. It’s also feasible for me to run a common distro (Ubuntu or Fedora derivative) as a VM for testing, but this also will take some setting up. Let me know if you’re really stuck getting this tested and then I can try to rig something up here.
Thanks again,
-David
PS: Ultimately moving to the current release (with this feature added) will involve more work for us to validate, given the existing v3.31.2 runtimes. This includes (potentially) work to upgrade the configuration. Can you say anything about what might be involved in upgrading a (fairly generic, but fairly intricate) v3.31.2 configuration to v4.x.x?
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Attila Szakács
Sent: Monday, April 03, 2023 9:04 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] TLS "trusted-dn" Question
I have opened a PR: https://github.com/syslog-ng/syslog-ng/pull/4412 :)
On Mon, Apr 3, 2023 at 2:36 PM Attila Szakács <attila.szakacs@axoflow.com> wrote:
Thanks! I will try to implement it this week, or if I won't have the time for it, I will create a feature request for it.
Hi David,
I see, thanks. We test it before merging, so there is no need to test it for us. I was just asking, because some folks want to try the feature out themselves before the stable release, to make sure it works.
On another note, the good news is that the pkcs12-file() option already had this feature since 3.12.1. So if you can wrap it in a pfx file, and use the pkcs12-file() option, the certificate_authorities field will be filled, like you expect it to be.
Screenshot from wireshark (note the pkcs hint):
[image: image.png]
Cheers,
Attila
On Mon, Apr 3, 2023 at 8:37 PM David Hauck <davidh@netacquire.com> wrote:
Hi Attila,
Great, thx for working on this!
I think it would be best if we got back to this after the merge to main is complete and a new release is generated. I’m running this on a custom distro so I will need to work with the distro vendor to get this integrated before I can get a runtime image that will work on my test systems. It’s also feasible for me to run a common distro (Ubuntu or Fedora derivative) as a VM for testing, but this also will take some setting up. Let me know if you’re really stuck getting this tested and then I can try to rig something up here.
Thanks again,
-David
PS: Ultimately moving to the current release (with this feature added) will involve more work for us to validate, given the existing v3.31.2 runtimes. This includes (potentially) work to upgrade the configuration. Can you say anything about what might be involved in upgrading a (fairly generic, but fairly intricate) v3.31.2 configuration to v4.x.x?
*From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> *On Behalf Of* Attila Szakács
*Sent:* Monday, April 03, 2023 9:04 AM
*To:* Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
*Subject:* Re: [syslog-ng] TLS "trusted-dn" Question
I have opened a PR: https://github.com/syslog-ng/syslog-ng/pull/4412 :)
On Mon, Apr 3, 2023 at 2:36 PM Attila Szakács <attila.szakacs@axoflow.com> wrote:
Thanks! I will try to implement it this week, or if I won't have the time for it, I will create a feature request for it.
In the meantime, I would like to ask: will there be any way you can try out the new feature before a stable release? I can provide you deb or rpm packages or a container image manually, or when we merge it to master, it will be available in our nightly APT repo and nightly docker image. I can provide you a patch, if you are building locally, but I am afraid that the change won't trivially apply to 3.31, as there have been modifications around TLS since then. Does any of this work for you?
Cheers,
Attila
On Thu, Mar 30, 2023 at 5:32 PM David Hauck <davidh@netacquire.com> wrote:
Hi Attila,
*The trusted-dn() option is used for an additional verification step to reject clients/servers*
Ah, OK, yes, I think I misread (or misinterpreted) this. I get how this is used now, thx.
*Could you kindly confirm that this is what you are looking for?*
Yes, exactly. This is similar to what (for e.g.) the SSLCACertificate{File|Path} mod_ssl directives are used for with the Apache HTTP Server and its HTTPS operation (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html). Without this connecting clients aren’t given any hints that can help them provide a proper client certificate (when they otherwise have many to choose from, each possibly signed by different CAs).
Thanks,
-David
*From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> *On Behalf Of* Attila Szakács
*Sent:* Thursday, March 30, 2023 3:12 AM
*To:* Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
*Subject:* Re: [syslog-ng] TLS "trusted-dn" Question
Hi David,
The trusted-dn() option is used for an additional verification step to reject clients/servers, which provide a cert having such a *subject* field that does not match with any of the patterns set in trusted-dn().
Unfortunately, I think that the first sentence in the documentation is a bit misleading:
*Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.*
If I understand correctly, what you would like to achieve is defined in https://www.ietf.org/rfc/rfc5246.txt -> 7.4.4. Certificate Request:
certificate_authorities
A list of the distinguished names [X501] of acceptable
certificate_authorities, represented in DER-encoded format. These
distinguished names may specify a desired distinguished name for a
root CA or for a subordinate CA; thus, this message can be used to
describe known roots as well as a desired authorization space. If
the certificate_authorities list is empty, then the client MAY
send any certificate of the appropriate ClientCertificateType,
unless there is some external arrangement to the contrary.
This is not implemented in syslog-ng, yet, but it could be done easily with SSL_set_client_CA_list() <https://www.openssl.org/docs/man3.0/man3/SSL_get0_CA_list.html>:
*SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.*
Could you kindly confirm that this is what you are looking for?
Cheers,
Attila
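The trusted-dn() semantics quoted above (a pattern check on the subject of the certificate the peer has already presented, applied after the handshake, rather than a hint sent in the CertificateRequest), as an added example that is not code from the syslog-ng project or from either author of the thread. It assumes that syslog-ng glob-matches each trusted-dn() pattern against the peer's whole subject DN rendered most-specific RDN first with ", " separators (e.g. "CN=host, O=Org, C=US"), which is the layout the documented pattern "*, O=Example Inc, ST=Some-State, C=*" implies; the function names and the sample subjects are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the syslog-ng project or the thread's authors.
# Models trusted-dn(): every pattern is a glob that must match the *whole*
# subject DN of the certificate the peer presented. Assumption: the DN is
# rendered most-specific RDN first, joined by ", " (e.g. "CN=host, O=Org, C=US").

# trusted_dn_match SUBJECT PATTERN... -> exit 0 if any pattern matches SUBJECT.
# An unquoted variable in a `case` label is matched as a shell glob, so "*"
# and "?" behave like the wildcards in trusted-dn().
trusted_dn_match() {
    subject="$1"
    shift
    for pattern in "$@"; do
        case "$subject" in
            $pattern) return 0 ;;
        esac
    done
    return 1
}

# cert_subject_dn CERT.pem -> prints the certificate's subject in the same
# "CN=..., O=..., C=..." layout, so a real certificate can be checked against
# the patterns you intend to configure. Requires openssl.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject \
        -nameopt utf8,esc_2253,dn_rev,sep_comma_plus_space \
      | sed 's/^subject= *//'
}

# verdict SUBJECT PATTERN... -> "accept" or "reject": with peer-verify(required-trusted)
# a non-matching subject means the already-negotiated connection is closed.
verdict() {
    if trusted_dn_match "$@"; then
        echo accept
    else
        echo reject
    fi
}

# Usage: sh trusted-dn-check.sh CLIENT-CERT.pem PATTERN...
if [ "$#" -ge 2 ] && [ -f "$1" ]; then
    cert="$1"
    shift
    verdict "$(cert_subject_dn "$cert")" "$@"
fi
```

Under that assumption the pattern from the thread, "CN=*.netacquire.com", only accepts certificates whose subject is nothing but a CN; a client certificate issued with O= or C= attributes needs a trailing wildcard such as "CN=*.netacquire.com, *". Either way the check cannot influence which certificate the client picks, which is the gap the pkcs12-file() workaround and the PR address.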
Hi Attila,
Ha! OK, that’s very interesting, this is totally non-obvious (and non-orthogonal to the ca-dir() option) from the manual descriptions ;), but cool that it can be used as a workaround.
Not exactly sure how I’d wrap all of key-file(), cert-file(), and ca-dir() (all certs) values into a single pfx file? Do you happen to know how this can be done (with openssl presumably)?
Thanks for all of this,
-David
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Attila Szakács
Sent: Tuesday, April 04, 2023 12:23 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] TLS "trusted-dn" Question
Hi David,
I see, thanks. We test it before merging, so there is no need to test it for us. I was just asking, because some folks want to try the feature out themselves before the stable release, to make sure it works.
On another note, the good news is that the pkcs12-file() option already had this feature since 3.12.1. So if you can wrap it in a pfx file, and use the pkcs12-file() option, the certificate_authorities field will be filled, like you expect it to be.
Screenshot from wireshark (note the pkcs hint):
[image: image001.png]
Cheers,
Attila
On Mon, Apr 3, 2023 at 8:37 PM David Hauck <davidh@netacquire.com> wrote:
Hi Attila,
Great, thx for working on this!
I think it would be best if we got back to this after the merge to main is complete and a new release is generated. I’m running this on a custom distro so I will need to work with the distro vendor to get this integrated before I can get a runtime image that will work on my test systems. It’s also feasible for me to run a common distro (Ubuntu or Fedora derivative) as a VM for testing, but this also will take some setting up. Let me know if you’re really stuck getting this tested and then I can try to rig something up here.
Thanks again, -David PS: Ultimately moving to the current release (with this feature added) will involve more work for us to validate, given the existing v3.31.2 runtimes. This includes (potentially) work to upgrade the configuration. Can you say anything about what might be involved in upgrading a (fairly generic, but fairly intricate) v3.31.2 configuration to v4.x.x? From: syslog-ng <syslog-ng-bounces@lists.balabit.hu<mailto:syslog-ng-bounces@lists.balabit.hu>> On Behalf Of Attila Szakács Sent: Monday, April 03, 2023 9:04 AM To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu<mailto:syslog-ng@lists.balabit.hu>> Subject: Re: [syslog-ng] TLS "trusted-dn" Question I have opened a PR: https://github.com/syslog-ng/syslog-ng/pull/4412<https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.com%2Fsyslog-ng%2Fsyslog-ng%2Fpull%2F4412&data=05%7C01%7Cdavidh%40netacquire.com%7C77ede0a82c304ab0d7cd08db34dd80f6%7Cec65e18eede24cedbdab49355e3f602d%7C0%7C0%7C638161898196468975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=n8zSK3CinNrU1hxRyXJNyiH6KoPyIvu%2BevI%2Bf217zRs%3D&reserved=0> :) On Mon, Apr 3, 2023 at 2:36 PM Attila Szakács <attila.szakacs@axoflow.com<mailto:attila.szakacs@axoflow.com>> wrote: Thanks! I will try to implement it this week, or if I won't have the time for it, I will create a feature request for it. In the meantime, I would like to ask: will there be any way you can try out the new feature before a stable release? I can provide you deb or rpm packages or a container image manually, or when we merge it to master, it will be available in our nightly APT repo and nightly docker image. I can provide you a patch, if you are building locally, but I am afraid that the change won't trivially apply to 3.31, as there have been modifications around TLS since then. Does any of this work for you? 
Cheers,
Attila

On Thu, Mar 30, 2023 at 5:32 PM David Hauck <davidh@netacquire.com> wrote:

Hi Attila,

> The trusted-dn() option is used for an additional verification step to reject clients/servers

Ah, OK, yes, I think I misread (or misinterpreted) this. I get how this is used now, thx.

> Could you kindly confirm that this is what you are looking for?

Yes, exactly. This is similar to what (for e.g.) the SSLCACertificate{File|Path} mod_ssl directives are used for with the Apache HTTP Server and its HTTPS operation (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html). Without this connecting clients aren’t given any hints that can help them provide a proper client certificate (when they otherwise have many to choose from, each possibly signed by different CAs).

Thanks,
-David

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Attila Szakács
Sent: Thursday, March 30, 2023 3:12 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] TLS "trusted-dn" Question

Hi David,

The trusted-dn() option is used for an additional verification step to reject clients/servers, which provide a cert having such a subject field that does not match with any of the patterns set in trusted-dn().
Unfortunately, I think that the first sentence in the documentation is a bit misleading:

> Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. For example, using trusted-dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.

If I understand correctly, what you would like to achieve is defined in https://www.ietf.org/rfc/rfc5246.txt -> 7.4.4. Certificate Request:

> certificate_authorities
> A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space. If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.
This is not implemented in syslog-ng, yet, but it could be done easily with SSL_set_client_CA_list() (https://www.openssl.org/docs/man3.0/man3/SSL_get0_CA_list.html):

> SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

Could you kindly confirm that this is what you are looking for?

Cheers,
Attila

On Wed, Mar 29, 2023 at 8:42 PM David Hauck <davidh@netacquire.com> wrote:

Hi,

I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that clients can properly condition their supplied client certificates. I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):

    TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 58
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 54
            Certificate types count: 3
            Certificate types (3 types)
            Signature Hash Algorithms Length: 46
            Signature Hash Algorithms (23 algorithms)
            Distinguished Names Length: 0    <----- always '0'

In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.
Here's the syslog-ng.conf entry for these sources:

    source s_515_tls {
        network(
            transport(tls)
            port(515)
            ip-protocol(6)
            tls(ca-dir("/etc/ssl/certs")
                key-file("/root/naservers.key")
                cert-file("/root/naservers.cer")
                peer-verify(required-trusted)
                trusted-dn("CN=*.netacquire.com"))
        );
    };

I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected switching to 'peer-verify(required-untrusted)' results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging. I figure I must be missing something obvious ;). Any ideas?
Here's my syslog-ng version info:

    [logdest:~]# syslog-ng --version
    syslog-ng 3 (3.31.2)
    Config version: 3.29
    Installer-Version: 3.31.2
    Revision:
    Compile-Date: Nov 9 2021 12:52:59
    Module-Directory: /usr/lib/syslog-ng
    Module-Path: /usr/lib/syslog-ng
    Include-Path: /usr/share/syslog-ng/include
    Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: on
    Enable-Linux-Caps: on
    Enable-Systemd: off

Thanks,
-David

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq
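Attila's quotation of RFC 5246 section 7.4.4 above is the security-relevant point of the thread: when the certificate_authorities list in the server's CertificateRequest is empty, the client MAY present any client certificate, which is exactly the "Distinguished Names Length: 0" David saw in Wireshark and the reason his clients picked certificates the server could not verify. The following example is added here by the editor; it is not code from the thread, from syslog-ng or from OpenSSL. It parses a TLS 1.2 CertificateRequest record and lists the DER-encoded names it carries, so a defender can confirm from a capture whether a server sends CA hints. Both records it parses are constructed inline: the first reproduces the lengths in David's capture (record length 58, handshake length 54, DN list length 0), the second carries one hypothetical name, "CN=Example CA". The signature algorithm bytes in the fixture are placeholders and the OID table covers only the common DN attributes.

```python
"""Parse a TLS 1.2 CertificateRequest and list its certificate_authorities.

Added example (editor's code, not from the thread, syslog-ng or OpenSSL).
The records parsed below are constructed fixtures, not real captures.
"""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
# Minimal X.501 attribute OIDs -> short names used in DN strings.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OID body into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_name_to_string(name_der):
    """Render a DER-encoded X.501 Name as 'CN=..., O=..., C=...'."""
    tag, rdn_seq, _ = _der_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):  # SEQUENCE OF RelativeDistinguishedName
        _, rdn_set, pos = _der_tlv(rdn_seq, pos)  # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _der_tlv(rdn_set, inner)  # SEQUENCE { type OID, value }
            _, oid_raw, vpos = _der_tlv(atv, 0)
            _, value_raw, _ = _der_tlv(atv, vpos)
            oid = _decode_oid(oid_raw)
            parts.append(f"{OID_NAMES.get(oid, oid)}={value_raw.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def parse_certificate_request(record):
    """Parse one TLS record carrying a TLS 1.2 CertificateRequest (RFC 5246 7.4.4).

    TLS 1.3 moves certificate_authorities into an extension; not handled here.
    """
    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    msg = body[4:4 + hs_len]
    n_types = msg[0]
    cert_types = list(msg[1:1 + n_types])
    pos = 1 + n_types
    (sig_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2 + sig_len  # skip the SignatureAndHashAlgorithm pairs (2 bytes each)
    (ca_len,) = struct.unpack("!H", msg[pos:pos + 2])
    ca_blob, cpos, names = msg[pos + 2:pos + 2 + ca_len], 0, []
    while cpos < len(ca_blob):  # each entry is <2-byte length><DER Name>
        (dn_len,) = struct.unpack("!H", ca_blob[cpos:cpos + 2])
        names.append(der_name_to_string(ca_blob[cpos + 2:cpos + 2 + dn_len]))
        cpos += 2 + dn_len
    return {"version": version, "certificate_types": cert_types,
            "signature_algorithms": sig_len // 2, "certificate_authorities": names}


def sends_ca_hints(record):
    """Defender's check: does the server tell clients which CAs it accepts?"""
    return bool(parse_certificate_request(record)["certificate_authorities"])


def build_certificate_request(ca_names_der):
    """Construct a TLS 1.2 CertificateRequest record (fixture, not a real capture)."""
    cert_types = bytes([1, 2, 64])  # rsa_sign, dss_sign, ecdsa_sign
    sig_algs = bytes(46)  # 23 placeholder SignatureAndHashAlgorithm pairs
    ca_blob = b"".join(struct.pack("!H", len(n)) + n for n in ca_names_der)
    msg = (bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(sig_algs)) + sig_algs
           + struct.pack("!H", len(ca_blob)) + ca_blob)
    hs = bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs


# Hand-built DER for the hypothetical Name "CN=Example CA" (23 bytes).
EXAMPLE_CA_NAME = bytes.fromhex("3015" "3113" "3011" "0603550403" "130a") + b"Example CA"
EMPTY_CA_LIST_RECORD = build_certificate_request([])  # the shape David observed
ONE_CA_RECORD = build_certificate_request([EXAMPLE_CA_NAME])  # a filled list

if __name__ == "__main__":
    for label, rec in (("empty list", EMPTY_CA_LIST_RECORD), ("one CA", ONE_CA_RECORD)):
        print(label, sends_ca_hints(rec), parse_certificate_request(rec))
```

To run the check against a real handshake, export the raw bytes of the Certificate Request record from the capture tool and pass them to sends_ca_hints(); a False result means the server is leaving certificate selection entirely to the client, which is the situation the thread describes. The parser is deliberately limited to TLS 1.2, where the list lives in the CertificateRequest body itself.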
Hi,

> Not exactly sure how I’d wrap all of key-file(), cert-file(), and ca-dir() (all certs) values into a single pfx file? Do you happen to know how this can be done (with openssl presumably)?

I usually do this with the following openssl command:

    openssl pkcs12 -export -inkey my.key -in my.crt -certfile ca.crt -out my.p12

--
László Várady
Hi László,

Great, thx, I'll give this a try too (so the CA bundle must already exist - no support for using the target as defined by ca-dir()?).

Regards,
-David

On Tuesday, April 04, 2023 1:43 PM, László Várady <annonameus@gmail.com> wrote:

> Hi,
>
> > Not exactly sure how I’d wrap all of key-file(), cert-file(), and ca-dir() (all certs) values into a single pfx file? Do you happen to know how this can be done (with openssl presumably)?
>
> I usually do this with the following openssl command:
>
>     openssl pkcs12 -export -inkey my.key -in my.crt -certfile ca.crt -out my.p12
>
> --
> László Várady
Hi,

Just confirming that this option works fine too. Thx again for pointing this out.

-David

-----Original Message-----
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of David Hauck
Sent: Tuesday, April 04, 2023 5:22 PM
To: László Várady <annonameus@gmail.com>; Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] TLS "trusted-dn" Question
participants (3)
- Attila Szakács
- David Hauck
- László Várady