Hi everyone,

I am currently implementing a central syslog server using syslog-ng and I have encountered some problems when configuring mutual TLS authentication. On the client machine I keep getting the following errors:

    Mar 18 12:54:22 machine syslog-ng[5432]: Syslog connection established; fd='9', server='AF_INET(xxx.113.161.23:514)', local='AF_INET(0.0.0.0:0)'
    Mar 18 12:54:22 machine syslog-ng[5432]: Certificate validation failed; subject='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', issuer='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', error='self signed certificate in certificate chain', depth='3'
    Mar 18 12:54:22 machine syslog-ng[5432]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Mar 18 12:54:22 machine syslog-ng[5432]: I/O error occurred while writing; fd='9', error='Broken pipe (32)'
    Mar 18 12:54:22 machine syslog-ng[5432]: Syslog connection broken; fd='9', server='AF_INET(xxx.113.161.23:514)', time_reopen='60'

This is the exact same problem as in the following thread:
https://lists.balabit.hu/pipermail/syslog-ng/2011-January/015613.html

I have verified the functionality without TLS settings and everything works perfectly, so there is no problem on the way (firewall, etc.).

I studied the manual carefully and everything is as it is supposed to be:

CLIENT MACHINE
--------------

OS - Debian 6.0 Squeeze

SYSLOG-NG VERSION:

    client:# syslog-ng --version
    syslog-ng 3.1.3
    Installer-Version: 3.1.3
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
    Compile-Date: Feb  1 2011 19:36:27
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

DESTINATION CONFIGURATION FROM SYSLOG-NG.CONF:

    destination d_net {
        tcp("xxx.113.161.23" port(514)
            tls( key_file("/etc/ssl/private/client.company.cz-nopass.key")
                 cert_file("/etc/ssl/certs/client.company.cz.pem")
                 ca_dir("/etc/ssl/trusted_ca"))
        );
    };

CA HASH:

    client:# openssl x509 -in /etc/ssl/trusted_ca/tcs.pem -noout -hash
    9df51c42

CA CERTIFICATE DIRECTORY:

    client:# ll /etc/ssl/trusted_ca
    total 12
    lrwxrwxrwx 1 root root   27 Mar 18 12:30 9df51c42.0 -> /etc/ssl/trusted_ca/tcs.pem
    -rw-r--r-- 1 root root 1655 Mar 18 12:29 tcs.pem

VALIDATE CERTIFICATE AGAINST CA:

    client:# openssl verify -CAfile /etc/ssl/trusted_ca/9df51c42.0 -verbose /etc/ssl/certs/client.company.cz.pem
    /etc/ssl/certs/client.company.cz.pem: OK

SERVER MACHINE
--------------

OS - Debian 6.0 Squeeze

SYSLOG-NG VERSION:

    server:# syslog-ng --version
    syslog-ng 3.1.3
    Installer-Version: 3.1.3
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
    Compile-Date: Feb  1 2011 19:36:27
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on

SOURCE CONFIGURATION FROM SYSLOG-NG.CONF:

    source s_net {
        tcp( ip(0.0.0.0) port(514)
             tls( key_file("/etc/ssl/private/server.company.cz-nopass.key")
                  cert_file("/etc/ssl/certs/server.company.cz.pem")
                  ca_dir("/etc/ssl/trusted_ca"))
        );
    };

CA HASH:

    server:# openssl x509 -in /etc/ssl/trusted_ca/tcs.pem -noout -hash
    9df51c42

CA CERTIFICATE DIRECTORY:

    server:# ll /etc/ssl/trusted_ca
    total 12
    lrwxrwxrwx 1 root root   27 Mar 18 12:30 9df51c42.0 -> /etc/ssl/trusted_ca/tcs.pem
    -rw-r--r-- 1 root root 1655 Mar 18 12:29 tcs.pem

VALIDATE CERTIFICATE AGAINST CA:

    server:# openssl verify -CAfile /etc/ssl/trusted_ca/9df51c42.0 -verbose /etc/ssl/certs/server.company.cz.pem
    /etc/ssl/certs/server.company.cz.pem: OK

The certificates for the CA are the same on both machines. I tried to put in either the whole chain up to the root certificate, or only the last certificate, but the error keeps appearing.

In the thread mentioned above the community member Bazsi suggested the following:

------
It's the whole point in certificate validation to use self-signed CA certificates. (After all, a centrally trusted CA is self-signed too.)

Try validating that your directory is correct using "openssl verify"; once that validates the cert, syslog-ng should too.

-- Bazsi
-------

What is meant by "validate the directory"? I do not understand that. As I said, I successfully validated both the client and the server certificate against the CA certificate using the openssl command, but syslog-ng is still complaining.

Am I missing something? I will gladly provide more information if needed.

Thank you for your time.

Regards,
Honza Mach
Hi Honza,

On 18.03.2011, at 14:01, Honza Mach wrote:

> Mar 18 12:54:22 machine syslog-ng[5432]: Certificate validation failed; subject='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', issuer='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', error='self signed certificate in certificate chain', depth='3'

this is your problem. It's a bit difficult to judge from afar, but did you properly install the CA certificate the server uses on the client? If so, did you create the hash and a symbolic link from your CA dir to the CA certificate?

In my test installation, the general setup for the CA certificate is as follows:

    destination d_remote {
        tcp( "server" port( 601 )
             tls( key_file("/opt/syslog-ng/etc/ssl/client_key.pem")
                  cert_file("/opt/syslog-ng/etc/ssl/client_crt.pem")
                  ca_dir( "/opt/syslog-ng/etc/ssl" ) )
        );
    };

You may ignore key_file and cert_file if the server is not expecting the client to provide a certificate. The relevant part is ca_dir. Here are the CA certificate and a link to it which is named after the CA certificate's hash with a trailing '.0':

    [root@client etc]# ls -la /opt/syslog-ng/etc/ssl
    total 24
    drwxr-xr-x 2 root root 4096 Mar  9 01:10 .
    drwxr-xr-x 4 root root 4096 Mar  9 01:15 ..
    lrwxrwxrwx 1 root root   10 Mar  9 01:10 39118da4.0 -> ca_crt.pem
    -rw-r--r-- 1 root root 2049 Mar  9 01:05 ca_crt.pem
    -rw-r--r-- 1 root root 4409 Mar  9 01:05 client_crt.pem
    -r-------- 1 root root 1679 Mar  9 01:05 client_key.pem

You get the hash using openssl:

    [root@client etc]# openssl x509 -noout -hash -in /opt/syslog-ng/etc/ssl/ca_crt.pem
    39118da4

I am using this setup with 3.2.2 and 3.1.4 on several dozen machines without any problems. Without the hash link, I get exactly the same error you are seeing:

    Mar 18 20:05:07 client syslog-ng[12819]: Certificate validation failed; subject='Root CA', issuer='Root CA', error='self signed certificate in certificate chain', depth='1'

Best regards,

Peter.
participants (2)
-
Honza Mach
-
Peter Eckel