[syslog-ng] Question about verisign certs
Jimmy McDonald
isleofdogs at gmail.com
Wed Dec 9 22:30:58 CET 2009
The verify works fine.
The client gives the following error now that things have been
configured to get the verify to return OK:
tss4s003 syslog-ng[9739]: Syslog connection accepted; fd='8',
client='AF_INET(10.139.64.126:3766)', local='AF_INET(xx.xx.xx.xx:8514)'
Dec 9 16:24:25 tss4s003 syslog-ng[9739]: Certificate validation
failed; subject='OU=Class 3 Public Primary Certification Authority,
O=VeriSign\, Inc., C=US', issuer='OU=Class 3 Public Primary
Certification Authority, O=VeriSign\, Inc., C=US', error='invalid CA
certificate', depth='2'
Dec 9 16:24:25 tss4s003 syslog-ng[9739]: SSL error while reading
stream; tls_error='SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned'
Dec 9 16:24:25 tss4s003 syslog-ng[9739]: I/O error occurred while
reading; fd='8', error='Connection reset by peer (131)'
Dec 9 16:24:25 tss4s003 syslog-ng[9739]: Syslog connection closed;
fd='8', client='AF_INET(10.139.64.126:3766)', local='AF_INET(xx.xx.xx.xx:8514)'
Sent from my iPhone... So expect typos.
On Dec 6, 2009, at 10:24 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Fri, 2009-12-04 at 11:20 -0500, Jimmy McDonald wrote:
>> I have syslog-ng installed and configured for mutual authentication.
>> When the client was using a self signed cert it worked. The client now
>> has a verisign cert.
>>
>> Imported the CA and an intermediate cert and the public cert so the
>> chain is complete but the error on authentication says: invalid CA
>> certificate, depth=2
>>
>> I have tried putting the pub cert in cert.d with the ca and
>> intermediate in ca.d. I also tried putting the intermediate in cert.d
>>
>> I made a hash for the ca and the intermediate.
>>
>> I'm not really sure what else to try. Any help would be greatly
>> appreciated.
>
> Can you ensure that "openssl verify" validates your cert in case
> syslog-ng doesn't?
>
> --
> Bazsi
>
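Added example, not part of the original thread: the "openssl verify" check suggested above, run against a hashed CA directory laid out like the ca.d described in the question. It uses a constructed three-level chain (the example-root, example-int and example-client names and all paths are assumptions) and shows that a CA file sitting in the directory without its subject-hash link is not found during chain building.

```shell
#!/bin/sh
# Added example. Subject names, file names and paths are all constructed.

# Build root -> intermediate -> client; the two CA certs land in $1/ca.d.
build_chain() {
    d=$1; mkdir -p "$d/ca.d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    for n in root int client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/ca.d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/ca.d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 2 \
        -extfile "$d/ca.ext" -out "$d/ca.d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.d/int.pem" \
        -CAkey "$d/int.key" -set_serial 3 -days 2 \
        -out "$d/client.pem" 2>/dev/null
}

# Create the <subject-hash>.0 links that OpenSSL looks up in a CA directory.
hash_ca_dir() {
    for c in "$1"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$c") || return 1
        ln -sf "$(basename "$c")" "$1/$h.0"   # .0 assumes no hash collision
    done
}

# Returns 0 only if openssl verify reports OK for cert $2 using CA dir $1.
verify_client() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d) && build_chain "$work" && hash_ca_dir "$work/ca.d" || exit 1
verify_client "$work/ca.d" "$work/client.pem" && echo "full ca.d: OK"
# Remove only the intermediate's hash link; int.pem itself stays in ca.d.
rm "$work/ca.d/$(openssl x509 -noout -hash -in "$work/ca.d/int.pem").0"
verify_client "$work/ca.d" "$work/client.pem" ||
    echo "intermediate link missing: verify fails"
rm -rf "$work"
```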