[syslog-ng] Question about verisign certs

Balazs Scheidler bazsi at balabit.hu
Fri Dec 11 08:06:30 CET 2009


On Wed, 2009-12-09 at 16:30 -0500, Jimmy McDonald wrote:
> The verify works fine.
> 
> The client gives the following error now that things have been
> configured to get the verify to return OK
> 
> 
> 
> tss4s003 syslog-ng[9739]: Syslog connection accepted; fd='8',
> client='AF_INET(10.139.64.126:3766)',
> local='AF_INET(xx.xx.xx.xx:8514)'
> 
> Dec  9 16:24:25 tss4s003 syslog-ng[9739]: Certificate validation
> failed; subject='OU=Class 3 Public Primary Certification Authority,
> O=VeriSign\, Inc., C=US', issuer='OU=Class 3 Public Primary
> Certification Authority, O=VeriSign\, Inc., C=US', error='invalid CA
> certificate', depth='2'
> 
> Dec  9 16:24:25 tss4s003 syslog-ng[9739]: SSL error while reading
> stream; tls_error='SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> certificate returned'
> 
> Dec  9 16:24:25 tss4s003 syslog-ng[9739]: I/O error occurred while
> reading; fd='8', error='Connection reset by peer (131)'
> 
> Dec  9 16:24:25 tss4s003 syslog-ng[9739]: Syslog connection closed;
> fd='8', client='AF_INET(10.139.64.126:3766)', local='AF_INET(xx.xx.xx.xx:8514)'
> 
> 
> Sent from my iPhone... So expect typos.

Can you enable debug messages for syslog-ng using the -d command line
option? Invalid CA certificate is set by syslog-ng if it doesn't find a
basicConstraints.CA==TRUE extension in a non-leaf certificate.

  /* Non-leaf certificate (error_depth > 0) without OpenSSL's EXFLAG_CA flag,
     i.e. no basicConstraints extension with CA:TRUE was found in it. */
  if (ok && ctx->error_depth != 0 && (ctx->current_cert->ex_flags & EXFLAG_CA) == 0)
    {
      msg_debug("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);
      ctx->error = X509_V_ERR_INVALID_CA;   /* logged as error='invalid CA certificate' */
      return 0;                             /* reject the chain */
    }

If you enable debug, you could confirm that this is the case. Alternatively you 
might want to check your complete certificate chain, that basicConstraints is 
properly set in each of them (TRUE in the root and subordinate CA certificates, 
and FALSE in the leaf one).

> 
> On Dec 6, 2009, at 10:24 AM, Balazs Scheidler <bazsi at balabit.hu>
> wrote:
> 
> > On Fri, 2009-12-04 at 11:20 -0500, Jimmy McDonald wrote:
> > > I have syslog-ng installed and configured for mutual
> > > authentication.
> > > When the client was using a self signed cert it worked. The client
> > > now
> > > has a verisign cert.
> > > 
> > > Imported the CA and an intermediate cert and the public cert so
> > > the
> > > chain is complete but the error on authentication says: invalid CA
> > > certificate, depth=2
> > > 
> > > I have tried putting the pub cert in cert.d with the ca and
> > > intermediate in ca.d. I also tried putting the intermediate in
> > > cert.d
> > > 
> > > I made a hash for the ca and the intermediate.
> > > 
> > > I'm not really sure what else to try. Any help would be greatly
> > > appreciated.
> > 
> > Can you ensure that "openssl verify" validates your cert in case
> > syslog-ng doesn't?
> > 
> > -- 
> > Bazsi
> > 
> > 
> > ______________________________________________________________________________
> 
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> > 
> 
> 


-- 
Bazsi
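As an added example (not part of this thread and not syslog-ng's own code), the following POSIX shell script applies the same basicConstraints rule to a chain stored as PEM files, using the openssl command line: the certificate at depth 0 must not be a CA, and every issuer above it must carry CA:TRUE. The function names are mine, and the script assumes the text layout of `openssl x509 -noout -text` output (the "Basic Constraints" heading followed by "CA:TRUE" or "CA:FALSE").

```shell
#!/bin/sh
# Added example, not syslog-ng code: reproduce the basicConstraints check that
# syslog-ng's verify callback applies, using the openssl CLI against PEM files.
set -u

# Classify one PEM certificate by its basicConstraints extension:
#   CA         -> basicConstraints present with CA:TRUE
#   LEAF       -> basicConstraints present with CA:FALSE
#   NOEXT      -> no basicConstraints extension at all (e.g. an X.509 v1 root)
#   UNREADABLE -> openssl could not parse the file
cert_ca_flag() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo UNREADABLE; return 0; }
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo CA
  elif printf '%s\n' "$text" | grep -q 'Basic Constraints'; then
    echo LEAF
  else
    echo NOEXT
  fi
}

# Arguments: the leaf certificate first, then each issuer up to the root,
# i.e. depth 0, 1, 2, ... as numbered in the syslog-ng log line.
# Prints one line per depth; returns 0 if the chain passes, 1 if any
# non-leaf certificate lacks CA:TRUE (the "invalid CA certificate" case)
# or the leaf itself is marked as a CA.
check_chain_basic_constraints() {
  depth=0
  rc=0
  for cert in "$@"; do
    flag=$(cert_ca_flag "$cert")
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null || echo "subject=?")
    if [ "$depth" -eq 0 ]; then
      if [ "$flag" = CA ]; then
        echo "depth=$depth: leaf certificate is marked CA:TRUE"; rc=1
      fi
    elif [ "$flag" != CA ]; then
      echo "depth=$depth: invalid CA certificate ($flag), basicConstraints.CA is not TRUE"; rc=1
    fi
    echo "depth=$depth flag=$flag $subject"
    depth=$((depth + 1))
  done
  return $rc
}

# Usage: sh check_chain.sh leaf.pem intermediate.pem root.pem
if [ "$#" -gt 0 ]; then
  check_chain_basic_constraints "$@"
fi
```

The NOEXT result is the one to watch: the snippet above tests EXFLAG_CA, which OpenSSL sets only when it finds a basicConstraints extension with CA:TRUE, so an issuer certificate that has no basicConstraints at all (X.509 v1 certificates carry no extensions) is rejected exactly like one with CA:FALSE. Running the script over the chain in leaf, intermediate, root order shows which depth trips the rule before going back to syslog-ng with -d.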
