[syslog-ng] problem configuring syslog-ng with TLS

Charles Jennings jennings.charles.e.security at gmail.com
Thu Jul 16 17:43:01 CEST 2009


Not to knock syslog-ng tls - I also had problems - so I turned to this
solution:  syslog-ng over stunnel:
 
http://www.sun.com/bigadmin/features/articles/syslog_ng.jsp
 
Regards.

  _____  

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of fredzy padzy
Sent: Thursday, July 16, 2009 10:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] problem configuring syslog-ng with TLS


Hi Mohsen

I'm having the same kind of problem with the simple authentication (i.e. not
the mutual one).

The error is the same one (and sometimes turns into a tlsv1 alert unknown ca),
and I think the syslog-ng client isn't able to read the cacert.pem file from
the CA that signed the certificate sent by the syslog-ng server ... quite
strange, moreover the rights and conf look good.

Anyway, I'm surprised by your client conf:
Server config:
destination d_tlsserver {
   tcp("192.168.13.39" port(1999)
     tls(ca_dir("/opt/syslog-ng/certs")
     peer_verify(required-trusted)
   ));
};
Did you try without this line?

Also check your client logs, I've got some "unable to get local issuer
certificate" in my /var/adm/messages.

bye


2009/7/16 Mohsen Alimomeni <m.alimomeni at gmail.com>


Hi everyone,
I want to configure syslog-ng with TLS, but there are problems with the client
connecting to the server. This is the error on the client side:
{

Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up;
version='3.0.3'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection established;
fd='7', server='AF_INET(192.168.13.39:1999)', local='AF_INET(0.0.0.0:0)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Certificate validation failed;
subject='emailAddress=momeni at amnafzar.com, CN=momeni, ..to the end! ',
error='invalid CA certificate', depth='1'
Jul 16 17:04:10 momeni syslog-ng[31084]: SSL error while writing stream;
tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed'
Jul 16 17:04:10 momeni syslog-ng[31084]: I/O error occurred while writing;
fd='7', error='Broken pipe (32)'
Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection broken; fd='7',
server='AF_INET(192.168.13.39:1999)', time_reopen='60'
}

To make sure my certificates are valid I ran two commands:
On server: openssl s_server -CApath CA/ -CAfile CA/cacert.pem -cert
Client/clientcert.pem -key Client/clientkeye
em -accept 8080

On client: openssl s_client -connect 192.168.13.39:8080
The result on the client is the server certificate and the last line is:
{
Verify return code: 19 (self signed certificate in certificate chain)
}

The client and server are both syslog-ng_3.0.2 (and 3.0.3) on Ubuntu. These
are the steps I took to configure the client and server:
I used the script CA.sh to generate X.509 certificates. I created a cacert
using the command:
       CA.sh -newca
created the CA files: cacert.pem, ..
created a request:
       CA.sh -newreq
renamed the files created to syslog_cert.pem and syslog_ket.pem
signed it with the ca:
       CA.sh -sign
Then I copied the cacert.pem file to the client and created its hash as
explained in the syslog-ng documentation.

configuration files:

Client config:
destination d_tlsserver {
   tcp("192.168.13.39" port(1999)
     tls(ca_dir("/opt/syslog-ng/certs")
     peer_verify(required-trusted)
   ));
};


Server config:
source rezvani_tls {
   tcp(ip(0.0.0.0) port(1999) max-connections(300)
     tls(key_file("/opt/certs/newcerts/syslogs_key.pem")
     cert_file("/opt/certs/newcerts/syslogs_cert.pem")
     peer_verify(optional-untrusted)
  ));
};



-- 
__ \ /_\\_-//_ Mohsen Alimomeni
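As an added example that is not from this thread, the script below reproduces the two things a client with peer_verify(required-trusted) depends on: the CA certificate must be reachable in ca_dir() under its subject-hash name, and the server certificate must verify against that CA. It generates a throwaway CA and server certificate so it runs offline; all directory names, file names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA and server cert,
# install the CA the way syslog-ng's ca_dir() expects (<subject-hash>.0 link),
# and verify the server cert against it as a client configured with
# peer_verify(required-trusted) would. All names below are constructed.
set -e

# Create a self-signed CA and a server certificate signed by it in $1.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir/ca_dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Syslog CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=syslog-server" \
    -keyout "$dir/syslogs_key.pem" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -days 1 \
    -out "$dir/syslogs_cert.pem" >/dev/null 2>&1
}

# Link the CA cert into ca_dir under its subject hash; syslog-ng (like
# OpenSSL's -CApath lookup) only finds trusted CAs through <hash>.0 names.
# Prints the hash so the caller can check that the link exists.
install_ca_hash() {
  dir="$1"
  h=$(openssl x509 -noout -hash -in "$dir/cacert.pem")
  ln -sf ../cacert.pem "$dir/ca_dir/$h.0"
  echo "$h"
}

# Verify the server certificate against a CA directory, as the client does.
# With a private CA, "openssl s_client" run without -CApath/-CAfile reports
# "Verify return code: 19 (self signed certificate in certificate chain)"
# even when the setup is correct, so always point it at the CA directory.
# Prints "ok" or "fail".
verify_server_cert() {
  dir="$1"; capath="$2"
  if openssl verify -CApath "$capath" "$dir/syslogs_cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Usage (constructed paths):
#   d=$(mktemp -d); make_test_pki "$d"; install_ca_hash "$d"
#   verify_server_cert "$d" "$d/ca_dir"   # ok
#   mkdir "$d/empty"; verify_server_cert "$d" "$d/empty"   # fail: no trusted CA
```

The "fail" case is what the client reports in the thread as "invalid CA certificate" at depth 1: the server's chain reaches a CA that the client cannot find in its ca_dir.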



______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html






