[syslog-ng] problem configuring syslog-ng with TLS

Balazs Scheidler bazsi at balabit.hu
Tue Jul 21 11:07:56 CEST 2009


On Thu, 2009-07-16 at 17:18 +0430, Mohsen Alimomeni wrote:
> Hi everyone,
> I want to configure syslog-ng with TLS, but there are problems in
> client connecting to server. This is the error in client side:
> {
> Jul 16 17:04:10 momeni syslog-ng[31084]: syslog-ng starting up;
> version='3.0.3'
> Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection
> established; fd='7', server='AF_INET(192.168.13.39:1999)',
> local='AF_INET(0.0.0.0:0)'
> Jul 16 17:04:10 momeni syslog-ng[31084]: Certificate validation
> failed; subject='emailAddress=momeni at amnafzar.com, CN=momeni, ..to the
> end! ', error='invalid CA certificate', depth='1'
> Jul 16 17:04:10 momeni syslog-ng[31084]: SSL error while writing
> stream; tls_error='SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
> Jul 16 17:04:10 momeni syslog-ng[31084]: I/O error occurred while
> writing; fd='7', error='Broken pipe (32)'
> Jul 16 17:04:10 momeni syslog-ng[31084]: Syslog connection broken;
> fd='7', server='AF_INET(192.168.13.39:1999)', time_reopen='60'
> }
> 
> To make sure my certificates are valid I run two commands:
> On server: openssl s_server -CApath CA/ -CAfile CA/cacert.pem -cert
> Client/clientcert.pem -key Client/clientkeye
> em -accept 8080

Does your CA certificate contain basicConstraints:CA==TRUE as an
extension? If it doesn't, syslog-ng will not accept it.

If you enable the "--debug" command line option, you can get this debug
message, for instance:

      msg_debug("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);


syslog-ng also validates the DN of the certificate subject, e.g. the CN
must contain the same name as you specify as a destination in the client
config.

-- 
Bazsi
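The two checks Bazsi describes above (a non-leaf certificate must carry basicConstraints CA:TRUE, and the subject CN must match the destination name) can be reproduced with plain OpenSSL before pointing syslog-ng at the files. The script below is an added example, not code from the thread or from syslog-ng: it builds one CA with CA:TRUE and one without, signs a server certificate with each, and then runs the same checks with the openssl CLI. The hostname logserver.example.com, the config section names and the file names are assumptions made for the demo; the "bad" CA reproduces the "invalid CA certificate" condition from the client log.

```shell
#!/bin/sh
# Added example (not part of the syslog-ng thread): generate a CA with and
# without basicConstraints CA:TRUE, sign a server cert with each, and run the
# checks syslog-ng applies to the peer's chain. Names below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hostname the client would use in its destination, e.g.
#   destination d_tls { tcp("logserver.example.com" port(1999)
#       tls(ca_dir("/etc/syslog-ng/ca.d") peer_verify(required-trusted))); };
# The server cert's CN has to be exactly this name.
LOGSERVER="logserver.example.com"

# Minimal OpenSSL config: "good_ca" carries basicConstraints CA:TRUE,
# "bad_ca" omits basicConstraints entirely (the suspected misconfiguration).
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo-ca
[ good_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ bad_ca ]
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_ca SECTION: self-signed CA cert using the given extension section
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/openssl.cnf" -extensions "$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server CA_SECTION CN: server cert with subject CN=$2 signed by that CA
make_server() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/server-$1.key" \
    -out "$WORK/server-$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server-$1.csr" -days 30 -set_serial 1 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -extfile "$WORK/openssl.cnf" -extensions server \
    -out "$WORK/server-$1.pem" 2>/dev/null
}

# Check 1: does CERT carry basicConstraints CA:TRUE? syslog-ng rejects a
# non-leaf certificate in the chain that does not.
ca_flag_set() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: does the server cert verify against CAFILE? With the bad CA this
# fails with the same reason the client logged: "invalid CA certificate".
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: does the subject contain CN=<destination name>? RFC2253 output
# separates RDNs with commas, so we look for ",CN=name," in the padded subject.
cn_matches() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
         sed 's/^subject= *//')
  case ",$subj," in
    *",CN=$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

make_ca good_ca
make_ca bad_ca
make_server good_ca "$LOGSERVER"
make_server bad_ca  "$LOGSERVER"

# Stand-alone run: report the three checks for both chains.
for ca in good_ca bad_ca; do
  ca_flag_set "$WORK/$ca.pem" && f=yes || f=no
  chain_ok "$WORK/$ca.pem" "$WORK/server-$ca.pem" && v=yes || v=no
  cn_matches "$WORK/server-$ca.pem" "$LOGSERVER" && c=yes || c=no
  echo "$ca: CA:TRUE=$f chain_verifies=$v cn_matches=$c"
done
```

If a chain fails check 1, regenerate the CA with a basicConstraints CA:TRUE extension; the existing server certificates have to be re-signed by the new CA. When using syslog-ng's ca_dir(), remember that the directory must contain the CA certificate under its hash name (openssl x509 -hash -noout -in cacert.pem), otherwise the CA is simply not found at all.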