[syslog-ng] TLS - Mutual authentication issue
Hahusseau, Thomas
thomas.hahusseau at eads.com
Thu Jun 4 16:35:31 CEST 2009
Hi,
I have been using syslog-ng OSE with TLS-encrypted message transport for a
few weeks. Now I am trying to activate the mutual authentication option, and I
get several TLS mutual authentication errors in the logs:
Jun 4 16:01:31 desktop syslog-ng[26644]: SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
Jun 4 16:01:31 desktop syslog-ng[26644]: I/O error occurred while reading; fd='14', error='Connection reset by peer (104)'
Jun 4 16:01:31 desktop syslog-ng[26644]: Syslog connection closed; fd='14', client='AF_INET(10.254.1.172:43751)', local='AF_INET(0.0.0.0:9999)'
These are samples of the config files:
Server:
source s_net_tls {
    tcp(port(9999)
        tls(key_file("/etc/pfc/credentials/Server/server.key")
            cert_file("/etc/pfc/credentials/Server/server.pem")
            ca_dir("/etc/pfc/credentials/CA/")
            # peer_verify(optional-untrusted)
            peer_verify(required-trusted)
        )
    );
};
Client:
destination d_remote_server_tls {
    tcp("10.254.1.141" port(9999)
        tls(ca_dir("/etc/pfc/credentials/CA")
            key_file("/etc/pfc/credentials/Client/client.key")
            cert_file("/etc/pfc/credentials/Client/client.pem")
            peer_verify(required-trusted)
            # peer_verify(optional-untrusted)
        )
    );
};
Here is how I generated my CA certificate and the server and client certificates:
# CA key and self-signed CA certificate
openssl genrsa 1024 > CA/ca.key
openssl req -new -x509 -days 365 -key CA/ca.key -out CA/ca.cert
cat CA/ca.cert CA/ca.key > CA/ca.pem

# Client key, CSR and CA-signed certificate (serial 01)
openssl genrsa 1024 > Client/client.key
openssl req -new -key Client/client.key -out Client/client.csr
openssl x509 -req -days 365 -in Client/client.csr -CA CA/ca.cert -CAkey CA/ca.key \
    -set_serial 01 -out Client/client.cert
cat Client/client.cert Client/client.key > Client/client.pem

# Server key, CSR and CA-signed certificate; each certificate issued by the
# same CA needs its own serial number, so the server gets 02 rather than 01
openssl genrsa 1024 > Server/server.key
openssl req -new -key Server/server.key -out Server/server.csr
openssl x509 -req -days 365 -in Server/server.csr -CA CA/ca.cert -CAkey CA/ca.key \
    -set_serial 02 -out Server/server.cert
cat Server/server.cert Server/server.key > Server/server.pem
Of course I created the link with
openssl x509 -noout -hash -in ca.pem
ln -s ca.pem XXXX.0    # XXXX = the hash printed above; the link name must end in ".0"
# note: ca_dir only needs the CA certificate (ca.cert); ca.pem also contains the CA private key
If anyone can help me, or give a step-by-step procedure that works, I would
appreciate it. I also tried the procedure described in the "syslog-ng admin
guide"; it doesn't work either.
Regards
Thomas
-------------------
Thomas Hahusseau
Apprentice engineer
EADS - DS / ENST Bretagne