[syslog-ng] TLS - Mutual authentication issue

Balazs Scheidler bazsi at balabit.hu
Sun Jun 7 11:05:26 CEST 2009


On Thu, 2009-06-04 at 16:35 +0200, Hahusseau, Thomas wrote:
> Hi,
> 
> I’m using syslog-ng OSE with encrypted message transport thanks to TLS
> for a few weeks. Now I try to activate the mutual authentication option.
> I have several issues with the TLS mutual authentication log errors:
> 
> Jun  4 16:01:31 desktop syslog-ng[26644]: SSL error while reading
> stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> ca'
> Jun  4 16:01:31 desktop syslog-ng[26644]: I/O error occurred while
> reading; fd='14', error='Connection reset by peer (104)'
> Jun  4 16:01:31 desktop syslog-ng[26644]: Syslog connection closed;
> fd='14', client='AF_INET(10.254.1.172:43751)',
> local='AF_INET(0.0.0.0:9999)
> 

Well, the error message 'tlsv1 alert unknown ca' means that the peer was
not able to validate the CA that was used to sign this side's
certificate. I don't know if the host "desktop" is your client or
server.

Try running:

openssl verify -CApath /etc/pfc/credentials/CA <path-to-other-cert>

> These are samples of the config file:
> 
> Server:
> 
> source s_net_tls {
>     tcp(port(9999)
>         tls(key_file("/etc/pfc/credentials/Server/server.key")
>             cert_file("/etc/pfc/credentials/Server/server.pem")
>             ca_dir("/etc/pfc/credentials/CA/")
>             # peer_verify(optional-untrusted)
>             peer_verify(required-trusted)
>         )
>     );
> };
> 
> 
> Client:
> 
> destination d_remote_server_tls {
>     tcp("10.254.1.141" port(9999)
>         tls(ca_dir("/etc/pfc/credentials/CA")
>             key_file("/etc/pfc/credentials/Client/client.key")
>             cert_file("/etc/pfc/credentials/Client/client.pem")
>             peer_verify(required-trusted)
>             # peer_verify(optional-untrusted)
>         )
>     );
> };
> 
> 
> Here is how I generated my CA certificate, server and client
> certificates:
> 
> openssl genrsa 1024 > CA/ca.key
> openssl req -new -x509 -days 365 -key CA/ca.key -out CA/ca.cert
> cat CA/ca.cert CA/ca.key > CA/ca.pem

you distribute the private key for your CA? that's not too wise and it
shouldn't be needed at all for certificate validation.

Also, is your CA key really a CA? I mean the basicConstraints extension
should contain "CA:TRUE"

> 
> openssl genrsa 1024 > Client/client.key
> openssl req -new -key Client/client.key -out Client/client.csr
> openssl x509 -req -days 365 -in Client/client.csr -CA CA/ca.cert
> -CAkey CA/ca.key -set_serial 01 -out Client/client.cert
> cat Client/client.cert Client/client.key > Client/client.pem
> 
> openssl genrsa 1024 > Server/server.key
> openssl req -new -key Server/server.key -out Server/server.csr
> openssl x509 -req -days 365 -in Server/server.csr -CA CA/ca.cert
> -CAkey CA/ca.key -set_serial 01 -out Server/server.cert
> cat Server/server.cert Server/server.key > Server/server.pem

also syslog-ng looks for the key file and cert file in separate files,
you don't need to copy them into the same file.

e.g. cert_file should point to server.cert and key_file to server.key,
you don't need a pem file.

> 
> 
> Of course I made the link with
> 
> openssl x509 -noout -hash -in ca.pem
> 
> ln -s ca.pem XXXX
> 
> 
> If anyone can help me, or give a step-by-step procedure that works. I
> also tried the procedure described in the “syslog-ng admin guide”; it
> doesn’t work either.

-- 
Bazsi
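The points in the reply above (a CA certificate that really carries CA:TRUE, the CA private key kept off every peer, separate key and cert files for syslog-ng's key_file/cert_file, a hashed ca_dir, and `openssl verify` run against that directory before involving syslog-ng) put together as one script. This is an added example, not code from the thread or from the syslog-ng project. It assumes everything lives under a temporary directory `$WORK` rather than the poster's /etc/pfc/credentials layout, uses the peer names `server` and `client` and 2048-bit keys, and lets OpenSSL assign serial numbers with `-CAcreateserial` instead of giving every certificate `-set_serial 01`. It goes a step beyond the thread by adding a negative check: a certificate issued by an unrelated CA must fail verification against the ca_dir, which is the situation the "tlsv1 alert unknown ca" log lines describe.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal PKI for syslog-ng mutual TLS.
# All paths live under $WORK, a temp dir chosen for this demo; names, key
# sizes and the use of -CAcreateserial are assumptions of the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the CA. The extension block makes CA:TRUE explicit instead of relying
# on 'openssl req -x509' defaults. ca.key stays in this directory and is never
# concatenated into anything that gets copied to a client or server.
make_ca() {
    ca="$1"
    mkdir -p "$ca"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$ca/ca.cnf"
    openssl genrsa -out "$ca/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$ca/ca.key" -out "$ca/ca.cert" \
        -subj '/CN=Demo syslog-ng CA' -config "$ca/ca.cnf" 2>/dev/null
}

# Issue a leaf certificate for one peer. Each peer gets its own .key and
# .cert file (syslog-ng reads them separately), and serials come from the
# CA's counter so two certs never share serial 01.
issue_cert() {
    ca="$1"; dir="$2"; cn="$3"; eku="$4"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/CN=$cn" -config "$ca/ca.cnf" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' "extendedKeyUsage = $eku" \
        > "$dir/$cn.ext"
    openssl x509 -req -days 365 -in "$dir/$cn.csr" \
        -CA "$ca/ca.cert" -CAkey "$ca/ca.key" -CAcreateserial \
        -extfile "$dir/$cn.ext" -out "$dir/$cn.cert" 2>/dev/null
}

# Populate a ca_dir: OpenSSL (and therefore syslog-ng) looks the CA up by
# <subject-hash>.0, which is what the poster's 'ln -s ca.pem XXXX' step does.
populate_ca_dir() {
    cacert="$1"; cadir="$2"
    mkdir -p "$cadir"
    cp "$cacert" "$cadir/$(openssl x509 -noout -hash -in "$cacert").0"
}

# The two checks from the reply, as functions so they can be scripted.
ca_is_ca() {  # does the CA certificate really say CA:TRUE?
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}
verify_against_ca_dir() {  # would a peer trusting this ca_dir accept this cert?
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Build the CA, both peers and the ca_dir, then run every check.
# Returns 0 only if the CA is a CA and both leaf certs verify.
build_and_check() {
    make_ca "$WORK/CA"
    issue_cert "$WORK/CA" "$WORK/Server" server serverAuth
    issue_cert "$WORK/CA" "$WORK/Client" client clientAuth
    populate_ca_dir "$WORK/CA/ca.cert" "$WORK/ca_dir"
    ca_is_ca "$WORK/CA/ca.cert" &&
    verify_against_ca_dir "$WORK/Server/server.cert" "$WORK/ca_dir" &&
    verify_against_ca_dir "$WORK/Client/client.cert" "$WORK/ca_dir"
}

# Negative check: a cert from an unrelated CA must be rejected by the same
# ca_dir; on the wire this is the 'tlsv1 alert unknown ca' case.
foreign_cert_rejected() {
    make_ca "$WORK/OtherCA"
    issue_cert "$WORK/OtherCA" "$WORK/Other" stranger clientAuth
    ! verify_against_ca_dir "$WORK/Other/stranger.cert" "$WORK/ca_dir"
}

if [ "${1:-}" = "run" ]; then
    build_and_check && foreign_cert_rejected && echo "all checks passed in $WORK"
fi
```

Run it as `sh pki-demo.sh run`; afterwards `$WORK/Server/server.key` and `$WORK/Server/server.cert` are what key_file and cert_file should point to, `$WORK/ca_dir` is the ca_dir, and nothing under `$WORK/CA` needs to leave the machine that signs certificates. If `ca_is_ca` fails on an existing CA certificate, that certificate was generated without the basicConstraints extension and has to be reissued; if `verify_against_ca_dir` fails for a leaf, the peer presenting it will be rejected exactly as in the log lines above.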

