[syslog-ng] Authentication problem

Fabien Bagard fabien.bagard at parrot.com
Thu Jan 6 16:03:24 CET 2011


On 01/06/2011 03:05 PM, SZALAY Attila wrote:
> Hi!
>
> On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
>
>> The CA which was used to sign these certificates is world readable and
>> located in /etc/syslog-ng/certs/CA/
>>
>> This setup works: the server is getting the client's logs, and they are
>> ciphered on the wire.
>>
>> When I replace peer_verify(optional-untrusted) by
>> peer_verify(required-trusted), in order to get mutual authentication,
>> I get this error:
>>
> syslog-ng does not read all files from the CA dir. It searches for CA
> certificates by the hash value of the subject. So you should rename
> the CA files (or create a symlink to them) to the mentioned hash value.
> (And the extension should be .0)
>
> The hash value can be calculated with the
> openssl x509 -in <filename> -noout -hash
> command.
>
> Or you can create the symbolic link(s) with the c_rehash command if it is
> available (this command is part of openssl).
>

Thanks for your quick reply,

I tried this already, and just tried again. To be sure, I linked in
/etc/syslog-ng/certs/CA/ and in /etc/ssl/certs/:

openssl x509 -in /etc/syslog-ng/certs/CA/ca.crt -noout -hash
8fa7a206
ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/syslog-ng/certs/CA/8fa7a206.0
ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/ssl/certs/8fa7a206.0
/etc/init.d/syslog-ng restart
Stopping system logging: syslog-ng.
Starting system logging: syslog-ng.

On both client and server. Now I get:

Jan  6 15:11:51 client syslog-ng[11528]: Syslog connection established;
fd='9', server='AF_INET(192.168.0.42:4242)', local='AF_INET(0.0.0.0:0)'

Jan  6 15:11:51 client syslog-ng[11528]: Certificate validation failed;
subject='emailAddress=email at address.com, CN=Company Root CA, OU=Org
Unit, O=Company Root CA, L=City, ST=Country, C=ID',
issuer='emailAddress=email at address.com, CN=Company Root CA, OU=Org Unit,
O=Company Root CA, L=City, ST=Country, C=ID', error='self signed
certificate in certificate chain', depth='1'

Jan  6 15:11:51 client syslog-ng[11528]: SSL error while writing stream;
tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed'

Jan  6 15:11:51 client syslog-ng[11528]: I/O error occurred while
writing; fd='9', error='Broken pipe (32)'

Jan  6 15:11:51 client syslog-ng[11528]: Syslog connection broken;
fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'


My question: How can I use a self-signed CA?

-- 
Fabien Bagard
IT Department
tel + 33 (0)1 48 03 60 40
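The hash-directory lookup described in the quoted reply, as an added example that is not part of this thread: a POSIX shell script that rebuilds the <subject-hash>.N links c_rehash would create and then checks a certificate against the directory with openssl verify -CApath, which is the same lookup syslog-ng's OpenSSL performs during the handshake, so it can be run before restarting syslog-ng. It assumes the openssl command is on PATH; the CA name, paths and the demo() walk-through are constructed. OpenSSL 1.0.0 changed the subject-hash algorithm, so the script writes both the new and the old form where the installed openssl supports -subject_hash_old.

```shell
#!/bin/sh
# Added example, not code from the thread. Recreates the <subject-hash>.N
# links that OpenSSL's CApath lookup (and therefore syslog-ng) expects,
# then checks a certificate against the directory with the same lookup.
# Assumes the openssl command is on PATH; all names and paths are constructed.
set -eu

# Link every PEM certificate in DIR under its subject hash. OpenSSL 1.0.0
# changed the hash algorithm, so both forms are written where the tool
# supports -subject_hash_old; an older openssl simply skips that form.
rehash_ca_dir() {
    dir=$1
    for pem in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem")
        for opt in -subject_hash -subject_hash_old; do
            h=$(openssl x509 -in "$pem" -noout "$opt" 2>/dev/null) || continue
            n=0   # bump the suffix on a hash collision, like c_rehash does
            while [ -e "$dir/$h.$n" ] &&
                  [ "$(readlink "$dir/$h.$n" 2>/dev/null)" != "$name" ]; do
                n=$((n + 1))
            done
            ln -sf "$name" "$dir/$h.$n"
        done
    done
}

# Verify CERT against DIR exactly as a TLS peer would at handshake time.
# Succeeds only when the chain ends in a CA that is found by hash in DIR.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Walk-through on a constructed self-signed CA: the bare ca.crt is not found
# by hash lookup and fails as "self signed certificate"; rehashed, it verifies.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/CA"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$tmp/ca.key" -out "$tmp/CA/ca.crt" >/dev/null 2>&1
    if verify_against_dir "$tmp/CA" "$tmp/CA/ca.crt"; then
        rm -rf "$tmp"; return 1        # must not verify before rehash
    fi
    rehash_ca_dir "$tmp/CA"
    ls -l "$tmp/CA"                    # ca.crt plus <hash>.0 symlinks
    if verify_against_dir "$tmp/CA" "$tmp/CA/ca.crt"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` to see the before/after, or point `rehash_ca_dir` and `verify_against_dir` at the real CA directory and the peer's certificate file.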
