[syslog-ng] Authentication problem

Balazs Scheidler bazsi at balabit.hu
Thu Jan 13 16:52:20 CET 2011


On Thu, 2011-01-06 at 16:03 +0100, Fabien Bagard wrote:
> On 01/06/2011 03:05 PM, SZALAY Attila wrote:
> > Hi!
> >
> > On Thu, 2011-01-06 at 14:51 +0100, Fabien Bagard wrote:
> >    
> >> The CA which was used to sign these certificates is world readable and
> >> located in /etc/syslog-ng/certs/CA/
> >>
> >> This setup works: the server is getting the client's logs, ciphered on
> >> the wire.
> >>
> >> When I replace peer_verify(optional-untrusted) by
> >> peer_verify(required-trusted), in order to get mutual authentication,
> >> I get this error:
> >>      
> > syslog-ng does not read all files from the CA dir. It searches for CA
> > certificates by the hash value of the subject. So you should rename
> > the CA files (or create a symlink to them) to the mentioned hash value.
> > (And the extension should be .0.)
> >
> > The hash value can be calculated with the
> > openssl x509 -in <filename> -noout -hash
> > command.
> >
> > Or you can create the symbolic link(s) with the c_rehash command if it
> > is available (this command is part of openssl).
> >
> >    
> 
> Thanks for your quick reply,
> 
> I tried this already, and just tried again. To be sure, I linked it in
> /etc/syslog-ng/certs/CA/ and in /etc/ssl/certs/:
> 
> openssl x509 -in /etc/syslog-ng/certs/CA/ca.crt -noout -hash
> 8fa7a206
> ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/syslog-ng/certs/CA/8fa7a206.0
> ln -s /etc/syslog-ng/certs/CA/ca.crt /etc/ssl/certs/8fa7a206.0
> /etc/init.d/syslog-ng restart
> Stopping system logging: syslog-ng.
> Starting system logging: syslog-ng.
> 
> On both client and server. Now I get:
> 
> Jan  6 15:11:51 client syslog-ng[11528]: Syslog connection established;
> fd='9', server='AF_INET(192.168.0.42:4242)', local='AF_INET(0.0.0.0:0)'
> 
> Jan  6 15:11:51 client syslog-ng[11528]: Certificate validation failed;
> subject='emailAddress=email at address.com, CN=Company Root CA, OU=Org
> Unit, O=Company Root CA, L=City, ST=Country, C=ID',
> issuer='emailAddress=email at address.com, CN=Company Root CA, OU=Org Unit,
> O=Company Root CA, L=City, ST=Country, C=ID', error='self signed
> certificate in certificate chain', depth='1'
> 
> Jan  6 15:11:51 client syslog-ng[11528]: SSL error while writing stream;
> tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed'
> 
> Jan  6 15:11:51 client syslog-ng[11528]: I/O error occurred while
> writing; fd='9', error='Broken pipe (32)'
> 
> Jan  6 15:11:51 client syslog-ng[11528]: Syslog connection broken;
> fd='9', server='AF_INET(192.168.0.42:4242)', time_reopen='60'
> 
> 
> My question: how can I use a self-signed CA?
> 

It's the whole point of certificate validation to use self-signed CA
certificates (after all, a centrally trusted CA is self-signed too).

Try validating that your directory is correct using "openssl verify";
once that validates the cert, syslog-ng should too.

-- 
Bazsi
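The hash-named CA directory that Attila describes and the "openssl verify" check Bazsi suggests, as an added example that is not part of the thread: a small c_rehash in POSIX sh plus the verify step, run against a constructed throw-away CA (directory names, the test CA and the server certificate are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): a small c_rehash that creates the
# <subject_hash>.N links syslog-ng's ca_dir() lookup needs, plus the
# "openssl verify -CApath" check. Paths and the test PKI are assumptions.
set -eu

# link_hash DIR CERTNAME HASH: create DIR/HASH.N -> CERTNAME with the first
# free N, unless a link with that hash already points at this certificate.
link_hash() {
    n=0
    while [ -e "$1/$3.$n" ]; do
        [ "$(readlink "$1/$3.$n" 2>/dev/null || true)" = "$2" ] && return 0
        n=$((n + 1))
    done
    ln -s "$2" "$1/$3.$n"
}

# rehash_dir DIR: link every certificate in DIR under its subject hash. OpenSSL
# 1.0.0 changed that hash, so the old form is linked too (a syslog-ng built
# against OpenSSL 0.9.8 looks the CA up by the old one).
rehash_dir() {
    for cert in "$1"/*.crt "$1"/*.pem; do
        [ -f "$cert" ] || continue
        for h in $(openssl x509 -in "$cert" -noout -subject_hash) \
                 $(openssl x509 -in "$cert" -noout -subject_hash_old 2>/dev/null || true); do
            link_hash "$1" "$(basename "$cert")" "$h"
        done
    done
}

# verify_cert CADIR CERT: succeeds only when CERT chains to a CA in CADIR; this
# is the same by-hash lookup syslog-ng does for peer_verify(required-trusted).
verify_cert() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_test_pki CADIR SRVDIR: constructed self-signed root CA and one server
# certificate it signed (test data only, not the poster's certificates).
make_test_pki() {
    mkdir -p "$1" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=logserver.example" \
        -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$2/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$2/server.crt" 2>/dev/null
}
if [ "${1:-}" = demo ]; then  # sh rehash_ca.sh demo: build, rehash, verify
    d=$(mktemp -d); make_test_pki "$d/ca" "$d/srv"; rehash_dir "$d/ca"; ls -l "$d/ca"
    verify_cert "$d/ca" "$d/srv/server.crt" && echo "server.crt chains to $d/ca"
fi
```

Before rehashing, the same verify_cert call fails with the CA file sitting unlinked in the directory, which is exactly the state syslog-ng reports as a failed validation.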
