[syslog-ng] SSL certificate verification

Peter Eckel lists at eckel-edv.de
Tue Mar 8 21:25:07 CET 2011


Hi all, 

I am currently setting up a remote logging facility for a customer who requires encryption and mutual authentication. After having run Syslog NG over Stunnel for several years, I am looking into the option to do the same without stunnel, by using Syslog NG with the TLS option. My current version is 3.2.2, installed from the binary provided on the Syslog NG web site, on CentOS 5.5. 

My setup on the server side (stripped to the minimum): 

source s_remote {
  tcp( ip( 192.168.42.184 ) port( 601 )
       tls( key_file("/opt/syslog-ng/etc/ssl/server_key.pem")
            cert_file("/opt/syslog-ng/etc/ssl/server_crt.pem")
            ca_dir( "/opt/syslog-ng/etc/ssl" )
            peer_verify( required-trusted )
          )
     );
};

destination d_remote {
  file( "/var/log/remote"
        owner(root)
        group(root)
        perm(0600)
      );
};

log {
  source(s_remote);
  destination(d_remote);
};
On the client side: 

source s_local {
  internal();
  unix-stream( "/dev/log" );
  file( "/proc/kmsg" );
};

destination d_remote {
  tcp( "192.168.42.184" port( 601 )
       tls( key_file("/opt/syslog-ng/etc/ssl/client1_key.pem")
            cert_file("/opt/syslog-ng/etc/ssl/client1_crt.pem")
            ca_dir( "/opt/syslog-ng/etc/ssl" ) 
          )
     );
};

log {
  source(s_local);
  destination(d_remote);
};

With the appropriate and valid client cert, it works perfectly: 

[root at server1 ssl]# openssl x509 -noout -text < client1_crt.pem 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=xxx, OU=Client 1/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
        Validity
            Not Before: Mar  8 15:53:24 2011 GMT
            Not After : Mar  7 15:53:24 2014 GMT
        Subject: C=xx, ST=xx, O=xx, OU=xx, CN=client1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        ...

However, I copied over the cert of another client machine to client1, reconfigured Syslog NG to use it, and it works as well, though IMHO it shouldn't: 

[root at server1 ssl]# openssl x509 -noout -text < client2_crt.pem 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=xxx, OU=Client 2/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
        Validity
            Not Before: Mar  8 15:54:35 2011 GMT
            Not After : Mar  7 15:54:35 2014 GMT
        Subject: C=xx, ST=xxx, O=xxx, OU=Client 2, CN=client2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
        ...
Swapping certificates (client2's instead of server's in this case) on the server breaks trust (as expected): 

Mar  8 18:19:45 client1 syslog-ng[2991]: Syslog connection established; fd='10', server='AF_INET(192.168.42.184:601)', local='AF_INET(0.0.0.0:0)'
Mar  8 18:20:13 client1 syslog-ng[2991]: Certificate subject does not match configured hostname; hostname='server', certificate='client2'
Mar  8 18:20:13 client1 syslog-ng[2991]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Mar  8 18:20:13 client1 syslog-ng[2991]: I/O error occurred while writing; fd='10', error='Broken pipe (32)'

Doing the same on the client, however, does not. The Syslog NG server does not seem to validate the CN.
Is this expected behaviour or a bug?
Best regards, 

  Peter.
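The behaviour described in the post, modelled as an added example (not code from the post or from syslog-ng): with `peer_verify(required-trusted)` alone, the server asks only "was this certificate issued by a CA in ca_dir()?", so every certificate that CA ever issued (client1, client2, ...) is accepted, and no hostname or CN comparison happens because an inbound connection has no configured hostname to compare against. Restricting *which* CA-issued identities may log requires a second, explicit check against an allowlist of subject DNs; the glob-pattern allowlist below follows the shape of syslog-ng's `trusted-dn()` TLS option, which is an assumption here and is not mentioned in the post. The two certificate dumps are constructed from the `openssl x509 -text` output quoted above, reduced to the lines the check needs.

```python
import fnmatch
import re

# Constructed sample input: the two client certificates from the post,
# cut down to the lines the check reads. Both were issued by the same CA.
CLIENT1_TEXT = """Certificate:
    Data:
        Serial Number: 2 (0x2)
        Issuer: O=xxx, OU=Client 1/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
        Subject: C=xx, ST=xx, O=xx, OU=xx, CN=client1
"""
CLIENT2_TEXT = """Certificate:
    Data:
        Serial Number: 3 (0x3)
        Issuer: O=xxx, OU=Client 2/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
        Subject: C=xx, ST=xxx, O=xxx, OU=Client 2, CN=client2
"""


def parse_subject(cert_text):
    """Return the Subject DN of an 'openssl x509 -noout -text' dump as an
    ordered list of (attribute, value) pairs, e.g. [..., ('CN', 'client1')]."""
    match = re.search(r"^\s*Subject:\s*(.+?)\s*$", cert_text, re.MULTILINE)
    if not match:
        raise ValueError("no Subject line in certificate dump")
    return [tuple(part.split("=", 1)) for part in match.group(1).split(", ")]


def dn_string(pairs):
    """Render the DN pairs back into 'C=xx, ST=xx, ..., CN=client1' form."""
    return ", ".join(f"{attr}={value}" for attr, value in pairs)


def peer_accepted(cert_text, chain_valid, trusted_dn=()):
    """Two-stage server-side decision for an inbound TLS client.

    Stage 1: the chain must verify against the CA (what the post's
             peer_verify(required-trusted) enforces).
    Stage 2: only if an allowlist of DN glob patterns is given, the subject
             DN must match one of them (assumed trusted-dn()-style check).
    With an empty allowlist the result is exactly the post's observation:
    any certificate signed by the CA is accepted, regardless of its CN."""
    if not chain_valid:
        return False
    if not trusted_dn:
        return True
    subject = dn_string(parse_subject(cert_text))
    return any(fnmatch.fnmatchcase(subject, pattern) for pattern in trusted_dn)
```

The allowlist pattern `"*, CN=client1"` admits client1 and rejects client2 even though both chains verify; inverting the pattern set (for example one pattern per logging host) is the policy the server otherwise never applies.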
