[syslog-ng] SSL certificate verification

Balazs Scheidler bazsi at balabit.hu
Tue Mar 8 21:42:43 CET 2011


On Tue, 2011-03-08 at 21:25 +0100, Peter Eckel wrote:
> Hi all, 
> 
> I am currently setting up a remote logging facility for a customer who requires encryption and mutual authentication. After having run Syslog NG over Stunnel for several years, I am looking into the option to do the same without stunnel, by using Syslog NG with the TLS option. My current version is 3.2.2, installed from the binary provided on the Syslog NG web site, on CentOS 5.5.
> 
> 
> 
> My setup on the server side (stripped to the minimum): 
> 
> source s_remote {
>   tcp( ip( 192.168.42.184 ) port( 601 )
>        tls( key_file("/opt/syslog-ng/etc/ssl/server_key.pem")
>             cert_file("/opt/syslog-ng/etc/ssl/server_crt.pem")
>             ca_dir( "/opt/syslog-ng/etc/ssl" )
>             peer_verify( required-trusted )
>           )
>      );
> };
> 
> destination d_remote {
>   file( "/var/log/remote"
>         owner(root)
>         group(root)
>         perm(0600)
>       );
> };
> 
> log {
>   source(s_remote);
>   destination(d_remote);
> };
> 
> 
> 
> On the client side: 
> 
> source s_local {
>   internal();
>   unix-stream( "/dev/log" );
>   file( "/proc/kmsg" );
> };
> 
> destination d_remote {
>   tcp( "192.168.42.184" port( 601 )
>        tls( key_file("/opt/syslog-ng/etc/ssl/client1_key.pem")
>             cert_file("/opt/syslog-ng/etc/ssl/client1_crt.pem")
>             ca_dir( "/opt/syslog-ng/etc/ssl" ) 
>           )
>      );
> };
> 
> log {
>   source(s_local);
>   destination(d_remote);
> };
> 
> 
> 
> With the appropriate and valid client cert, it works perfectly:
> 
> [root at server1 ssl]# openssl x509 -noout -text < client1_crt.pem 
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=xxx, OU=Client 1/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
>         Validity
>             Not Before: Mar  8 15:53:24 2011 GMT
>             Not After : Mar  7 15:53:24 2014 GMT
>         Subject: C=xx, ST=xx, O=xx, OU=xx, CN=client1
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>         ...
> 
> However, I copied over the cert of another client machine to client1, reconfigured Syslog NG to use it, and it works as well, though IMHO it shouldn't:
> 
> [root at server1 ssl]# openssl x509 -noout -text < client2_crt.pem 
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 3 (0x3)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=xxx, OU=Client 2/emailAddress=xxx, L=xxx, ST=xxx, C=xx, CN=xxx
>         Validity
>             Not Before: Mar  8 15:54:35 2011 GMT
>             Not After : Mar  7 15:54:35 2014 GMT
>         Subject: C=xx, ST=xxx, O=xxx, OU=Client 2, CN=client2
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>         ...
> 
> 
> 
> Swapping certificates (client2's instead of server's in this case) on the server breaks trust (as expected): 
> 
> Mar  8 18:19:45 client1 syslog-ng[2991]: Syslog connection established; fd='10', server='AF_INET(192.168.42.184:601)', local='AF_INET(0.0.0.0:0)'
> Mar  8 18:20:13 client1 syslog-ng[2991]: Certificate subject does not match configured hostname; hostname='server', certificate='client2'
> Mar  8 18:20:13 client1 syslog-ng[2991]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
> Mar  8 18:20:13 client1 syslog-ng[2991]: I/O error occurred while writing; fd='10', error='Broken pipe (32)'
> 
> Doing the same on the client, however, does not. The Syslog NG server does not seem to validate the CN.

I'm not sure I followed you correctly, but the syslog-ng server has no
information about the client name, only its IP address, which usually
doesn't match anything in the X.509 certificate (I know that a
subjectAltName can be specified with type iPAddress, but that's usually
missing).

You could use the trusted_dn() option to specify which client DNs a
given server accepts, but that could mean that you need separate ports
for each client.

How do you expect syslog-ng to behave in this case?

-- 
Bazsi
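The two identity checks discussed in this thread, a DN allowlist in the spirit of trusted_dn() and a subjectAltName iPAddress match against the peer's source address, as an added illustration that is not syslog-ng code. It works on the one-line subject strings printed by openssl in the post; the glob-matching rule, the authorize_client() helper and the sample IPs are assumptions, not syslog-ng's actual implementation.

```python
import fnmatch
import ipaddress

# Constructed sample data, taken from the two client subjects shown in the post.
CLIENT_SUBJECTS = {
    "client1": "C=xx, ST=xx, O=xx, OU=xx, CN=client1",
    "client2": "C=xx, ST=xxx, O=xxx, OU=Client 2, CN=client2",
}


def parse_dn(dn):
    """Split a one-line DN ('C=xx, ST=xx, ..., CN=client1') into (key, value) pairs.
    Illustrative only: values containing ', ' would need a real RFC 4514 parser."""
    pairs = []
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def subject_cn(dn):
    """Return the CN component of the DN, or None if absent."""
    return next((v for k, v in parse_dn(dn) if k == "CN"), None)


def dn_matches(dn, patterns):
    """Allowlist check: shell-style globs applied to the whole one-line DN
    (assumption: modelled on trusted_dn(), not its exact matching rules)."""
    return any(fnmatch.fnmatchcase(dn, p) for p in patterns)


def san_ip_matches(san_ips, peer_ip):
    """True if the peer's source address is among the cert's iPAddress SANs."""
    peer = ipaddress.ip_address(peer_ip)
    return any(ipaddress.ip_address(ip) == peer for ip in san_ips)


def authorize_client(dn, san_ips, peer_ip, allowed_dns, expected_cn_by_ip):
    """Decide whether an already chain-verified client cert (peer_verify) carries
    the identity expected at this source IP. Hypothetical helper; returns (ok, why)."""
    if not dn_matches(dn, allowed_dns):
        return False, "subject DN not in allowlist"
    expected = expected_cn_by_ip.get(peer_ip)
    if expected is not None and subject_cn(dn) != expected:
        return False, "CN %r is not the host expected at %s" % (subject_cn(dn), peer_ip)
    if san_ips and not san_ip_matches(san_ips, peer_ip):
        return False, "no subjectAltName iPAddress matches the peer"
    return True, "ok"
```

With an empty SAN list the IP check is skipped, which is exactly the situation Bazsi describes: without an iPAddress SAN or a DN allowlist the server can only confirm that the certificate chains to the CA, not which client presented it.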