[syslog-ng] TLS - Authentication problem

Honza Mach jan.mach at cesnet.cz
Fri Mar 18 14:01:50 CET 2011


Hi everyone,

I am currently implementing a central syslog server using syslog-ng and I
have encountered some problems when configuring mutual TLS
authentication.

On client machine I keep getting the following errors:

Mar 18 12:54:22 machine syslog-ng[5432]: Syslog connection established;
fd='9', server='AF_INET(xxx.113.161.23:514)', local='AF_INET(0.0.0.0:0)'
Mar 18 12:54:22 machine syslog-ng[5432]: Certificate validation failed;
subject='CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
O=AddTrust AB, C=SE', issuer='CN=AddTrust External CA Root, OU=AddTrust
External TTP Network, O=AddTrust AB, C=SE', error='self signed
certificate in certificate chain', depth='3'
Mar 18 12:54:22 machine syslog-ng[5432]: SSL error while writing stream;
tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed'
Mar 18 12:54:22 machine syslog-ng[5432]: I/O error occurred while
writing; fd='9', error='Broken pipe (32)'
Mar 18 12:54:22 machine syslog-ng[5432]: Syslog connection broken;
fd='9', server='AF_INET(xxx.113.161.23:514)', time_reopen='60'

This is the exact same problem as in the following thread:

https://lists.balabit.hu/pipermail/syslog-ng/2011-January/015613.html

I have verified the functionality without TLS settings and everything
works perfectly, so there is no problem on the way (firewall, etc.).

I studied carefully the manual and everything is as it is supposed to
be:

CLIENT MACHINE
--------------

OS - Debian 6.0 Squeeze

SYSLOG-NG VERSION:

client:# syslog-ng --version
syslog-ng 3.1.3
Installer-Version: 3.1.3
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
Compile-Date: Feb  1 2011 19:36:27
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: on

DESTINATION CONFIGURATION FROM SYSLOG-NG.CONF:

destination d_net { tcp("xxx.113.161.23"
                        port(514)
                        tls(key_file("/etc/ssl/private/client.company.cz-nopass.key")
                            cert_file("/etc/ssl/certs/client.company.cz.pem")
                            ca_dir("/etc/ssl/trusted_ca"))
                       );
                  };

CA HASH:

client:# openssl x509 -in /etc/ssl/trusted_ca/tcs.pem -noout -hash
9df51c42

CA CERTIFICATE DIRECTORY:

client:# ll /etc/ssl/trusted_ca
total 12
lrwxrwxrwx 1 root root   27 Mar 18 12:30 9df51c42.0 -> /etc/ssl/trusted_ca/tcs.pem
-rw-r--r-- 1 root root 1655 Mar 18 12:29 tcs.pem

VALIDATE CERTIFICATE AGAINST CA:

client:# openssl verify -CAfile /etc/ssl/trusted_ca/9df51c42.0 -verbose /etc/ssl/certs/client.company.cz.pem
/etc/ssl/certs/client.company.cz.pem: OK

SERVER MACHINE
--------------

OS - Debian 6.0 Squeeze

SYSLOG-NG VERSION:

server:# syslog-ng --version
syslog-ng 3.1.3
Installer-Version: 3.1.3
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#def34661b08109f8148904b860457d5747c425b3
Compile-Date: Feb  1 2011 19:36:27
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: on

SOURCE CONFIGURATION FROM SYSLOG-NG.CONF:

source s_net {  tcp(    ip(0.0.0.0)
                        port(514)
                        tls(key_file("/etc/ssl/private/server.company.cz-nopass.key")
                            cert_file("/etc/ssl/certs/server.company.cz.pem")
                            ca_dir("/etc/ssl/trusted_ca"))
                   );
                };


CA HASH:

server:# openssl x509 -in /etc/ssl/trusted_ca/tcs.pem -noout -hash
9df51c42

CA CERTIFICATE DIRECTORY:

server:# ll /etc/ssl/trusted_ca
total 12
lrwxrwxrwx 1 root root   27 Mar 18 12:30 9df51c42.0 -> /etc/ssl/trusted_ca/tcs.pem
-rw-r--r-- 1 root root 1655 Mar 18 12:29 tcs.pem

VALIDATE CERTIFICATE AGAINST CA:

server:# openssl verify -CAfile /etc/ssl/trusted_ca/9df51c42.0 -verbose /etc/ssl/certs/server.company.cz.pem
/etc/ssl/certs/server.company.cz.pem: OK

Certificates for the CA are the same on both machines. I tried to put
either the whole chain up to the root certificate, or only the last
certificate, but the error keeps appearing.

In the thread mentioned above the community member Bazsi suggested the
following:

------
It's the whole point in certificate validation to use self-signed CA
certificates. (after all, a centrally trusted CA is self-signed too).

Try validating that your directory is correct using "openssl verify",
once that validates the cert, syslog-ng should too.

-- 
Bazsi

-------

I do not understand what is meant by validating the directory.

As I said, I successfully validated both the client and the server
certificate against the CA certificate using the openssl command, but
syslog-ng is still complaining.

Am I missing something? I will gladly provide more information, if
needed. Thank you for your time.

Regards

Honza Mach
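The "validate the directory" step from Bazsi's reply, worked through as an added example (this is not code from the post or from the syslog-ng project). A throwaway root -> intermediate -> server chain is issued with the openssl tool, a hashed directory of the kind ca_dir() reads is built with only the intermediate in it, and the server's leaf is verified against that directory with the rest of the chain the server would send supplied as untrusted input. That fails for the reason the client log above shows: the chain tops out in a self-signed root the store does not contain. Adding the root and rehashing makes the same chain pass. All names, paths and CA subjects are made up; which OpenSSL version is installed decides whether the rejection reads "unable to get issuer certificate" or "self signed certificate in certificate chain", so the script prints the verdict instead of matching its text.

```shell
#!/bin/sh
# Added example, not from the post or from syslog-ng: rebuilds the chain-validation
# failure with a throwaway PKI and shows the directory check.  Needs only openssl.
# Every name and path below is hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/trusted_ca"          # plays the role of /etc/ssl/trusted_ca

# Issue a three-tier test PKI: self-signed root -> intermediate CA -> server leaf.
make_test_pki() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 1 -days 2 -extfile "$WORK/req.cnf" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -set_serial 2 -days 2 -extfile "$WORK/req.cnf" -extensions v3_leaf -out "$WORK/server.pem" 2>/dev/null
    # What a server whose cert_file() carries the full chain sends on the wire besides its leaf.
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/sent_chain.pem"
}

# Lay the directory out the way ca_dir() (OpenSSL's hashed-directory lookup) expects: every CA
# certificate reachable through a <subject hash>.<n> link, which is what c_rehash produces.
# Compute the hash with the OpenSSL that syslog-ng is linked against: 1.0.0 changed the
# algorithm, and a link named with the other hash is never looked up.
rehash_ca_dir() {
    dir=$1; shift
    rm -rf "$dir"; mkdir -p "$dir"
    for cert in "$@"; do
        name=$(basename "$cert")
        cp "$cert" "$dir/$name"
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$name" "$dir/$hash.$n"
    done
}

# The check the client performs on connect: the peer's leaf ($2), with the rest of the chain
# the peer sent ($3) as untrusted input, against the hashed directory ($1) and nothing else.
# -no-CAfile/-no-CApath (OpenSSL 1.1.0+) stop verify from silently adding the system store.
# Exit status is openssl's: 0 means syslog-ng, reading the same directory, would accept too.
verify_peer() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" -untrusted "$3" "$2" 2>&1
}

# 1. Only the intermediate in the directory (a lone tcs.pem): the chain the peer sends ends in
#    a self-signed root that is not in the store, so OpenSSL rejects it.
# 2. Root added and the directory rehashed: the same chain verifies.
demo() {
    make_test_pki
    rehash_ca_dir "$CADIR" "$WORK/inter.pem"
    echo "== intermediate only in ca_dir =="
    verify_peer "$CADIR" "$WORK/server.pem" "$WORK/sent_chain.pem" || true
    rehash_ca_dir "$CADIR" "$WORK/inter.pem" "$WORK/root.pem"
    echo "== intermediate and root in ca_dir =="
    verify_peer "$CADIR" "$WORK/server.pem" "$WORK/sent_chain.pem"
}
demo
```

Two things differ from the `openssl verify -CAfile ...` runs in the post. First, `-CApath` exercises the `<hash>.N` lookup that `ca_dir()` relies on, so a missing or stale hash link shows up, whereas `-CAfile` reads the file directly. Second, unless told otherwise, `openssl verify` also loads OpenSSL's compiled-in default store, on Debian /etc/ssl/certs, which the ca-certificates package fills with public roots including the AddTrust root named in the log, so a verify that reports OK does not by itself prove that the directory alone is sufficient; `-no-CAfile` and `-no-CApath` exist from OpenSSL 1.1.0, and on older releases the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables can be pointed at an empty file and an empty directory for the same effect. To see exactly which chain the server presents, `openssl s_client -connect <server>:514 -showcerts` prints every certificate it sends, depth by depth.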
