[syslog-ng] [Bug 239] New: syslog-ng refuses to allow 'Common Name' CN wildcards

bugzilla at bugzilla.balabit.com
Tue Jul 9 18:46:10 CEST 2013


           Summary: syslog-ng refuses to allow 'Common Name' CN wildcards
           Product: syslog-ng
           Version: 3.3.x
          Platform: PC
        OS/Version: Windows
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: shawn.starr at statpro.com
Type of the Report: bug
   Estimated Hours: 0.0

Distribution package version: 3.3.4.dfsg-2ubuntu1 (3.3.4)

When attempting to use the following configuration:

source system_stuff {

destination dest_kern { tcp("" port(514) tls(
trusted_dn("*, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA")
ca_dir("/etc/syslog-ng/ca")) );

log { source(system_stuff); destination(dest_kern); };

Jul  9 12:20:01 testad syslog-ng[12607]: Certificate subject does not match configured hostname; hostname='', certificate='*.dev.company.com'

When trying to use trusted_dn("CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA") it then shows:

Jul  9 11:21:20 testad syslog-ng[12473]: Certificate valid, but DN constraints were not met, rejecting;

If I read this right, CN is provided (as per default CA policy) but we should be able to match hosts to the wildcard. Similar to what rsyslog has:

I don't know if this also happens in 3.5.x, but I can test this on my Fedora systems at home.
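
An added example (not part of the original report and not syslog-ng's code) modelling the two checks behind the log messages above: left-most-label wildcard matching of a hostname against the certificate name, and glob matching of a trusted_dn pattern against the subject DN string. The glob model, the hostname log1.dev.company.com and the two DN orderings are assumptions constructed for illustration.

```python
import fnmatch

def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Wildcard check in the style of RFC 6125: '*' must be the whole left-most label."""
    host = hostname.rstrip(".").lower()
    name = cert_name.rstrip(".").lower()
    if not host:                      # hostname='' can never match any certificate
        return False
    if "*" not in name:
        return host == name
    first, _, rest = name.partition(".")
    if first != "*" or "*" in rest or "." not in rest:
        return False                  # reject 'f*o.example', '*.*.example', '*.com'
    h_first, _, h_rest = host.partition(".")
    return bool(h_first) and h_rest == rest   # '*' covers exactly one label

def dn_matches(subject_dn: str, pattern: str) -> bool:
    """ASSUMPTION: the pattern is glob-matched against the whole DN string,
    so component order and the ', ' separators must line up exactly."""
    return fnmatch.fnmatchcase(subject_dn, pattern)

def check_peer(hostname: str, cert_name: str, subject_dn: str, pattern: str) -> dict:
    """Run both checks and report each result separately."""
    return {"hostname_ok": hostname_matches(hostname, cert_name),
            "dn_ok": dn_matches(subject_dn, pattern)}

# Constructed sample data: the certificate name and pattern are taken from the
# report; the two subject strings are the same DN rendered in opposite orders.
CERT_NAME = "*.dev.company.com"
PATTERN = "*, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"
DN_CN_FIRST = "CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"
DN_C_FIRST = "C=CA, ST=Ontario, L=Toronto, O=MyCompany Name, CN=*.dev.company.com"

if __name__ == "__main__":
    for host in ("", "log1.dev.company.com", "a.b.dev.company.com"):
        for dn in (DN_CN_FIRST, DN_C_FIRST):
            print(repr(host), dn[:10], check_peer(host, CERT_NAME, dn, PATTERN))
```

Under this model an empty hostname fails against any certificate name, and the same trusted_dn pattern passes or fails depending only on the order in which the subject DN is rendered as a string.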
