[syslog-ng] [Bug 239] New: syslog-ng refuses to allow 'Common Name' CN wildcards
bugzilla at bugzilla.balabit.com
Tue Jul 9 18:46:10 CEST 2013
https://bugzilla.balabit.com/show_bug.cgi?id=239
Summary: syslog-ng refuses to allow 'Common Name' CN wildcards
Product: syslog-ng
Version: 3.3.x
Platform: PC
OS/Version: Windows
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi at balabit.hu
ReportedBy: shawn.starr at statpro.com
Type of the Report: bug
Estimated Hours: 0.0
Distribution package version: 3.3.4.dfsg-2ubuntu1 (3.3.4)
When attempting to use the following configuration:
source system_stuff {
    system();
};

destination dest_kern {
    tcp("192.168.70.4" port(514)
        tls(
            #peer-verify(optional-untrusted)
            peer-verify(required-trusted)
            cipher_suite("AES256-SHA")
            trusted_dn("*, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA")
            cert_file("/etc/syslog-ng/certs/genericServer.crt")
            ca_dir("/etc/syslog-ng/ca")
        )
    );
};

log { source(system_stuff); destination(dest_kern); };
Jul 9 12:20:01 testad syslog-ng[12607]: Certificate subject does not match configured hostname; hostname='192.168.70.4', certificate='*.dev.company.com'
When trying to use trusted_dn("CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA") it then shows:
Jul 9 11:21:20 testad syslog-ng[12473]: Certificate valid, but DN constraints were not met, rejecting;
If I read this right, CN is provided (as per default CA policy), but we should be able to match hosts to the wildcard, similar to what rsyslog has:
http://www.rsyslog.com/doc/tls_cert_server.html
I don't know if this also happens in 3.5.x, but I can test this on my Fedora systems at home.
--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
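The two rejections quoted in the report above, as an added illustration that is not part of the bug report and not syslog-ng's own code: a minimal RFC 6125-style name check shows why a wildcard certificate can never match a destination given as an IP literal, and a glob-based DN check models a trusted_dn()-style allow list. The rendered subject DN string, its attribute order and the order in which the two checks run are constructed assumptions; syslog-ng's actual DN rendering and check order are not described on this page.

```python
import fnmatch
import ipaddress

# Constructed sample values mirroring the report (not real hosts or certificates).
CERT_CN = "*.dev.company.com"
CERT_SUBJECT = "CN=*.dev.company.com, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of a certificate name with the name the client dialed.

    '*' is honoured only as the entire leftmost label, covers exactly one label, and
    never matches an IP address literal: an address has no DNS labels, so a client
    that connects to 192.168.70.4 cannot be satisfied by '*.dev.company.com'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return pattern == hostname          # IP literal: exact comparison, no wildcards
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*":
        return pattern == hostname          # plain DNS name: exact match only
    return (len(p_labels) == len(h_labels) >= 3   # same label count, >= 2 fixed labels
            and h_labels[0] != ""                 # the wildcard must cover a real label
            and p_labels[1:] == h_labels[1:]
            and "*" not in pattern[2:])           # no second wildcard

def dn_matches(subject: str, patterns) -> bool:
    """Glob match of the whole rendered subject DN against an allow list, modelling a
    trusted_dn()-style constraint. Because this is plain string matching, the pattern
    must use the same attribute order and separators as the verifier renders the DN."""
    return any(fnmatch.fnmatchcase(subject, p) for p in patterns)

def verify_peer(dialed: str, cert_cn: str, subject: str, trusted_dns) -> str:
    """Return 'accepted' or the rejection reason. DN policy is evaluated before the
    name binding; that ordering is an assumption of this example, not syslog-ng's."""
    if trusted_dns and not dn_matches(subject, trusted_dns):
        return "DN constraints not met"
    if not hostname_matches(cert_cn, dialed):
        return "hostname mismatch"
    return "accepted"

if __name__ == "__main__":
    policy = ["*, O=MyCompany Name, L=Toronto, ST=Ontario, C=CA"]
    print(verify_peer("192.168.70.4", CERT_CN, CERT_SUBJECT, policy))         # hostname mismatch
    print(verify_peer("log1.dev.company.com", CERT_CN, CERT_SUBJECT, policy))  # accepted
```

Pointing the tcp() destination at a DNS name covered by the wildcard, rather than at the IP address, is what lets the first check pass; the DN glob only passes when the pattern is written in the exact rendering the verifier produces.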