[syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Schulte, Klaus (Nokia - DE/Ulm)
klaus.schulte at nokia.com
Thu Jun 25 08:26:28 CEST 2015
The client is an embedded device – rsyslog is running on it.
With a certificate created from here: http://www.selfsignedcertificate.com/ the TLS connection from device to syslog-ng works fine.
With a certificate created with INSTA-Server (not self signed) I see the mentioned problem.
Best regards
Klaus
____________________________________________
find my openPGP key here: https://keyserver.pgp.com/
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of ext Scheidler, Balázs
Sent: Thursday, June 25, 2015 7:46
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
The SSL alert is sent by the client, thus the client didn't accept the certificate of the server. Can you paste that config as well?
On Jun 24, 2015 11:44 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <klaus.schulte at nokia.com> wrote:
Dear all,
I've this source settings for TLS:
source s_tcp_tls {
    network(
        transport("tls")
        ip(10.46.130.65) port(6514)
        tls(
            peer-verify("optional-untrusted")
            key-file("/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/etc/syslog-ng/cert.d/syslog-ng.cert")
        )
    );
};
But when a client connects via TCP/TLS to the syslog-ng service, these messages show up in syslog-ng:
syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
Closing log transport fd; fd='12'
I don't know why syslog-ng is verifying the CA.
As far as I know, the configuration is a non-mutual authentication, so the CA shouldn't play a role in this. Is this correct?
The client sends messages in RFC5424 format.
Any help is appreciated. I've no clue what's going wrong.
Best regards
Klaus
____________________________________________
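As an added illustration (not part of this thread and not syslog-ng's own code), the following Python decodes the TLS alert record that makes OpenSSL on the receiving side log "SSL3_READ_BYTES:tlsv1 alert unknown ca". The record bytes and the two addresses are constructed from the log lines above; the ClientHello and the server's Certificate message that precede the alert on the wire are not included. Direction is what matters: the side that sends alert 48 (unknown_ca) is the side whose certificate verification failed, so an alert arriving at syslog-ng means the rsyslog client did not trust the CA behind syslog-ng.cert, regardless of what peer-verify() on the server says.

```python
"""Decode a captured TLS alert record and say which side rejected what.

Constructed example: the 7-byte record the rsyslog client would send to
syslog-ng after failing to build a trusted chain for the server certificate.
"""
import struct

# Record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}
# Alerts whose meaning is "the sender refused the certificate it was shown".
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}

# Constructed capture (addresses taken from the syslog-ng log in the thread):
# content type 0x15 (alert), version 3.1 (TLS 1.0), length 2, level 2, description 48.
CLIENT = "10.46.160.78:48075"
SERVER = "10.46.130.65:6514"
CAPTURE_CLIENT_TO_SERVER = bytes.fromhex("15 0301 0002 02 30")


def parse_records(data):
    """Split a raw TLS byte stream into (content_type, version, body) tuples.

    Raises ValueError on a truncated header or body so that a partial capture
    is never silently misread.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def decode_alert(body):
    """Decode a 2-byte alert body into names, the raw code and its meaning."""
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
        "cert_rejected_by_sender": desc in CERT_REJECTION_ALERTS,
    }


def explain(sender, receiver, data):
    """Return one human-readable line per record, naming who sent it."""
    lines = []
    for ctype, version, body in parse_records(data):
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        ver = VERSIONS.get(version, f"version {version[0]}.{version[1]}")
        prefix = f"{sender} -> {receiver}: {name} ({ver})"
        if ctype == 21:
            a = decode_alert(body)
            text = f"{a['level']} alert {a['description']} ({a['code']})"
            if a["cert_rejected_by_sender"]:
                # The alert travels from the verifier to the certificate owner.
                text += f"; {sender} rejected the certificate presented by {receiver}"
            lines.append(f"{prefix}: {text}")
        else:
            lines.append(f"{prefix}: {len(body)} bytes")
    return lines


if __name__ == "__main__":
    for line in explain(CLIENT, SERVER, CAPTURE_CLIENT_TO_SERVER):
        print(line)
```

Read against the thread: peer-verify("optional-untrusted") only governs whether syslog-ng checks the client's certificate; it has no influence on whether the client trusts syslog-ng's certificate, which is the check that failed here. From the client's point of view the equivalent offline test is `openssl verify -CAfile <CA that issued syslog-ng.cert> /etc/syslog-ng/cert.d/syslog-ng.cert`, and `openssl s_client -connect 10.46.130.65:6514 -showcerts` shows exactly which certificates the device is being sent; if the issuing CA signs through an intermediate, the client must be able to build that chain as well.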
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq