[syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Schulte, Klaus (Nokia - DE/Ulm) klaus.schulte at nokia.com
Thu Jun 25 08:26:28 CEST 2015

The client is an embedded device – rsyslog is running on it.

With a certificate created from here: http://www.selfsignedcertificate.com/ the TLS connection from device to syslog-ng works fine.

With a certificate created with INSTA-Server (not self signed) I see the mentioned problem.

Best regards

find my openPGP key here: https://keyserver.pgp.com/‎

From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of ext Scheidler, Balázs
Sent: Thursday, June 25, 2015 7:46
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

The SSL alert is sent by the client, thus the client didn't accept the certificate of the server. Can you paste that config as well?
On Jun 24, 2015 11:44 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <klaus.schulte at nokia.com<mailto:klaus.schulte at nokia.com>> wrote:
Dear all,

I've this source settings for TLS:

source s_tcp_tls {
   network(  transport("tls")
             ip( port(6514)

But when a client connects via TCP/TLS to the syslog-ng service..

In syslog-ng these messages are showing up:

syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(', local='AF_INET(<>)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(', local='AF_INET(<>)'
Closing log transport fd; fd='12'

I don't know why syslog-ng is proving the CA?
As far as I know the configuration is a non-mutual authentication - so the CA shouldn't play a role in this - is this correct?

The client sends messages in RFC5424 format.

Any help is appriciated - I've no clue what's going wrong.

Best regards

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20150625/c1aa04fc/attachment.htm 

More information about the syslog-ng mailing list