[syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Scheidler, Balázs balazs.scheidler at balabit.com
Thu Jun 25 10:38:12 CEST 2015


Well, your device is not trusting syslog-ng then. You have to configure it
there, or use a certificate authority that it trusts to issue the keys.
On Jun 25, 2015 8:26 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <
klaus.schulte at nokia.com> wrote:

> The client is an embedded device – rsyslog is running on it.
>
> With a certificate created from here:
> http://www.selfsignedcertificate.com/ the TLS connection from device to
> syslog-ng works fine.
>
> With a certificate created with INSTA-Server (not self signed) I see the
> mentioned problem.
>
> Best regards
>
>   Klaus
>
> ____________________________________________
>
> find my openPGP key here: https://keyserver.pgp.com/
>
> From: syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] On Behalf Of ext Scheidler, Balázs
> Sent: Thursday, June 25, 2015 7:46
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] CentOS7 syslog-ng 3.5.6: TLS: SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> The SSL alert is sent by the client, thus the client didn't accept the
> certificate of the server. Can you paste that config as well?
>
> On Jun 24, 2015 11:44 AM, "Schulte, Klaus (Nokia - DE/Ulm)" <
> klaus.schulte at nokia.com> wrote:
>
> Dear all,
>
> I've these source settings for TLS:
>
> source s_tcp_tls {
>    network(  transport("tls")
>              ip("10.46.130.65") port(6514)
>              tls(
>                    # optional-untrusted: a client certificate is not required,
>                    # and if one is presented it is not validated by syslog-ng
>                    peer-verify("optional-untrusted")
>                    key-file("/etc/syslog-ng/key.d/syslog-ng.key")
>                    cert-file("/etc/syslog-ng/cert.d/syslog-ng.cert")
>              )
>    );
> };
>
> But when a client connects via TCP/TLS to the syslog-ng service..
>
> In syslog-ng these messages are showing up:
>
> syslog-ng starting up; version='3.5.6'
> Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)',
> local='AF_INET(10.46.130.65:6514)'
> SSL error while reading stream; tls_error='SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
> I/O error occurred while reading; fd='12', error='Connection reset by peer
> (104)'
> Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)',
> local='AF_INET(10.46.130.65:6514)'
> Closing log transport fd; fd='12'
>
> I don't know why syslog-ng is proving the CA?
> As far as I know the configuration is a non-mutual authentication - so the
> CA shouldn't play a role in this - is this correct?
>
> The client sends messages in RFC5424 format.
>
> Any help is appreciated - I've no clue what's going wrong.
>
> Best regards
>   Klaus
> ____________________________________________
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
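Balázs's diagnosis above rests on one reading rule: when OpenSSL reports "tlsv1 alert unknown ca" from SSL3_READ_BYTES, the alert was *received* from the peer, so it is the client that rejected the server's certificate, not syslog-ng rejecting the client's. The following triage helper is an added example and not part of this thread or of syslog-ng; it applies that rule to syslog-ng's own internal messages, attributes each TLS error to the connection it most likely belongs to (syslog-ng 3.5 logs the error without an fd, so the most recently accepted open connection is assumed), and separates "the peer did not trust our certificate" from "we did not trust the peer's certificate". The log lines embedded below are constructed from the ones quoted in the thread; the second connection and its error string are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog-ng 3.5.6 messages quoted in the thread.
# The second connection (fd 13) is invented to show the other failure direction.
SAMPLE_LOG = """\
syslog-ng starting up; version='3.5.6'
Syslog connection accepted; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
I/O error occurred while reading; fd='12', error='Connection reset by peer (104)'
Syslog connection closed; fd='12', client='AF_INET(10.46.160.78:48075)', local='AF_INET(10.46.130.65:6514)'
Closing log transport fd; fd='12'
Syslog connection accepted; fd='13', client='AF_INET(10.46.160.79:41002)', local='AF_INET(10.46.130.65:6514)'
SSL error while reading stream; tls_error='SSL routines:SSL3_GET_CLIENT_CERTIFICATE:certificate verify failed'
Syslog connection closed; fd='13', client='AF_INET(10.46.160.79:41002)', local='AF_INET(10.46.130.65:6514)'
"""

ACCEPT_RE = re.compile(r"Syslog connection accepted; fd='(?P<fd>\d+)', client='(?P<client>[^']+)'")
CLOSE_RE = re.compile(r"Syslog connection closed; fd='(?P<fd>\d+)'")
TLS_ERR_RE = re.compile(r"SSL error while reading stream; tls_error='(?P<err>[^']+)'")


def classify_tls_error(err):
    """Map an OpenSSL error string to the side that aborted the handshake."""
    low = err.lower()
    if " alert " in low:
        # OpenSSL phrases a *received* alert as 'tlsv1 alert <reason>' /
        # 'sslv3 alert <reason>': the peer (here the syslog client) gave up,
        # e.g. because the server certificate chains to a CA it does not know.
        return "peer-rejected-our-cert"
    if "certificate verify failed" in low:
        # Local verification failed: syslog-ng itself did not trust the peer's
        # certificate (only possible with a peer-verify() mode that validates).
        return "we-rejected-peer-cert"
    return "other"


def triage(log_text):
    """Attribute each TLS error to a client and classify it."""
    open_conns = {}   # fd -> client address, for connections not yet closed
    order = []        # open fds in accept order, most recent last
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            open_conns[m['fd']] = m['client']
            order.append(m['fd'])
            continue
        m = CLOSE_RE.search(line)
        if m:
            open_conns.pop(m['fd'], None)
            order = [fd for fd in order if fd != m['fd']]
            continue
        m = TLS_ERR_RE.search(line)
        if m:
            # The TLS error line carries no fd in this syslog-ng version, so it is
            # attributed to the most recently accepted connection still open (heuristic).
            fd = order[-1] if order else None
            findings.append({
                'fd': fd,
                'client': open_conns.get(fd, 'unknown'),
                'category': classify_tls_error(m['err']),
                'tls_error': m['err'],
            })
    return findings


def summarize(findings):
    """Count failures per (client, direction) to spot which devices lack the CA."""
    return Counter((f['client'], f['category']) for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"fd={f['fd']} client={f['client']} {f['category']}: {f['tls_error']}")
    for (client, category), n in summarize(results).items():
        print(f"{client}: {category} x{n}")
```

Run against the real `/var/log/messages` (or wherever syslog-ng's internal() source is written), a persistent `peer-rejected-our-cert` count for one client means that device needs the issuing CA (here the INSTA one) in its trust store, while `we-rejected-peer-cert` points at the server-side `peer-verify()` settings instead.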