[syslog-ng] Mutual Authentication and Encryption With Rsyslog

Michael Starks syslog-ng-list at michaelstarks.com
Fri Mar 6 01:27:42 CET 2015 

I am trying to get mutual authentication working between a syslog-ng
server and an Rsyslog client, using startssl.com issued certificates.
The client does properly authenticate the server, but syslog-ng does not
recognize the client as trusted.

Server info:
------------

# cat /etc/redhat-release
CentOS release 6.6 (Final)

# /usr/local/syslog-ng/sbin/syslog-ng --version
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision:
ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Aug 18 2013 22:16:35
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

source s_network_secure {
        tcp(flags(no-multi-line) ip(0.0.0.0) port(6514)
        tls( key-file("/usr/local/syslog-ng/etc/cert.d/cert.key")
        cert-file("/usr/local/syslog-ng/etc/cert.d/cert.pem")
        ca_dir("/usr/local/syslog-ng/etc/cert.d")
        peer_verify(required-untrusted)) );
};

And of course this is defined in a log statement.

Here is the directory. Note that the symbolic link of the hash has been
created.

# ll /usr/local/syslog-ng/etc/cert.d/
total 204
lrwxrwxrwx. 1 root root     13 Mar  3 13:51 876f1e28.0 -> ca-bundle.pem
-rw-r--r--. 1 root root 195587 Mar  3 13:08 ca-bundle.pem
-r--------. 1 root root   1679 Feb 28 11:21 cert.key
-r--------. 1 root root   2260 Feb 28 11:50 cert.pem
-rw-r--r--. 1 root root   2281 Mar  3 13:58 client.key

required-untrusted works, but required-trusted doesn't. So I figured
maybe it was an SSL issue with the authority, but it seems to validate OK.

# openssl verify -CAfile 876f1e28.0 -verbose client.key
client.key: OK

Client info:
------------

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

# rsyslogd -v
rsyslogd 7.4.4, compiled with:
	FEATURE_REGEXP:				Yes
	FEATURE_LARGEFILE:			No
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes

See http://www.rsyslog.com for more information.

I suppose there's no additional client info needed since I know it is
presenting the certificate--the issue seems to be that the syslog-ng
server simply doesn't trust it.

All suggestions appreciated.

More information about the syslog-ng mailing list