[syslog-ng] Mutual Authentication and Encryption With Rsyslog
Laci Mészáros
lacienator at gmail.com
Fri Mar 6 06:50:10 CET 2015
Hello,
Have you tried starting syslog-ng in foreground, verbose mode (-Fdve)? In that
case, after the first message, you can check the SSL error message during
authentication. It could show you the problem with the certificates.
Br,
Laci
On 6 March 2015 at 01:27, Michael Starks <syslog-ng-list at michaelstarks.com>
wrote:
> I am trying to get mutual authentication working between a syslog-ng
> server and an Rsyslog client, using startssl.com issued certificates.
> The client does properly authenticate the server, but syslog-ng does not
> recognize the client as trusted.
>
> Server info:
> ------------
>
> # cat /etc/redhat-release
> CentOS release 6.6 (Final)
>
> # /usr/local/syslog-ng/sbin/syslog-ng --version
> syslog-ng 3.2.4
> Installer-Version: 3.2.4
> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
> Compile-Date: Aug 18 2013 22:16:35
> Enable-Threads: off
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-IPv6: on
> Enable-Spoof-Source: off
> Enable-TCP-Wrapper: off
> Enable-SSL: on
> Enable-SQL: off
> Enable-Linux-Caps: on
> Enable-Pcre: on
> Enable-Pacct: off
>
> source s_network_secure {
>     tcp(flags(no-multi-line) ip(0.0.0.0) port(6514)
>         tls( key-file("/usr/local/syslog-ng/etc/cert.d/cert.key")
>              cert-file("/usr/local/syslog-ng/etc/cert.d/cert.pem")
>              ca_dir("/usr/local/syslog-ng/etc/cert.d")
>              peer_verify(required-untrusted)) );
> };
>
> And of course this is defined in a log statement.
>
> Here is the directory. Note that the symbolic link of the hash has been
> created.
>
> # ll /usr/local/syslog-ng/etc/cert.d/
> total 204
> lrwxrwxrwx. 1 root root 13 Mar 3 13:51 876f1e28.0 -> ca-bundle.pem
> -rw-r--r--. 1 root root 195587 Mar 3 13:08 ca-bundle.pem
> -r--------. 1 root root 1679 Feb 28 11:21 cert.key
> -r--------. 1 root root 2260 Feb 28 11:50 cert.pem
> -rw-r--r--. 1 root root 2281 Mar 3 13:58 client.key
>
> required-untrusted works, but required-trusted doesn't. So I figured
> maybe it was an SSL issue with the authority, but it seems to validate OK.
>
> # openssl verify -CAfile 876f1e28.0 -verbose client.key
> client.key: OK
>
> Client info:
> ------------
>
> # cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
>
> # rsyslogd -v
> rsyslogd 7.4.4, compiled with:
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: No
> GSSAPI Kerberos 5 support: Yes
> FEATURE_DEBUG (debug build, slow code): No
> 32bit Atomic operations supported: Yes
> 64bit Atomic operations supported: Yes
> Runtime Instrumentation (slow code): No
> uuid support: Yes
>
> See http://www.rsyslog.com for more information.
>
> I suppose there's no additional client info needed since I know it is
> presenting the certificate--the issue seems to be that the syslog-ng
> server simply doesn't trust it.
>
> All suggestions appreciated.
>
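The check this thread turns on is whether the directory given to syslog-ng's ca_dir() lets OpenSSL's hashed-directory store find the client certificate's issuer: that store looks for a file named after the subject hash of the CA it needs, and `openssl x509 -subject_hash` on a bundle only hashes the first certificate in the file. The script below is an added example, not code from the original post or from the syslog-ng or rsyslog projects. It builds a throwaway root, intermediate and client certificate, reproduces the layout shown above (one bundle file plus a single hash link), builds a second directory with one file and one hash link per CA the way c_rehash does, and chain-verifies the client certificate against both. Every name, path and certificate in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway
# root -> intermediate -> client chain, then compare two ca_dir layouts:
#   broken/  one bundle file plus a single <hash>.0 link (as in the post)
#   good/    one file per CA with its own <subject_hash>.N link (c_rehash style)
# Every name, path and certificate here is constructed for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal request config plus the two extension profiles we sign with.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue <name> <subject> <ca-cert> <ca-key> <profile> <days>:
# new key + CSR, signed by the given CA with the given extension profile.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -in "$WORK/$1.csr" -CA "$3" -CAkey "$4" \
        -CAcreateserial -days "$6" -extfile "$CNF" -extensions "$5" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed root, then an intermediate and a client certificate under it.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -extensions v3_ca -subj "/CN=Example Root CA" -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
issue int    "/CN=Example Intermediate CA" "$WORK/root.pem" "$WORK/root.key" v3_ca     1825
issue client "/CN=rsyslog-client"          "$WORK/int.pem"  "$WORK/int.key"  v3_client 365
CLIENT="$WORK/client.pem"

# `openssl x509` reads only the FIRST certificate in a file, so the hash of a
# bundle is the hash of whichever CA happens to be listed first.
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }

# One file per certificate: ca-1.pem, ca-2.pem, ... in the target directory.
split_bundle() {
    awk -v out="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (out "/ca-" n ".pem") }' "$1"
}

# <subject_hash>.N links for every .pem in the directory (what c_rehash does);
# N is the first free suffix so two CAs with colliding hashes can coexist.
rehash_dir() {
    for f in "$1"/*.pem; do
        h=$(subject_hash "$f"); n=0
        while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$1/$h.$n"
    done
}

# The lookup OpenSSL's hashed-directory store performs first: is there an
# <issuer_hash>.0 entry for CERT's issuer in DIR?
issuer_link_present() { [ -e "$1/$(issuer_hash "$2").0" ]; }

# Chain verification through a hashed directory, the same lookup syslog-ng's
# ca_dir() relies on. (-CAfile loads every cert in a file and never touches
# the hash links, so it cannot show this problem.)
verify_against() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Layout from the post: bundle + one link named after the bundle's first cert.
BROKEN="$WORK/broken"; mkdir "$BROKEN"
cat "$WORK/root.pem" "$WORK/int.pem" > "$BROKEN/ca-bundle.pem"
ln -s ca-bundle.pem "$BROKEN/$(subject_hash "$BROKEN/ca-bundle.pem").0"

# Corrected layout: split the bundle, link every CA by its own hash.
GOOD="$WORK/good"; mkdir "$GOOD"
split_bundle "$BROKEN/ca-bundle.pem" "$GOOD"
rehash_dir "$GOOD"

for d in "$BROKEN" "$GOOD"; do
    if issuer_link_present "$d" "$CLIENT"; then link=present; else link=missing; fi
    if verify_against "$d" "$CLIENT"; then res=OK; else res=FAILED; fi
    echo "$(basename "$d"): issuer hash link $link, chain verify $res"
done
```

Run it with any OpenSSL that has the `req`, `x509` and `verify` subcommands; it needs no network and cleans up its temporary directory. The broken layout reports the issuer link missing and verification failed, because the only link in the directory is named after the root (the first certificate in the bundle) while the client certificate's issuer is the intermediate; the rehashed layout reports the link present and verification OK. The same two checks, `openssl x509 -noout -issuer_hash -in <client cert>` against the file names in ca_dir and `openssl verify -CApath <ca_dir> <client cert>`, are the ones to run against a real syslog-ng certificate directory before changing peer_verify() to required-trusted.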