[syslog-ng] Mutual TLS issues
PÁSZTOR György
pasztor at linux.gyakg.u-szeged.hu
Wed Sep 19 14:08:54 UTC 2018
Hi,
"Matthew Pounsett" <matt at conundrum.com> írta 2018-09-18 10:24-kor:
> I assumed that it would be as simple as using the example configs from the
> manual [0], and anywhere a CA cert is involved just pick the appropriate
> one: store their CA on my server, and my CA on "their" server (the test
> VM). That didn't work.
Well. You may have missed something, because this is a very simple scenario
which should work, just like you wrote.
> I've backed down to trying to get this working using all certificates
> signed by my CA, but I can't seem to make that work either. The error
> timing I'm getting doesn't quite match similar errors I can see reported
> online.
Btw.: Is it a simple certificate signed by your CA, or is there an
intermediate cert which is between your server's cert and your CA's cert?
In that case, the .crt file for server side, should be contain the
intermediate certs and the server's cert as well, in the right order.
> Server config:
> source tls_source {
> network(ip(64.191.0.17) port(6514)
> transport("tls")
> tls(
> key-file("/etc/ssl/private/64.191.0.17.key")
> cert-file("/etc/ssl/certs/64.191.0.17.crt")
> ca-dir("/etc/ssl/certs")
> )
> );
> };
This part seems okay.
>
> Client config:
> destination d_tls {
> network("64.191.0.17" port(6514)
> transport("tls")
> tls(
> ca-dir("/etc/ssl/certs")
> key-file("/etc/ssl/private/216.235.10.40.key")
> cert-file("/etc/ssl/certs/216.235.10.40.crt")
> )
> );
> };
Just as this part.
> I have the CA cert stored as /etc/ssl/certs/server_ca.pem on both systems.
This might be the problem!
SSL doesn't work like this!
In your CA dir you have to give a specific name to the files, or at least
point symlinks to them:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.17/administration-guide/ca-dir
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.17/administration-guide/55#TOPIC-989758
> Any idea what's wrong here? And, should I be able to get this to work using
> different CAs for the client and server certs?
I think the file name in your ca-dir will be the problem.
Btw.: if you want to test tls settings divided from syslog-ng, then you can
always use this two commands:
openssl s_client -connect host:port -key keyfile.key -cert certfile.crt -CApath /your/ca/dir
And to emulate the server side:
openssl s_server -accept port -key keyfile.key -cert certfile.crt -CApath /your/ca/dir
Cheers,
Gyu
More information about the syslog-ng
mailing list