[syslog-ng] Certificate valid, but invalid purpose

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Tue Nov 12 11:15:55 UTC 2019


Hello!
 The message is coming from this line: https://github.com/syslog-ng/syslog-ng/blob/master/lib/tlscontext.c#L222

 We got the error code from the library; the description is from the doc: (https://www.openssl.org/docs/man1.0.2/man3/X509_STORE_CTX_get_error.html)
    X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose the supplied certificate cannot be used for the specified purpose.

 The range of accepted extensions is controlled by the OpenSSL configuration file. (Just for reference: https://www.openssl.org/docs/manmaster/man5/config.html) Syslog-ng does not set any constraint on the accepted extensions. (So in theory, you should get the same message from the OpenSSL command line tool.)

 I examined the Fedora 31 repository, trying to find any difference from the mainstream OpenSSL conf, but only found this section:
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign


 Please examine your OpenSSL conf, and try to make tests with the openssl command line tool.
 If none of the above helps, then please provide further information about your system (exact release, installation source of syslog-ng), and the method you used to generate the certs, so we might be able to reproduce your error.

Best regards,
Laci

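To run the openssl command line check Laci suggests, here is an added example script (not from the thread and not syslog-ng's own code) that builds two constructed self-signed certificates, both carrying the serverAuth/clientAuth EKU the original post describes, and verifies each with the purpose OpenSSL applies during a TLS handshake. It shows that the EKU alone does not decide the outcome: a keyUsage limited to certificate signing (the CA-style line from the config snippet above) makes `openssl verify -purpose sslserver`/`sslclient` report "unsupported certificate purpose", while a keyUsage that also allows digitalSignature/keyEncipherment passes. It assumes an OpenSSL 1.1.1 or newer CLI (for `req -addext`); the names good.example and bad.example are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unsupported certificate
# purpose" verdict with the openssl CLI alone, using constructed self-signed
# certificates that carry the serverAuth,clientAuth EKU the original poster
# describes. Needs OpenSSL 1.1.1 or later (for `req -addext`).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE: self-signed cert and key under $WORK with the given
# keyUsage and extendedKeyUsage=serverAuth,clientAuth; prints the cert path.
make_cert() {
    name=$1; ku=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name.example" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        -addext "keyUsage=$ku" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
    printf '%s\n' "$WORK/$name.pem"
}

# check_purpose CERT PURPOSE: verify CERT, using itself as the trust anchor,
# with the purpose OpenSSL applies in a TLS handshake: sslserver when a client
# checks the server, sslclient when a server checks a client (mutual auth).
# Returns openssl's exit status; its diagnostic goes to stdout.
check_purpose() {
    openssl verify -purpose "$2" -CAfile "$1" "$1"
}

# keyUsage permitting signing and key exchange (plus keyCertSign so the cert
# can serve as its own trust anchor on every OpenSSL release): both purposes OK.
GOOD=$(make_cert good "digitalSignature,keyEncipherment,keyCertSign,cRLSign")
# The CA-only keyUsage from the config snippet quoted in the reply above: the
# EKU is right, but without digitalSignature/keyEncipherment the purpose check
# rejects the leaf with X509_V_ERR_INVALID_PURPOSE, the code the reply names.
BAD=$(make_cert bad "keyCertSign,cRLSign")

for cert in "$GOOD" "$BAD"; do
    for purpose in sslserver sslclient; do
        if out=$(check_purpose "$cert" "$purpose" 2>&1); then
            echo "$(basename "$cert") $purpose: OK"
        else
            echo "$(basename "$cert") $purpose: $out"
        fi
    done
done
```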



________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of W3EUU <w3euu at wxwatcher.com>
Sent: Tuesday, November 12, 2019 03:56
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Certificate valid, but invalid purpose


Running syslog-ng 3.22 OSE on a Fedora 31 installation.  I am in the process of implementing TLS encryption on the remote links.  I have the links working, including the mutual authentication function.  However, I am getting the warning "Certificate valid, but purpose is invalid" on startup.  Since it is a warning, it does not seem to be affecting the functionality.  The certificates are self-signed, with TLS Web Server Authentication and TLS Web Client Authentication extensions, among others.

I am unable to find any documentation defining what additional extensions are needed to silence this warning.  Can anyone tell me what additional extensions are required?


