[syslog-ng] Certificate ip authentication

Alexandre Damas alexandre.m.damas at nos.pt
Mon Jul 27 11:34:36 UTC 2020


Hi,

As my objective in using syslog-ng is the authentication and certification of received security and auditing events, I implemented an internal CA which generates a certificate per syslog-ng client.
Once, someone misconfigured a client and got a certificate for a different client. The funny part is that no one observed any problem, as the certificate, which was generated for a client having an IP (different from the one configured on the machine), was working and communications (using ALTP with TLS) went up for the exchange of messages.
Has anyone experienced this? Does someone have a clue on how to prevent certificate reutilization on the client side?
On the Linux side I did not find any way of preventing the utilization of a certificate on one machine that was issued for a different machine having a different IP. If there is no cross-checking on the server of the IP addresses on the certificate with the IP address on the received event, I don't have a way to non-repudiate a received event, and the client can reuse the certificate for other machines, allowing the events to be received on the server.

Kind Regards
Alexandre Damas
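
The cross-check described in the message above, sketched as an added example (not part of the original post and not syslog-ng code or configuration). It assumes the internal CA puts each client's address in an iPAddress subjectAltName entry and that the receiver has the verified client certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and sample connections are constructed for illustration.

```python
import ipaddress

def _normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) and drop zone ids."""
    ip = ipaddress.ip_address(addr.strip().split("%")[0])
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this
    return mapped if mapped is not None else ip

def cert_ip_sans(peercert):
    """Set of iPAddress subjectAltName entries in a getpeercert()-style dict."""
    ips = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "IP Address":
            try:
                ips.add(_normalize(value))
            except ValueError:
                continue  # malformed entry can never match a peer
    return ips

def peer_matches_cert(peercert, peer_addr):
    """True only when the TCP source address is listed in the certificate."""
    if not peercert:
        return False  # no verified client certificate was presented
    try:
        return _normalize(peer_addr) in cert_ip_sans(peercert)
    except ValueError:
        return False

def audit(connections):
    """Return source addresses whose certificate was issued for another IP."""
    return [addr for addr, cert in connections if not peer_matches_cert(cert, addr)]

# Constructed sample connections: (TCP source address, parsed client certificate)
SAMPLE = [
    ("192.0.2.10", {"subjectAltName": (("IP Address", "192.0.2.10"),)}),
    ("::ffff:192.0.2.10", {"subjectAltName": (("IP Address", "192.0.2.10"),)}),
    ("192.0.2.99", {"subjectAltName": (("IP Address", "192.0.2.10"),)}),  # reused cert
    ("192.0.2.20", {"subjectAltName": (("DNS", "client20.example"),)}),   # no IP SAN
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A check like this only holds when the server sees the client's real source address; a NAT or relay between client and server replaces it with the translated address.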