[syslog-ng] TLS "trusted-dn" Question

David Hauck davidh at netacquire.com
Wed Mar 29 18:42:51 UTC 2023


Hi,

I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS configured endpoint to use the 'trusted-dn()' TLS option. I'm having trouble getting syslog-ng to return these DN specifiers in the Certificate Request option during the TLS negotiation so that clients can properly condition their supplied client certificates. 

I invariably see the following TLS negotiations (empty DNs list) in my Wireshark captures (as returned by the syslog-ng server):

TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 58
    Handshake Protocol: Certificate Request
        Handshake Type: Certificate Request (13)
        Length: 54
        Certificate types count: 3
        Certificate types (3 types)
        Signature Hash Algorithms Length: 46
        Signature Hash Algorithms (23 algorithms)
        Distinguished Names Length: 0                          <----- always '0'

In these cases my clients choose random client certificates that can't be refined to certificates signed by those expected (via the 'trusted-dn()' values) by the server and the connection is immediately closed.

Here's the syslog-ng.conf entry for these sources:

source s_515_tls {
   network( transport(tls) port(515) ip-protocol(6)
      tls(ca-dir("/etc/ssl/certs") key-file("/root/naservers.key") cert-file("/root/naservers.cer")
         peer-verify(required-trusted) trusted-dn("CN=*.netacquire.com")) ); 
};

I've tried several variants of the 'trusted-dn()' values, including other wildcards for country, state, etc. I always see a DNs list of zero size in the TLS Certificate Request option returned by the server. As expected, switching to 'peer-verify(required-untrusted)' results in successful negotiation (with expected server-side errors indicating problems associated with the client certificates) and subsequent successful client/server logging.

I figure I must be missing something obvious ;). Any ideas?

Here's my syslog-ng version info:

[logdest:~]# syslog-ng --version
syslog-ng 3 (3.31.2)
Config version: 3.29
Installer-Version: 3.31.2
Revision:
Compile-Date: Nov  9 2021 12:52:59
Module-Directory: /usr/lib/syslog-ng
Module-Path: /usr/lib/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules: tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: off

Thanks,
-David
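Added here as an example (not part of David's post and not syslog-ng code): a small Python decoder for the TLS 1.2 CertificateRequest handshake message shown in the capture above, with two constructed sample messages, one carrying the empty certificate_authorities list the capture shows and one carrying a DN, so the DN list a server actually sends can be checked from the raw handshake bytes rather than only read off Wireshark. Function names such as parse_certificate_request, the DER helpers and the sample byte strings are this example's own assumptions.

```python
import struct
HS_CERTIFICATE_REQUEST = 13                    # HandshakeType certificate_request
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
def _tlv(buf, pos):                            # one DER TLV, short-form length only
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form DER length not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def der_name_to_str(der):                      # DER X.501 Name -> "CN=..., O=..."
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)           # SET: one RDN
        _, attr, _ = _tlv(rdn, 0)              # SEQUENCE {type, value}
        _, oid, vpos = _tlv(attr, 0)
        _, value, _ = _tlv(attr, vpos)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ", ".join(parts)

def parse_certificate_request(msg):
    """Decode a TLS 1.2 CertificateRequest handshake message (RFC 5246 7.4.4)."""
    assert msg[0] == HS_CERTIFICATE_REQUEST, "not a CertificateRequest"
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    types, pos = list(body[1:1 + body[0]]), 1 + body[0]
    (sig_len,) = struct.unpack(">H", body[pos:pos + 2])
    sigalgs = [tuple(body[i:i + 2]) for i in range(pos + 2, pos + 2 + sig_len, 2)]
    pos += 2 + sig_len
    (dn_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos, end, dns = pos + 2, pos + 2 + dn_len, []
    while pos < end:                           # each DN: uint16 length + DER Name
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        dns.append(der_name_to_str(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return {"types": types, "sigalgs": sigalgs, "dns": dns}

def _der(tag, content): return bytes([tag, len(content)]) + content
def make_cn_name(cn):                          # constructed DER Name for CN=<cn>
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def build_certificate_request(dns):            # constructed: 3 types, 23 sig algs
    sigalgs = b"".join(bytes([h, s]) for h in (2, 3, 4, 5, 6) for s in (1, 2, 3))
    sigalgs += b"".join(bytes([8, s]) for s in range(4, 12))   # 15 + 8 = 23
    dn_blob = b"".join(struct.pack(">H", len(d)) + d for d in dns)
    body = bytes([3, 1, 2, 64]) + struct.pack(">H", len(sigalgs)) + sigalgs
    body += struct.pack(">H", len(dn_blob)) + dn_blob
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body
EMPTY_DN_REQUEST = build_certificate_request([])             # 58 bytes, as captured
WITH_DN_REQUEST = build_certificate_request([make_cn_name("*.netacquire.com")])
```

To check a real server, feed the bytes of the Certificate Request handshake message exported from the capture to parse_certificate_request and look at the "dns" list; an empty list means the server sent no certificate_authorities, whatever its configuration intends.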
