[syslog-ng] TLS "trusted-dn" Question

Attila Szakács attila.szakacs at axoflow.com
Thu Mar 30 10:11:58 UTC 2023 

Hi David,

The trusted-dn() option is used for an additional verification step to
reject clients/servers, which provide a cert having such a *subject* field
that does not match with any of the patterns set in trusted-dn().

Unfortunately, I think that the first sentence in the documentation is a
bit misleading:
*Description: To accept connections only from hosts using certain
certificates signed by the trusted CAs, list the distinguished names of the
accepted certificates in this parameter. For example, using trusted-dn("*,
O=Example Inc, ST=Some-State, C=*") will accept only certificates issued
for the Example Inc organization in Some-State state.*

If I understand correctly, what you would like to achieve is defined in
https://www.ietf.org/rfc/rfc5246.txt -> 7.4.4. Certificate Request:

   certificate_authorities
      A list of the distinguished names [X501] of acceptable
      certificate_authorities, represented in DER-encoded format.  These
      distinguished names may specify a desired distinguished name for a
      root CA or for a subordinate CA; thus, this message can be used to
      describe known roots as well as a desired authorization space.  If
      the certificate_authorities list is empty, then the client MAY
      send any certificate of the appropriate ClientCertificateType,
      unless there is some external arrangement to the contrary.


This is not implemented in syslog-ng, yet, but it could be done easily
with SSL_set_client_CA_list()
<https://www.openssl.org/docs/man3.0/man3/SSL_get0_CA_list.html>:*SSL_set_client_CA_list()
sets the list of CAs sent to the client when requesting a client
certificate for the chosen ssl, overriding the setting valid for ssl's
SSL_CTX object.*

Could you kindly confirm that this is what you are looking for?

Cheers,
Attila

On Wed, Mar 29, 2023 at 8:42 PM David Hauck <davidh at netacquire.com> wrote:

> Hi,
>
> I'm currently using syslog-ng OSE v3.31.2 and trying to get a TLS
> configured endpoint to use the 'trusted-dn()' TLS option. I'm having
> trouble getting syslog-ng to return these DN specifiers in the Certificate
> Request option during the TLS negotiation so that clients can properly
> condition their supplied client certificates.
>
> I invariably see the following TLS negotiations (empty DNs list) in my
> Wireshark captures (as returned by the syslog-ng server):
>
> TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
>     Content Type: Handshake (22)
>     Version: TLS 1.2 (0x0303)
>     Length: 58
>     Handshake Protocol: Certificate Request
>         Handshake Type: Certificate Request (13)
>         Length: 54
>         Certificate types count: 3
>         Certificate types (3 types)
>         Signature Hash Algorithms Length: 46
>         Signature Hash Algorithms (23 algorithms)
>         Distinguished Names Length: 0                          <-----
> always '0'
>
> In these cases my clients choose random client certificates that can't be
> refined to certificates signed by those expected (via the 'trusted-dn()'
> values) by the server and the connection is immediately closed.
>
> Here's the syslog-ng.conf entry for these sources:
>
> source s_515_tls {
>    network( transport(tls) port(515) ip-protocol(6)
>       tls(ca-dir("/etc/ssl/certs") key-file("/root/naservers.key")
> cert-file("/root/naservers.cer")
>          peer-verify(required-trusted) trusted-dn("CN=*.netacquire.com"))
> );
> };
>
> I've tried several variants of the 'trusted-dn()' values, including other
> wildcards for country, state, etc. I always see a DNs list of zero size in
> the TLS Certificate Request option returned by the server. As expected
> switching to 'peer-verify(required-untrusted)' results in successful
> negotiation (with expected server-side errors indicating problems
> associated with the client certificates) and subsequent successful
> client/server logging.
>
> I figure I must be missing something obvious ;). Any ideas?
>
> Here's my syslog-ng version info:
>
> [logdest:~]# syslog-ng --version
> syslog-ng 3 (3.31.2)
> Config version: 3.29
> Installer-Version: 3.31.2
> Revision:
> Compile-Date: Nov  9 2021 12:52:59
> Module-Directory: /usr/lib/syslog-ng
> Module-Path: /usr/lib/syslog-ng
> Include-Path: /usr/share/syslog-ng/include
> Available-Modules:
> tfgetent,mod-python,cryptofuncs,hook-commands,kvformat,cef,afuser,linux-kmsg-format,map-value-pairs,system-source,azure-auth-header,csvparser,affile,afprog,secure-logging,http,examples,timestamp,afsocket,confgen,stardate,dbparser,xml,disk-buffer,appmodel,afsnmp,add-contextual-data,afstomp,graphite,json-plugin,basicfuncs,syslogformat,pseudofile,tags-parser
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: off
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: on
> Enable-Systemd: off
>
> Thanks,
> -David
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20230330/1aeea544/attachment-0001.htm>

More information about the syslog-ng mailing list