[syslog-ng] CRL handling in syslog
Shankar Pramanik
spramanik at infoblox.com
Fri Feb 14 07:04:57 UTC 2025
I've configured syslog-ng 3.35.1 to use CRLs but things aren't working as expected. This is what I've done:
1. Create a self-signed CA and use it to sign a server certificate. The server certificate has a CRL distribution point in it.
2. Revoke the server certificate. Generate the revoked CRL and put it on the syslog client under /etc/syslog-ng/crl in PEM format. There's a <issuer hash>.r0 link to the CRL in this directory.
3. Configure ca-dir and crl-dir in the client's syslog config. Configure the client to connect to the remote syslog server.
With this setup, I'd expect the syslog client to reject the server certificate since it's revoked, but that doesn't happen. The TLS handshake and subsequent communication is successful.
Is there anything that I'm missing? Any pointers will be appreciated. I can provide additional details of my setup if needed.
Thanks!
Shankar.
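Added diagnostic, not from the original post or from the syslog-ng project: a shell script that uses OpenSSL alone to check the two things the setup above depends on, that the crl-dir holds the `<issuer-hash>.r0` entry OpenSSL's lookup-by-hash expects for the CA (including the old-style-hash naming mistake), and that OpenSSL itself rejects the server certificate as revoked when given that CRL. File names and the CA/CRL inputs are assumptions.

```shell
#!/bin/sh
# Added example (not syslog-ng code): sanity-check a crl-dir layout and the
# revocation status of a server cert with plain OpenSSL. Paths are assumptions.
set -eu

# Print the file name OpenSSL looks for in a CRL directory: <issuer-hash>.r0,
# where the hash is the CA subject hash as computed by OpenSSL >= 1.0.0.
crl_link_name() {
  echo "$(openssl crl -in "$1" -noout -hash).r0"
}

# check_crl_dir CA_CERT CRL_DIR
# Returns 0 when CRL_DIR has a <hash>.r0 entry for CA_CERT's subject hash and
# that entry is a CRL whose signature verifies against CA_CERT.
check_crl_dir() {
  ca=$1; dir=$2
  new=$(openssl x509 -in "$ca" -noout -hash)
  old=$(openssl x509 -in "$ca" -noout -subject_hash_old)
  if [ ! -e "$dir/$new.r0" ]; then
    if [ -e "$dir/$old.r0" ]; then
      echo "crl-dir: $old.r0 uses the old-style hash; OpenSSL looks for $new.r0" >&2
    else
      echo "crl-dir: no $new.r0 entry for $(openssl x509 -in "$ca" -noout -subject)" >&2
    fi
    return 1
  fi
  if ! openssl crl -in "$dir/$new.r0" -verify -CAfile "$ca" -noout >/dev/null 2>&1; then
    echo "crl-dir: $new.r0 is not a CRL signed by $ca" >&2
    return 1
  fi
  return 0
}

# check_revoked CA_CERT CRL_FILE SERVER_CERT
# Returns 0 only if OpenSSL, consulting CRL_FILE, rejects SERVER_CERT as revoked.
# If this passes but the syslog-ng handshake still succeeds, the CRL material is
# fine and the remaining suspects are on the syslog-ng side (e.g. peer-verify()).
check_revoked() {
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1 || true)
  case $out in
    *"certificate revoked"*) return 0 ;;
  esac
  echo "openssl verify did not report revocation: $out" >&2
  return 1
}
```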