[syslog-ng] CRL handling in syslog
Shankar Pramanik
spramanik at infoblox.com
Tue Feb 18 06:17:40 UTC 2025
Hi Peter,
Apologies, I should’ve updated earlier. I had missed something during my testing and it appeared to me that things weren’t working as expected.
I spent some more time on this, and things do work as expected in the 3.35.1 release.
Thank you,
Shankar.
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Peter Czanik (pczanik)
Sent: 18 February 2025 11:29
To: syslog-ng at lists.balabit.hu
Cc: Pritam Pal Singh <singhp at infoblox.com>; M P Singh <msingh3 at infoblox.com>; Vijaya Kumar Mukka <vmukka at infoblox.com>; Patrick McEvoy <pmcevoy at infoblox.com>; Kevin Sheehan <ksheehan at infoblox.com>; Michael Winslow <mwinslow at infoblox.com>
Subject: Re: [syslog-ng] CRL handling in syslog
Hi Shankar,
Could you test this on the latest syslog-ng release? Note that I never used this syslog-ng feature. I'm asking you this, as 4.8.1 is where development happens, and where we can fix it, if there is a problem.
Peter
Peter Czanik (CzP) <peter.czanik at oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Shankar Pramanik <spramanik at infoblox.com>
Sent: Friday, February 14, 2025 08:04
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Cc: Pritam Pal Singh <singhp at infoblox.com>; M P Singh <msingh3 at infoblox.com>; Vijaya Kumar Mukka <vmukka at infoblox.com>; Patrick McEvoy <pmcevoy at infoblox.com>; Kevin Sheehan <ksheehan at infoblox.com>; Michael Winslow <mwinslow at infoblox.com>
Subject: [syslog-ng] CRL handling in syslog
I’ve configured syslog-ng 3.35.1 to use CRLs but things aren’t working as expected. This is what I’ve done:
1. Create a self-signed CA and use it to sign a server certificate. The server certificate has a CRL distribution point in it.
2. Revoke the server certificate. Generate the revoked CRL and put it on the syslog client under /etc/syslog-ng/crl in PEM format. There’s a <issuer hash>.r0 link to the CRL in this directory.
3. Configure ca-dir and crl-dir in the client’s syslog config. Configure the client to connect to the remote syslog server.
With this setup, I’d expect the syslog client to reject the server certificate since it’s revoked, but that doesn’t happen. The TLS handshake and subsequent communication are successful.
Is there anything that I’m missing? Any pointers will be appreciated. I can provide additional details of my setup if needed.
Thanks!
Shankar.
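The three steps above, reproduced offline as an added example that is not part of this thread or of syslog-ng itself: a throwaway CA issues a server certificate with a CRL distribution point, the certificate is revoked, the CRL is published as `<issuer hash>.r0`, and the material is then checked the way a CRL-checking TLS client must treat it. It assumes an `openssl` binary is on the path; the hostnames, URLs, directories and the syslog-ng destination fragment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: recreate the three steps offline with openssl
# (CA, server cert with a CRL distribution point, revocation, CRL published as
# <issuer hash>.r0) and check the material as a CRL-checking TLS client would.
# Hostnames, URLs and directories are constructed placeholders.
set -eu
WORK=$(mktemp -d); CADIR="$WORK/ca"; CRLDIR="$WORK/crl"   # stand-ins for ca-dir()/crl-dir()
mkdir -p "$CADIR" "$CRLDIR" "$WORK/db"; : > "$WORK/db/index.txt"; echo 01 > "$WORK/db/crlnumber"
# Minimal config so `openssl ca -revoke` and `-gencrl` can keep the CA database.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $WORK/db/index.txt
crlnumber = $WORK/db/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
# Step 1: self-signed CA, then a server certificate carrying a CRL distribution point.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=syslog.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
echo "crlDistributionPoints=URI:http://crl.example.test/test-ca.crl" > "$WORK/ext.cnf"
openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
# Step 2: revoke it, generate the CRL, publish it under the hashed <issuer hash>.r0 name
# used by hash-directory lookups; the CA cert gets the matching <subject hash>.0 name.
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server.crt" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
CRL_LINK="$CRLDIR/$(openssl crl -hash -noout -in "$WORK/ca.crl").r0"; ln -s "$WORK/ca.crl" "$CRL_LINK"
ln -s "$WORK/ca.crt" "$CADIR/$(openssl x509 -hash -noout -in "$WORK/ca.crt").0"
# Step 3 is the client-side syslog-ng configuration (hypothetical destination, not loaded here):
cat > "$WORK/syslog-ng.conf.fragment" <<'EOF'
destination d_tls { network("syslog.example.test" port(6514) transport("tls")
  tls(ca-dir("/etc/syslog-ng/ca") crl-dir("/etc/syslog-ng/crl") peer-verify(required-trusted))); };
EOF
# What a client must do with that material: verify the chain and, with CRL checking on,
# consult the CRL. $2 = "crl" enables the check; without it the revoked certificate still
# verifies, which is exactly the "handshake succeeds" symptom described in the thread.
check_server_cert() {
  flags=""; [ "${2:-}" = crl ] && flags="-crl_check -CRLfile $CRL_LINK"
  if openssl verify $flags -CApath "$CADIR" "$1" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}
echo "without CRL check: $(check_server_cert "$WORK/server.crt")"      # accepted
echo "with CRL check:    $(check_server_cert "$WORK/server.crt" crl)"  # rejected
```

If the revoked certificate is still accepted with the check enabled, the first things to confirm are that the `.r0` name matches `openssl crl -hash` of the CRL actually in the directory and that the CRL is signed by the CA found in `ca-dir`.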