Bug #10393

closed

Syslog-ng TLS support is broken

Added by Daniel Fariña almost 4 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
syslog-ng
Target version:
-
Start date:
03/30/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

The TLS support currently is broken because the CA certificate file name is not correct. For this reason the client's certificate can't be verified.

Currently the CA certificate is being stored as "cacert.pem" but as you can see in the syslog-ng documentation [https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/56] it must be "$distinguished_name_hash.0".


    Copy the CA certificate (for example cacert.pem) of the Certificate Authority that issued the certificate of the syslog-ng clients to the syslog-ng server, for example into the /opt/syslog-ng/etc/syslog-ng/ca.d directory.

    Issue the following command on the certificate: openssl x509 -noout -hash -in cacert.pem The result is a hash (for example 6d2962a8), a series of alphanumeric characters based on the Distinguished Name of the certificate.

    Issue the following command to create a symbolic link to the certificate that uses the hash returned by the previous command and the .0 suffix.

Related PR: https://github.com/pfsense/FreeBSD-ports/pull/804
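
The naming rule quoted in the description can be checked on a running system. The following is an added example, not part of the original ticket or the pfSense package: it audits a CA directory and reports any certificate that is not reachable under its `<hash>.0` name. The function names are hypothetical, and only the `.0` suffix mentioned in the ticket is handled.

```shell
#!/bin/sh
# Added example: audit a syslog-ng CA directory for hash-named CA certificates.
# Usage (after sourcing this file): audit_ca_dir /var/etc/syslog-ng/ca.d

# Print the file name the documentation quoted above requires for a
# certificate: the subject hash followed by ".0".
expected_ca_name() {
    hash=$(openssl x509 -noout -hash -in "$1" 2>/dev/null) || return 1
    printf '%s.0\n' "$hash"
}

# Check every file in the directory. Returns 0 only if at least one
# certificate is present and each one is also available, with identical
# content, under its hash name (as a copy or as a symbolic link).
audit_ca_dir() {
    dir=$1
    found=0
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        want=$(expected_ca_name "$f") || {
            echo "SKIP     $f (not a readable certificate)"
            continue
        }
        found=$((found + 1))
        if [ -e "$dir/$want" ] && cmp -s "$f" "$dir/$want"; then
            echo "OK       $f (reachable as $want)"
        else
            echo "MISSING  $dir/$want for $f"
            bad=$((bad + 1))
        fi
    done
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}
```

A directory holding only `cacert.pem` fails the audit; once the hash-named link or copy exists, both entries report OK.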

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Category set to syslog-ng
  • Status changed from New to Pull Request Review
Actions #2

Updated by Renato Botelho almost 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #3

Updated by Renato Botelho almost 2 years ago

  • Assignee deleted (Renato Botelho)
Actions #4

Updated by Danilo Zrenjanin over 1 year ago

  • Status changed from Feedback to Resolved

Tested against Syslog-ng 1.15_13 version.

The CA cert name is stored in the appropriate naming format:

/var/etc/syslog-ng/ca.d: ls
95267d46.0

Ticket resolved.
