There are two main reason why a TLS encrypted message transfer does not work.
In both cases syslog-ng generates an error message. TLS error message are usually logged on both the client and server side.
Error message:
Error opening TLS file; filename='/opt/syslog-ng/etc/certx', error='No such file or directory (2)'
Resolution:
Correct the certificate path in cert-file() configuration option.
Error message:
Error setting up TLS session context; tls_error='system library:fopen:Permission denied'
Resolution:
Check the permissions of the certificate files. It has to be owned by the user who runs syslog-ng, even in case of root user.
Error message:
client - SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Resolution:
The server or the client (mutual auth) has a certificate which has been issued by an unknown CA.
CA certificate should be placed in the directory set by ca-dir() configuration option and hash link has to be created.
See attached documentation for details.
Check if the issuer CA certificate of the peer's certificate is placed and hashed in the configured ca-dir().
openssl verify -CApath ca-dir() -in PEER-CERT
Error message:
client - SSL error while writing stream; tls_error='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_hello:no shared cipher'
Resolution:
Check the existence and the value of the configuration options cert-file() or key-file().
Error message:
client - SSL error while writing stream; tls_error='SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_certificate:peer did not return a certificate'
Resolution:
Check the existence and the value of the configuration options cert-file() or key-file().
Error message:
client - Error setting up TLS session context; tls_error='SSL routines:SSL_CTX_set_cipher_list:no cipher match'
server - SSL error while reading stream; tls_error='SSL routines:ssl23_read:ssl handshake failure'
Resolution:
The error indicates that there is no common cipher available on the client and server.
Information about supported ciphers.
List of available ciphers on the server:
nmap --script ssl-enum-ciphers IP -p PORT
List of available ciphers on the client:
Note: Available only on syslog-ng PE 7.0.19 and later.
/opt/syslog-ng/bin/openssl ciphers -v
Alternatively, a TLS source can be configured on the client with cipher-suite("ALL") option. Then, check the available ciphers the same way as the server.
Error message:
client - Certificate subject does not match configured hostname; hostname='192.168.1.1', certificate='192.168.2.2' SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert internal error'
Resolution:
The example logs show the error when the certificate is generated for a different host, or the certificate is generated for the value of CN= field is a DNS name but the destination is configured with IP address.
There can be various issue with a certificate, which is indicated in a "Certificate validation failed" error message.
Check the certificate:
openssl x509 -text -noout -in CERT
Check the TLS connection from the client:
openssl s_client -connect IP:PORT -CApath ca-dir()
For mutual authentication add "-key KEY -cert CERT" options to use the key and certificate of the client.
Error message:
client - SSL error while writing stream; tls_error='SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_certificate:certificate verify failed'
Resolution:
The certificate used by syslog-ng is revoked by the CA. You have to generate a new certificate in your PKI.
Error message:
client - SSL error while writing stream; tls_error='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_hello:no shared cipher'
Resolution 1: (recommended)
Set 'Weak' cipher suite on the TLS enabled log source of the Syslog-ng Store Box at Log | Sources.
Resolution 2:
WARNING!
This solution is working but not tested, you may notice TLS related issues during the operation.
Use this resolution only if using SSLv3 on your syslog-ng Store Box is not allowed by security.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center