-
Title
Common issues of TLS encrypted message transfer -
Description
Common issues of TLS encrypted message transfer -
Resolution
There are two main reason why a TLS encrypted message transfer does not work.
- Configuration issue, a TLS option is missing or wrong value is set
- Incorrect certificate
In both cases syslog-ng generates an error message. TLS error message are usually logged on both the client and server side.
See more information in "Additional information" section for:
- configuring TLS encrypted message transfer
- troubleshooting of syslog-ng or SSB
The most common issues with relevant error messages and resolutions.
Wrong path set in an option
Error message:
Error opening TLS file; filename='/opt/syslog-ng/etc/certx', error='No such file or directory (2)'
Resolution:
Correct the certificate path in cert-file() configuration option.
Incorrect file permissions
Error message:
Error setting up TLS session context; tls_error='system library:fopen:Permission denied'
Resolution:
Check the permissions of the certificate files. It has to be owned by the user who runs syslog-ng, even in case of root user.
Unknown Root CA
Error message:
client - SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Resolution:
The server or the client (mutual auth) has a certificate which has been issued by an unknown CA.
CA certificate should be placed in the directory set by ca-dir() configuration option and hash link has to be created.
See attached documentation for details.Check if the issuer CA certificate of the peer's certificate is placed and hashed in the configured ca-dir().
openssl verify -CApath ca-dir() -in PEER-CERT
Missing certificate, key file or relevant configuration object.
Error message:
client - SSL error while writing stream; tls_error='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_hello:no shared cipher'
Resolution:
Check the existence and the value of the configuration options cert-file() or key-file().
Mutual authentication, client certificate is not present
Error message:
client - SSL error while writing stream; tls_error='SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_certificate:peer did not return a certificate'
Resolution:
Check the existence and the value of the configuration options cert-file() or key-file().
No matching cipher suite
Error message:
client - Error setting up TLS session context; tls_error='SSL routines:SSL_CTX_set_cipher_list:no cipher match'
server - SSL error while reading stream; tls_error='SSL routines:ssl23_read:ssl handshake failure'
Resolution:
The error indicates that there is no common cipher available on the client and server.
- In the case of cipher-suite() and/or ssl-options() (PE 7 only) are not configured, the OpenSSL library shipped with syslog-ng determines the enabled ciphers.
The issue can be resolved by using the same versions of syslog-ng, that should be the latest. - Otherwise, modify cipher-suite() and/or ssl-options() to set matching cipher suites between the client and server.
Information about supported ciphers.
List of available ciphers on the server:
nmap --script ssl-enum-ciphers IP -p PORT
List of available ciphers on the client:
Note: Available only on syslog-ng PE 7.0.19 and later./opt/syslog-ng/bin/openssl ciphers -v
Alternatively, a TLS source can be configured on the client with cipher-suite("ALL") option. Then, check the available ciphers the same way as the server.
Incorrect certificate
Error message:
client - Certificate subject does not match configured hostname; hostname='192.168.1.1', certificate='192.168.2.2' SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert internal error'
Resolution:
The example logs show the error when the certificate is generated for a different host, or the certificate is generated for the value of CN= field is a DNS name but the destination is configured with IP address.
There can be various issue with a certificate, which is indicated in a "Certificate validation failed" error message.
Check the certificate:
openssl x509 -text -noout -in CERT
Check the TLS connection from the client:
openssl s_client -connect IP:PORT -CApath ca-dir()
For mutual authentication add "-key KEY -cert CERT" options to use the key and certificate of the client.
Revoked CRL
Error message:
client - SSL error while writing stream; tls_error='SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_certificate:certificate verify failed'
Resolution:
The certificate used by syslog-ng is revoked by the CA. You have to generate a new certificate in your PKI.
syslog-ng Agent for Windows can't send logs to Syslog-ng Store Box using strong TLS encryption
Error message:
client - SSL error while writing stream; tls_error='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
server - SSL error while reading stream; tls_error='SSL routines:ssl3_get_client_hello:no shared cipher'
Resolution 1: (recommended)
Set 'Weak' cipher suite on the TLS enabled log source of the Syslog-ng Store Box at Log | Sources.
Resolution 2:
WARNING!
This solution is working but not tested, you may notice TLS related issues during the operation.
Use this resolution only if using SSLv3 on your syslog-ng Store Box is not allowed by security.
- Navigate to syslog-ng Agent installation directory (c:\Program Files\syslog-ng Agent\bin)
- Create a backup of the following dll files: libeay32.dll ssleay32.dll
- Extract the attached zip file overwriting the dll files
- Restart Syslog-ng Agent service
-
Attachments
-
Additional Information