8.10. TLS options

The syslog-ng application is able to encrypt incoming and outgoing syslog message flows using SSL/TLS, if the TCP transport protocol (the tcp() or tcp6() sources or destinations) is used.

[Note] Note

The format of the TLS connections used by syslog-ng is similar to using syslog-ng and stunnel, but the source IP information is not lost.

To encrypt connections, use the tls() option in the source and destination statements.

The tls() option can include the following settings:

Name: ca_dir()
  Accepted values: Directory name
  Default: none
  Description: Name of a directory that contains a set of trusted CA certificates in PEM format. The CA certificate files have to be named after the 32-bit hash of the subject's name. This naming can be created using the c_rehash utility in openssl.

Name: cert_file()
  Accepted values: Filename
  Default: none
  Description: Name of a file that contains an X.509 certificate in PEM format, suitable as a TLS certificate, matching the private key.

Name: crl_dir()
  Accepted values: Directory name
  Default: none
  Description: Name of a directory that contains the Certificate Revocation Lists for trusted CAs. Similarly to ca_dir() files, use the 32-bit hash of the name of the issuing CAs as filenames. The extension of the files must be .r0.

Name: key_file()
  Accepted values: Filename
  Default: none
  Description: Name of a file that contains an unencrypted private key in PEM format, suitable as a TLS key.

Name: peer_verify()
  Accepted values: optional-trusted | optional-untrusted | required-trusted | required-untrusted
  Default: required-trusted
  Description: Verification method of the peer. The four possible values are combinations of two properties of validation: whether the peer is required to provide a certificate (required or optional prefix), and whether the certificate provided needs to be trusted or not. For untrusted certificates only the existence of the certificate is checked, but it does not have to be valid: syslog-ng accepts the certificate even if it is expired, signed by an unknown CA, or its CN and the name of the machine mismatch.

Name: trusted_dn()
  Accepted values: list of accepted distinguished names
  Default: none
  Description: To accept connections only from hosts using certain certificates signed by the trusted CAs, list the distinguished names of the accepted certificates in this parameter. E.g., using trusted_dn("*, O=Example Inc, ST=Some-State, C=*") will accept only certificates issued for the Example Inc organization in Some-State state.

Name: trusted_keys()
  Accepted values: list of accepted SHA-1 fingerprints
  Default: none
  Description: To accept connections only from hosts using certain certificates having specific SHA-1 fingerprints, list the fingerprints of the accepted certificates in this parameter. E.g., trusted_keys("SHA1:00:EF:ED:A4:CE:00:D1:14:A4:AB:43:00:EF:00:91:85:FF:89:28:8F", "SHA1:0C:42:00:3E:B2:60:36:64:00:E2:83:F0:80:46:AD:00:A8:9D:00:15").

Table 8.24. List of TLS options


[Note] Note

When using the trusted_keys() and trusted_dn() parameters, note the following:

  • First, the trusted_keys() parameter is checked. If the fingerprint of the peer is listed, the certificate validation is performed.

  • If the fingerprint of the peer is not listed in the trusted_keys() parameter, the trusted_dn() parameter is checked. If the DN of the peer is not listed in the trusted_dn() parameter, the authentication of the peer fails and the connection is closed.
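As an added example (not a configuration from the original guide), the following syslog-ng configuration fragment uses the options from the TLS option list in both directions, and applies trusted_keys() and trusted_dn() in the order the note above describes: a server-side source that requires a trusted client certificate and further restricts which peers are accepted, and a client-side destination that forwards to that server and verifies its certificate. The file paths, the host name, the IP address and the port number are assumed values chosen for the example; the fingerprint is the first one quoted in the trusted_keys() description.

```conf
# Added example; paths, host name, address and port are assumed values.

# Server side: accept TLS-encrypted syslog from clients on port 6514.
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            # Trusted CA certificates in PEM format; the files are named
            # after the 32-bit subject-name hash (run c_rehash on the directory).
            ca_dir("/etc/syslog-ng/ca.d")
            # CRLs of those CAs, named the same way but with the .r0 extension.
            crl_dir("/etc/syslog-ng/crl.d")
            # This host's own certificate and its unencrypted private key.
            cert_file("/etc/syslog-ng/cert.d/servercert.pem")
            key_file("/etc/syslog-ng/cert.d/serverkey.pem")
            # The default, spelled out: the client must present a certificate
            # and it must be trusted (valid, signed by a CA from ca_dir()).
            peer_verify(required-trusted)
            # Checked first: a peer whose SHA-1 fingerprint is listed here
            # proceeds to certificate validation.
            trusted_keys("SHA1:00:EF:ED:A4:CE:00:D1:14:A4:AB:43:00:EF:00:91:85:FF:89:28:8F")
            # Checked for peers not listed above: only certificates issued to
            # Example Inc in Some-State are accepted; other peers are closed.
            trusted_dn("*, O=Example Inc, ST=Some-State, C=*")
        )
    );
};

destination d_remote_log { file("/var/log/remote.log"); };
log { source(s_tls); destination(d_remote_log); };

# Client side: forward local messages to the server over TLS.
source s_local { internal(); unix-stream("/dev/log"); };
destination d_tls {
    tcp("logserver.example.com" port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            cert_file("/etc/syslog-ng/cert.d/clientcert.pem")
            key_file("/etc/syslog-ng/cert.d/clientkey.pem")
            # Require the server to present a certificate signed by a trusted CA.
            peer_verify(required-trusted)
        )
    );
};
log { source(s_local); destination(d_tls); };
```

The two halves belong in the syslog-ng.conf of the two hosts: the first block on the log server, the second on each client. Leaving peer_verify() at its default on both sides means an expired certificate, one signed by an unknown CA, or a CN that does not match the host name is rejected; the untrusted variants only check that a certificate exists, so they should be reserved for testing.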


© 2007-2008 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com