Encrypting traffic to a remote syslog-ng server including SSL peer authentication
1. Install stunnel and syslog-ng on all machines.
2. Create certificates for all machines. On RedHat 9 and similar machines, you can do the following as root:
# cd /etc/pki/tls/certs
# make syslog-ng-server.pem
# make syslog-ng-client.pem
3. Place copies of syslog-ng-server.pem on all machines in /etc/stunnel, with one important alteration: the clients only need the certificate section of syslog-ng-server.pem. In other words, remove the private key section from syslog-ng-server.pem on all clients. Place every client's syslog-ng-client.pem in /etc/stunnel. For the server, create a special syslog-ng-client.pem containing the certificate sections of all clients and place it in /etc/stunnel. In other words, remove the private key sections from all syslog-ng-client.pem files and concatenate what is left to create the server's special syslog-ng-client.pem.
OK, my question is this: the above says to create one syslog-ng-client.pem file per client. 1) Do the names for each of these need to remain syslog-ng-client.pem, or can they have names that reflect the host they are on? 2) If they all need to keep that name, do I just move the client file to one client/host, then delete it from the server, then move on to create the next?
On Tue, 14 Feb 2006, Anthony Cicalla wrote:
> OK, my question is this: the above says to create one syslog-ng-client.pem file per client. 1) Do the names for each of these need to remain syslog-ng-client.pem, or can they have names that reflect the host they are on? 2) If they all need to keep that name, do I just move the client file to one client/host, then delete it from the server, then move on to create the next?
You might want to check the configuration file manpage: http://www.stunnel.org/faq/stunnel.html#configuration_file
There you will find:
cert = pemfile certificate chain PEM file name
A PEM is always needed in server mode. Specifying this flag in client mode will use this certificate chain as a client side certificate chain. Using client side certs is optional. The certificates must be in PEM format and must be sorted starting with the certificate to the highest level (root CA).
And, as things go with files, you can give them any name you desire, as long as the filename and the name in the configuration directive that needs it are the same.
If your question is about the naming on the server side and you want to use the CApath directive for verification of client certificates, the naming is not relevant, but this is:
"This is the directory in which stunnel will look for certificates when using the verify. Note that the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the cert."
Hope this helps.
Jan
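As an added example (not from the original thread or from stunnel itself), the shell functions below do the two mechanical parts discussed above: stripping the private key out of a key+cert PEM as step 3 requires, and installing each client's certificate into a CApath directory under the `<hash>.N` name that stunnel's verify lookup expects. It assumes `openssl` is on PATH; the directory and file names are the caller's choice.

```sh
#!/bin/sh
# install_client_ca CAPATH PEMFILE
#   Copies only the CERTIFICATE block of PEMFILE (e.g. a client's
#   syslog-ng-client.pem holding key + cert) into CAPATH as <subject-hash>.N
#   and prints the installed path. Assumes openssl is available.
install_client_ca() {
    capath=$1
    pemfile=$2
    mkdir -p "$capath" || return 1
    # openssl x509 reads only the CERTIFICATE block, so the private key
    # that sits in the same file never reaches the server side.
    hash=$(openssl x509 -in "$pemfile" -noout -hash) || return 1
    n=0
    # Certificates with the same subject share a hash (easy to get when
    # every client cert was made with the same defaults). The CApath
    # lookup tries .0, .1, .2 ... so use the first free suffix.
    while [ -e "$capath/$hash.$n" ]; do
        n=$((n + 1))
    done
    openssl x509 -in "$pemfile" -out "$capath/$hash.$n" || return 1
    echo "$capath/$hash.$n"
}

# strip_key IN OUT
#   Writes the certificate-only copy of IN to OUT; this is what the
#   clients need from syslog-ng-server.pem.
strip_key() {
    openssl x509 -in "$1" -out "$2"
}
```

Each client's PEM can be passed to `install_client_ca` in turn, so the per-client files never need to share a name on the server; the server's stunnel.conf then points `CApath` at the directory.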