Space banner This space provides the same content as before, but the organization of the home page has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.

Client certificates

Client certificates operate similarly to server certificates, but the flow is in the opposite direction. For more information, see the diagram in the SSL/TLS overview. A certificate authority (CA) always signs client certificates, as its only purpose is to authenticate the client to the server. The server certificate and DH key exchange already provide encryption. With client certificates enabled, a TLS listener refuses connections unless the session partner is verified as one of the clients named in the configuration file.

If you configure BMC Defender SyslogDefender to require client certificates, you can have a public internet-facing TLS listener and prevent anyone from simulating legitimate syslog traffic, such as by injecting messages purporting to come from a firewall that had actually been disabled.

To have listen_tls verification, a client certificate must have an X.509v3 Extended Key Usage that includes TLS web client authentication. The certificate might specify the name of the client in the common name (CN) field or in one of the X.509v3 Subject Alternative Name fields. For more information, see Certificate-name-wildcards.

To enable client certificates

  1. Specify certificate= and keyfile= in the SyslogSender configuration file or under the [output_tls_n] section in the SyslogDefender configuration file.
  2. Specify verify_names= and ca_file= and/or ca_path= under the [listen_tls_n] section in the SyslogDefender configuration file.

While searching for CA certificates, SyslogDefender first searches the certificates in ca_file, then those in ca_path. Certificate matching is based on the subject name, the key identifier (if present), and the serial number taken from the certificate to be verified. If the data does not match, SyslogDefender tries the next certificate. When SyslogDefender finds the first matching certificate, it performs the verification process. If verification fails, it does not search for other certificates.

If you use ca_path to point to a folder, the folder must contain the following items:

  • One or more CA certificates in PEM format, with the .pem extension
  • Symlinks to the CA certificates with names that are named by CA hash values

For more information, see https://www.openssl.org/docs/man1.0.2/apps/c_rehash.html.

Note

SyslogDefender does not support sending a list of valid client certificate CAs from the server and does not support clients that request such a list.

Related topics

Planning

SSL-TLS-overview


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*