TLS on syslog

Hello,

Kindly review configuration parameters using below KBA:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/LogsConfigureSecureSyslogServerWithExternalCertificate/index.html#introduction

If still an issue, you can review by capturing the packet capture on the Sophos.

Hi, 

I don't get the role of Default CA certificate (Default.pem) here.

1) Specify the attributes and details of the default CA on Sophos Firewall.
Why I need default CA. Sophos should trust CA that sign syslog-ng.crt.
2) Copy the default and external CA certificates, the external certificate, and the external key to the syslog server.
On the syslog server should by our CA in trust store and syslog-ng.crt and syslog-ng.key signed by our CA.

In short: Our CA cert should be on both trust stores and syslog-ng using certificate signed by our CA. Then Sophos should verify syslog-ng server.

In a mutual TLS authentication setup between Sophos Firewall (client) and syslog-ng (Arcsight) server, both sides need to authenticate each other using certificates signed by a trusted external CA. While both Sophos and Arcsight already have the external CA, the Sophos CA is missing from the Arcsight server's trust store, which is causing the connection issue. Unlike browser-based TLS where only the server is authenticated, mutual TLS requires both the client (Sophos) and the server (Arcsight) to trust each other's certificates.

In your TLS handshake, the connection fails after the Client Key Exchange with an Encrypted Alert, indicating that Arcsight cannot verify the certificate presented by Sophos. To resolve this, the Sophos CA must be imported into Arcsight's trust store, allowing it to verify Sophos’s client certificate and successfully establish mutual authentication.

In a mutual TLS authentication setup between Sophos Firewall (client) and syslog-ng (Arcsight) server, both sides need to authenticate each other using certificates signed by a trusted external CA. While both Sophos and Arcsight already have the external CA, the Sophos CA is missing from the Arcsight server's trust store, which is causing the connection issue. Unlike browser-based TLS where only the server is authenticated, mutual TLS requires both the client (Sophos) and the server (Arcsight) to trust each other's certificates.

In your TLS handshake, the connection fails after the Client Key Exchange with an Encrypted Alert, indicating that Arcsight cannot verify the certificate presented by Sophos. To resolve this, the Sophos CA must be imported into Arcsight's trust store, allowing it to verify Sophos’s client certificate and successfully establish mutual authentication.

Thanks for clarify. I will review arcsight trust store. I have Sophos CA in it, but maybe it is in wrong format.

Hello,

You may use converter.

www.sslshopper.com/ssl-converter.html

Indeed it is look like certificate problem. However, both CA certificates are in the trust store (pem format) and with server certificated configured in the connector properties.