Hi Attila,

I updated the code, compiled it and tested the changes. The changes work as expected. Thanks for addressing the issue in such a short time.

Follow-up question: When will this change get merged into the master branch? Also, when will this get packaged in the Debian package?

Thanks
Raghu

On Tue, Sep 17, 2019 at 4:27 PM Attila Szakacs (aszakacs) <Attila.Szakacs@oneidentity.com> wrote:
Hi Raghu,
Currently we are not sending the SNI extension in the Client Hello message. However, I made a PR to implement this: https://github.com/balabit/syslog-ng/pull/2930
Can you build syslog-ng from source? It would be great if you tested the PR.
Best regards,
Attila

------------------------------
*From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu@gmail.com>
*Sent:* Tuesday, September 17, 2019 9:05 AM
*To:* syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
*Subject:* [syslog-ng] Enable SNI (Server Name Identification) in TLS connection
Hi,
I am using TLS over TCP connection to forward my syslog events to a remote server. My remote server uses SNI (Server Name Identification) to route connections/events to one of the available backend servers.
I observe that syslog-ng doesn't send SNI during TLS handshake.
How can I enable it?
My configuration is as follows:
===================================
source s_net { syslog(transport(udp) port(1514)); };

destination d_tcp {
    tcp("XX.example.net" port(96)
        tls(
            peer-verify(required-untrusted)
            ca_dir("/etc/syslog-ng/ssl")
            key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
            cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
        )
    );
};

log { source(s_net); destination(d_tcp); };
===================================
I want syslog-ng to send XX.example.net as SNI to my remote server.
Please advise
Thanks Raghu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq