Hi Raghu,

Currently we are not sending SNI extension in the Client Hello message.
However, I made a PR to implement this: https://github.com/balabit/syslog-ng/pull/2930

Can you build syslog-ng from source? It would be great, if you tested the PR.

Best regards,
Attila
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu@gmail.com>
Sent: Tuesday, September 17, 2019 9:05 AM
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection
 
CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hi,

I am using TLS over TCP connection to forward my syslog events to a remote server.
My remote server uses SNI (Server Name Identification) to route connections/events to one of the available backend servers.

I observe that syslog-ng doesn't send SNI during TLS handshake.

How can I enable it?

My configuration is as follows:

===================================
source s_net { syslog(transport(udp) port(1514)); };
destination d_tcp {
        tcp(
                "XX.example.net"
                port(96)
                tls(
                        peer-verify(required-untrusted)
                        ca_dir("/etc/syslog-ng/ssl")
                        key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
                        cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
                  )
        );
};
log {
        source(s_net);
        destination(d_tcp);
};
===================================

I want syslog-ng to send XX.example.net as SNI to my remote server

Please advise

Thanks
Raghu