[syslog-ng] Enable SNI (Server Name Identification) in TLS connection

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Tue Sep 17 10:57:14 UTC 2019


Hi Raghu,

Currently we are not sending SNI extension in the Client Hello message.
However, I made a PR to implement this: https://github.com/balabit/syslog-ng/pull/2930

Can you build syslog-ng from source? It would be great if you tested the PR.

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu at gmail.com>
Sent: Tuesday, September 17, 2019 9:05 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection


Hi,

I am using TLS over TCP connection to forward my syslog events to a remote server.
My remote server uses SNI (Server Name Identification) to route connections/events to one of the available backend servers.

I observe that syslog-ng doesn't send SNI during TLS handshake.

How can I enable it?

My configuration is as follows:

===================================
source s_net { syslog(transport(udp) port(1514)); };
destination d_tcp {
        tcp(
                "XX.example.net"
                port(96)
                tls(
                        peer-verify(required-untrusted)
                        ca_dir("/etc/syslog-ng/ssl")
                        key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
                        cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
                  )
        );
};
log {
        source(s_net);
        destination(d_tcp);
};
===================================

I want syslog-ng to send XX.example.net as SNI to my remote server

Please advise

Thanks
Raghu