[syslog-ng] Enable SNI (Server Name Identification) in TLS connection

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Wed Sep 18 11:28:19 UTC 2019


Hi Raghu,

You are welcome! Thanks for the good idea.
If everything goes well, this feature will be released in version 3.24, in 3-4 weeks.
The packaging happens at the same time; you will find the 3.24 installer at https://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu at gmail.com>
Sent: Wednesday, September 18, 2019 12:50 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection


Hi Attila,

I updated the code, compiled it and tested the changes.
The changes work as expected.
Thanks for addressing the issue in such a short time.

Follow-up question:
When will this change get merged into the master branch?
Also, when will this get packaged as a Debian package?

Thanks
Raghu

On Tue, Sep 17, 2019 at 4:27 PM Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com> wrote:
Hi Raghu,

Currently we are not sending SNI extension in the Client Hello message.
However, I made a PR to implement this: https://github.com/balabit/syslog-ng/pull/2930

Can you build syslog-ng from source? It would be great if you tested the PR.

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu at gmail.com>
Sent: Tuesday, September 17, 2019 9:05 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection


Hi,

I am using a TLS-over-TCP connection to forward my syslog events to a remote server.
My remote server uses SNI (Server Name Identification) to route connections/events to one of the available backend servers.

I observe that syslog-ng doesn't send SNI during TLS handshake.

How can I enable it?

My configuration is as follows:

===================================
# receive syslog over UDP on port 1514
source s_net { syslog(transport(udp) port(1514)); };

# forward over TCP to the remote server, wrapped in TLS
destination d_tcp {
        tcp(
                "XX.example.net"
                port(96)
                tls(
                        peer-verify(required-untrusted)
                        ca_dir("/etc/syslog-ng/ssl")
                        key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
                        cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
                  )
        );
};

log {
        source(s_net);
        destination(d_tcp);
};
===================================

I want syslog-ng to send XX.example.net as SNI to my remote server

Please advise

Thanks
Raghu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
