[syslog-ng] Enable SNI (Server Name Identification) in TLS connection

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Wed Sep 18 11:35:11 UTC 2019


To the other question: It will be merged on the master branch probably in a week.

Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com>
Sent: Wednesday, September 18, 2019 1:28 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection


Hi Raghu,

You are welcome! Thanks for the good idea.
If everything goes well, this feature will be released in version 3.24, in 3-4 weeks.
The packaging happens at the same time; you will find the 3.24 installer at https://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu at gmail.com>
Sent: Wednesday, September 18, 2019 12:50 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection


Hi Attila,

I updated the code, compiled it and tested the changes.
The changes work as expected.
Thanks for addressing the issue in such a short time.

Follow-up question:
When will this change get merged into the master branch?
Also, when will this get packaged in Debian package?

Thanks
Raghu

On Tue, Sep 17, 2019 at 4:27 PM Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com> wrote:
Hi Raghu,

Currently we are not sending SNI extension in the Client Hello message.
However, I made a PR to implement this: https://github.com/balabit/syslog-ng/pull/2930

Can you build syslog-ng from source? It would be great if you tested the PR.

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Raghunath Adhyapak <funduraghu at gmail.com>
Sent: Tuesday, September 17, 2019 9:05 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Enable SNI (Server Name Identification) in TLS connection


Hi,

I am using TLS over TCP connection to forward my syslog events to a remote server.
My remote server uses SNI (Server Name Identification) to route connections/events to one of the available backend servers.

I observe that syslog-ng doesn't send SNI during TLS handshake.

How can I enable it?

My configuration is as follows:

===================================
source s_net { syslog(transport(udp) port(1514)); };
destination d_tcp {
        tcp(
                "XX.example.net"
                port(96)
                tls(
                        peer-verify(required-untrusted)
                        ca_dir("/etc/syslog-ng/ssl")
                        key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
                        cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
                  )
        );
};
log {
        source(s_net);
        destination(d_tcp);
};
===================================

I want syslog-ng to send XX.example.net as SNI to my remote server.

Please advise

Thanks
Raghu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


