[syslog-ng] Enable SNI (Server Name Identification) in TLS connection

Raghunath Adhyapak funduraghu at gmail.com
Wed Sep 18 15:35:49 UTC 2019


That's awesome.

Thanks
Raghu

On Wed, Sep 18, 2019, 17:05 Attila Szakacs (aszakacs) <
Attila.Szakacs at oneidentity.com> wrote:

> To the other question: It will be merged on the master branch probably in
> a week.
>
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com>
> *Sent:* Wednesday, September 18, 2019 1:28 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
>
> Hi Raghu,
>
> You are welcome! Thanks for the good idea.
> If everything goes well, this feature will be released in version 3.24, in
> 3-4 weeks.
> The packaging happens at the same time, you will find the 3.24 installer
> at
> https://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/
> <https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdownload.opensuse.org%2Frepositories%2Fhome%3A%2Flaszlo_budai%3A%2Fsyslog-ng%2F&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090791204&sdata=H%2BQFpJOnTdhGOgMiXXimyDRJRsJMs3ABr3MNdUZ0h%2BY%3D&reserved=0>
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Wednesday, September 18, 2019 12:50 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
>
> Hi Atilla,
>
> I updated the code, compiled it and tested the changes.
> The changes works as expected.
> Thanks for the addressing the issue in such a short time.
>
> Follow-up question:
> When will this change get merged into the master branch?
> Also, when will this get packaged in Debian package?
>
> Thanks
> Raghu
>
> On Tue, Sep 17, 2019 at 4:27 PM Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> Hi Raghu,
>
> Currently we are not sending SNI extension in the Client Hello message.
> However, I made a PR to implement this:
> https://github.com/balabit/syslog-ng/pull/2930
> <https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fbalabit%2Fsyslog-ng%2Fpull%2F2930&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090801199&sdata=qiNjqj135bbtxUw1tnMaMMhhvYT2fpdfbOWXMV64Mts%3D&reserved=0>
>
> Can you build syslog-ng from source? It would be great, if you tested the
> PR.
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Tuesday, September 17, 2019 9:05 AM
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
>
> Hi,
>
> I am using TLS over TCP connection to forward my syslog events to a remote
> server.
> My remote server uses SNI (Server Name Identification) to route
> connections/events to one of the available backend servers.
>
> I observe that syslog-ng doesn't send SNI during TLS handshake.
>
> How can I enable it?
>
> My configuration is as follows:
>
> ===================================
> source s_net { syslog(transport(udp) port(1514)); };
> destination d_tcp {
>         tcp(
>                 "XX.example.net
> <https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2FXX.example.net&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090801199&sdata=kKc2XxSr%2FnS%2BbFmSCXXqka9t17oLsCrDmViLjQdQfQI%3D&reserved=0>
> "
>                 port(96)
>                 tls(
>                         peer-verify(required-untrusted)
>                         ca_dir("/etc/syslog-ng/ssl")
>
> key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
>
> cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
>                   )
>         );
> };
> log {
>         source(s_net);
>         destination(d_tcp);
> };
> ===================================
>
> I want syslog-ng to send XX.example.net
> <https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2FXX.example.net&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090811194&sdata=OMGWyTrbUz5J40CVui56wWoLSzbSQXj7EcWzQGNDKQc%3D&reserved=0>
> as SNI to my remote server
>
> Please advise
>
> Thanks
> Raghu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> <https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090821195&sdata=bYI0oeeeoLjifgXSlm8%2BUfaAMEk%2FPuOqo966%2FaOCRMI%3D&reserved=0>
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> <https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090821195&sdata=ZJda2Cox1NHyYkmtThHPC0nu6HIdQ9LK7oJqDXHb4CM%3D&reserved=0>
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> <https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C9a139415a6fc4def5c9208d73c2b528e%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637044029090831186&sdata=yVv8HfegV4%2B0g1U2XAsWXRc1CxRVEJ7chniTvJdizMU%3D&reserved=0>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190918/c36966f8/attachment-0001.html>


More information about the syslog-ng mailing list