[syslog-ng] Enable SNI (Server Name Identification) in TLS connection

Raghunath Adhyapak funduraghu at gmail.com
Fri Sep 27 16:52:14 UTC 2019


I built from source and tested it, and it worked fine.
I need a Deb package to ease installation on my machines. I can wait for
some more time.

Raghu

On Fri, Sep 27, 2019, 12:35 Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
wrote:

> If you would like to test before the upcoming release, you can create a
> deb package with our docker based package scripts:
> https://github.com/syslog-ng/syslog-ng/tree/master/dbld
>
> depending on your platform, it would be "dbld/rules deb" or "dbld/rules
> deb-ubuntu-xenial"
>
>
> Regards,
> Gabor
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Thursday, September 26, 2019 15:30
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
>
> Thanks. Now waiting for Debian package
>
> Raghu
>
> On Thu, Sep 26, 2019, 18:26 Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> Hi Raghu,
>
> It got merged to master! 🙂
> https://github.com/syslog-ng/syslog-ng/pull/2930
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Wednesday, September 18, 2019 5:35 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> That's awesome.
>
> Thanks
> Raghu
>
> On Wed, Sep 18, 2019, 17:05 Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> To the other question: It will be merged on the master branch probably in
> a week.
>
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com>
> *Sent:* Wednesday, September 18, 2019 1:28 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> Hi Raghu,
>
> You are welcome! Thanks for the good idea.
> If everything goes well, this feature will be released in version 3.24, in
> 3-4 weeks.
> The packaging happens at the same time, you will find the 3.24 installer
> at
> https://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Wednesday, September 18, 2019 12:50 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> Hi Attila,
>
> I updated the code, compiled it and tested the changes.
> The changes work as expected.
> Thanks for addressing the issue in such a short time.
>
> Follow-up question:
> When will this change get merged into the master branch?
> Also, when will this get packaged in Debian package?
>
> Thanks
> Raghu
>
> On Tue, Sep 17, 2019 at 4:27 PM Attila Szakacs (aszakacs) <
> Attila.Szakacs at oneidentity.com> wrote:
>
> Hi Raghu,
>
> Currently we are not sending SNI extension in the Client Hello message.
> However, I made a PR to implement this:
> https://github.com/balabit/syslog-ng/pull/2930
>
> Can you build syslog-ng from source? It would be great, if you tested the
> PR.
>
> Best regards,
> Attila
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Raghunath Adhyapak <funduraghu at gmail.com>
> *Sent:* Tuesday, September 17, 2019 9:05 AM
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Enable SNI (Server Name Identification) in TLS
> connection
>
> Hi,
>
> I am using TLS over TCP connection to forward my syslog events to a remote
> server.
> My remote server uses SNI (Server Name Identification) to route
> connections/events to one of the available backend servers.
>
> I observe that syslog-ng doesn't send SNI during TLS handshake.
>
> How can I enable it?
>
> My configuration is as follows:
>
> ===================================
> source s_net { syslog(transport(udp) port(1514)); };
> destination d_tcp {
>         tcp(
>                 "XX.example.net"
>                 port(96)
>                 tls(
>                         peer-verify(required-untrusted)
>                         ca_dir("/etc/syslog-ng/ssl")
>                         key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
>                         cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
>                 )
>         );
> };
> log {
>         source(s_net);
>         destination(d_tcp);
> };
> ===================================
>
> I want syslog-ng to send XX.example.net as SNI to my remote server
>
> Please advise
>
> Thanks
> Raghu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>