
tls: add SNI support #2930

Merged
merged 2 commits into from Sep 26, 2019

Conversation

alltilla
Collaborator

@alltilla alltilla commented Sep 17, 2019

Inspired by a syslog-ng maillist request:

Hi,
I am using TLS over TCP connection to forward my syslog events to a remote server.
My remote server uses SNI (Server Name Identification) to route connections/events to one of the available backend servers.
I observe that syslog-ng doesn't send SNI during TLS handshake.
How can I enable it?
My configuration is as follows:

source s_net { syslog(transport(udp) port(1514)); };
destination d_tcp {
        tcp(
                "XX.example.net"
                port(96)
                tls(
                        peer-verify(required-untrusted)
                        ca_dir("/etc/syslog-ng/ssl")
                        key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
                        cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
                  )
        );
};
log {
        source(s_net);
        destination(d_tcp);
};

I want syslog-ng to send XX.example.net as SNI to my remote server
Please advise
Thanks
Raghu

Example usage:

destination d_tls {
    tcp(
        "XX.example.net"
        port(96)
        tls(
            sni(yes)
            ca_dir("/etc/syslog-ng/ssl")
            key-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.key.pem")
            cert-file("/etc/syslog-ng/ssl/globaltest/XX.example.net.cert.pem")
        )
    );
};

Wireshark capture (image): client_hello

Signed-off-by: Attila Szakacs attila.szakacs@balabit.com

@alltilla alltilla added this to the syslog-ng-3.24 milestone Sep 17, 2019
@kira-syslogng
Contributor

Build SUCCESS

Review comment on lib/tlscontext.c (resolved)
Review comment on lib/tlscontext.c (resolved)
@kira-syslogng
Contributor

Build SUCCESS

@kira-syslogng
Contributor

Build SUCCESS

@MrAnno
Collaborator

MrAnno commented Sep 17, 2019

Review comment on lib/tlscontext.c (resolved)
@kira-syslogng
Contributor

Build SUCCESS

@alltilla alltilla force-pushed the ssl_sni branch 2 times, most recently from 6ae88a5 to 64da65a Compare September 19, 2019 08:19
@kira-syslogng
Contributor

Build SUCCESS

MrAnno
MrAnno previously approved these changes Sep 19, 2019
Collaborator

@MrAnno MrAnno left a comment


A last note:
sni belongs to TLSContext, but in OpenSSL, we couldn't find a setter for SSL_CTX, just for SSL, so the validation is done in tls_session_new(), which runs after init(), and in case of failure, it is repeated every time-reopen() seconds.

I think this is not a big problem, SSL_set_tlsext_host_name() fails in very rare cases, for example, when the host name is unreasonably long (or when memory can't be allocated).

https://tools.ietf.org/html/rfc6066#page-6
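The PR description verifies the feature by inspecting the client_hello in Wireshark, and the note above points out that SSL_set_tlsext_host_name() rejects over-long names. The following is an added example (not syslog-ng code, not part of this PR) that does both offline: it builds a minimal ClientHello carrying a server_name extension in the RFC 6066 wire format, parses the host_name back out of such a record, and applies the 255-byte cap OpenSSL enforces as TLSEXT_MAXLEN_host_name. The sample record is constructed in the block, not captured from syslog-ng.

```python
import struct

TLSEXT_SERVER_NAME = 0          # "server_name" extension type, RFC 6066 section 3
TLSEXT_MAXLEN_HOST_NAME = 255   # OpenSSL's cap for SSL_set_tlsext_host_name()

def sni_hostname_is_acceptable(hostname):
    """Length check OpenSSL applies before it accepts an SNI host name."""
    return 0 < len(hostname) <= TLSEXT_MAXLEN_HOST_NAME

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (test data, not a real capture)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
    body += b"\x01\x00"                                # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", TLSEXT_SERVER_NAME, len(sn_list)) + sn_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:]
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    if pos >= len(hs):
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == TLSEXT_SERVER_NAME:
            names = hs[pos + 2:pos + elen]             # skip the ServerNameList length
            p = 0
            while p + 3 <= len(names):
                ntype, nlen = names[p], struct.unpack("!H", names[p + 1:p + 3])[0]
                if ntype == 0:                         # NameType host_name
                    return names[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None
```

Feeding extract_sni() the first record of a real capture (for example, the bytes Wireshark exports for the client_hello) gives the same answer as reading the extension in the GUI.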

Signed-off-by: Attila Szakacs <attila.szakacs@balabit.com>
Signed-off-by: Attila Szakacs <attila.szakacs@balabit.com>
@kira-syslogng
Contributor

Build SUCCESS

@kira-syslogng kira-syslogng added the user-visible-feature User visible feature label Sep 25, 2019
@furiel furiel merged commit 5d65256 into syslog-ng:master Sep 26, 2019