Description
Logstash information:
Please include the following information:
- Logstash version -- v8.17.2
- Logstash installation source (e.g. built from source, with a package manager: DEB/RPM, expanded from tar or zip archive, docker) -- docker
- How is Logstash being run (e.g. as a service/service manager: systemd, upstart, etc. Via command line, docker/kubernetes) -- kubernetes
- JVM (e.g. java -version) -- jre21
Description of the problem including expected versus actual behavior:
Logstash is used to send logs to syslog server with TLS.
Configuration used:

  output {
    syslog {
      facility => "%{facility}"
      host => "abc.net"
      port => "6514"
      protocol => "ssl-tcp"
      # file paths are string settings and must be quoted
      ssl_cacert => "/ca.pem"
      ssl_cert => "/server.crt.pem"
      ssl_key => "/server.key.pem"
      ssl_verify => true
      severity => "%{severity}"
      sourcehost => "%{[host][name]}"
      codec => line {
        format => "%{message}"
      }
    }
  }
- When capturing packets between logproc and the rsyslog server, there is no server_name extension in the TLS handshake. Please see the tcpdump image of the logproc communication with the syslog server.
- Capturing the packets with tcpdump for a curl command to the rsyslog server shows the server_name extension, as shown in the image below.
curl command:

  curl -v --cacert ca.pem --cert server.crt.pem --key server.key.pem https://abc.net:6514/

Tcpdump on server side:

  tcpdump -i any host 100.103.102.3 and port 6514 -w syslog_capture.pcap
[Image: tcpdump capture on the server side with curl]
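For anyone reproducing this without a packet capture, the following is an added example (not part of this issue and not code from the logstash-output-syslog plugin). It is written in Ruby because Logstash output plugins are Ruby; it parses a raw TLS ClientHello record for the server_name extension, builds a constructed ClientHello for offline checking, and then captures the real ClientHello that Ruby's OpenSSL client sends over loopback, once with `SSLSocket#hostname=` set and once without. The host name `abc.net` is taken from the issue; the loopback server and the captured connection are assumptions of the example.

```ruby
require 'openssl'
require 'socket'

# Return the SNI host name carried by a TLS ClientHello record, or nil if the
# record has no server_name extension (RFC 6066, extension type 0).
def sni_from_client_hello(record)
  return nil unless record.getbyte(0) == 0x16          # TLS handshake record
  hs = record.byteslice(5, record.bytesize - 5)        # drop the 5-byte record header
  return nil unless hs.getbyte(0) == 0x01              # handshake type ClientHello
  pos = 4 + 2 + 32                                     # handshake header, client_version, random
  pos += 1 + hs.getbyte(pos)                           # session_id
  pos += 2 + hs.byteslice(pos, 2).unpack1('n')         # cipher_suites
  pos += 1 + hs.getbyte(pos)                           # compression_methods
  return nil if pos + 2 > hs.bytesize                  # no extensions block at all
  ext_end = pos + 2 + hs.byteslice(pos, 2).unpack1('n')
  pos += 2
  while pos + 4 <= ext_end
    ext_type, ext_len = hs.byteslice(pos, 4).unpack('nn')
    pos += 4
    if ext_type == 0
      # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
      name_len = hs.byteslice(pos + 3, 2).unpack1('n')
      return hs.byteslice(pos + 5, name_len)
    end
    pos += ext_len
  end
  nil
end

# Constructed minimal ClientHello (one cipher suite, null compression), with or
# without a server_name extension, so the parser can be checked offline.
def build_client_hello(sni)
  ext = ''.b
  if sni
    entry = [0, sni.bytesize].pack('Cn') + sni.b       # name_type 0 = host_name
    list  = [entry.bytesize].pack('n') + entry
    ext << [0, list.bytesize].pack('nn') << list
  end
  body = ("\x03\x03" + "\x00" * 32 + "\x00").b         # version, random, empty session_id
  body << [2].pack('n') << "\x13\x01".b                # cipher_suites: one suite
  body << "\x01\x00".b                                 # compression_methods: null
  body << [ext.bytesize].pack('n') << ext
  hs = "\x01".b + [body.bytesize].pack('N').byteslice(1, 3) + body
  "\x16\x03\x01".b + [hs.bytesize].pack('n') + hs
end

# Capture the real ClientHello Ruby's OpenSSL client sends: accept the TCP
# connection on loopback, read exactly one TLS record, and never answer it.
def capture_client_hello(sni)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  client = Thread.new do
    tcp = TCPSocket.new('127.0.0.1', port)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE        # certificate checks are never reached
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
    ssl.hostname = sni if sni                          # this is what puts server_name in the hello
    begin
      ssl.connect
    rescue StandardError                               # expected: no ServerHello ever arrives
    ensure
      tcp.close
    end
  end
  conn = server.accept
  header = conn.read(5)
  record = header + conn.read(header.byteslice(3, 2).unpack1('n'))
  conn.close
  server.close
  client.join
  record
end

if __FILE__ == $PROGRAM_NAME
  [nil, 'abc.net'].each do |sni|
    found = sni_from_client_hello(capture_client_hello(sni))
    puts "hostname=#{sni.inspect} -> server_name in ClientHello: #{found.inspect}"
  end
end
```

Running the script prints `nil` for the client that never set `hostname=` and `"abc.net"` for the one that did; the same parser can be pointed at the first record of a TCP stream exported from `syslog_capture.pcap` to confirm what Logstash actually sent.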
We have a request to have HostSNI in the TLS handshake.
Please check if this is an issue and needs some enhancement in the plugin.
Thanks in advance.