fluent-plugin-remote_syslog

Support server_name extension in tls handshake in fluentd

Open mrudrego opened this issue 5 months ago • 7 comments

Hi,

We use fluent-plugin-remote-syslog to send logs from fluentd to a syslog server.

Fluentd-package: v5.0.5-1
fluent-plugin-remote_syslog: v1.1.0

We have observed that the server_name extension (SNI) is missing in the TLS handshake when using the plugin. Fluentd config:

          <store>
            @type remote_syslog
            host abc.net
            port 6514
            protocol tcp
            tls true
            ca_file /opt/fluentd-files/cert/rsyslog.crt
          </store>

The packets captured with tcpdump for a curl command to the syslog server, however, have the server_name extension in the handshake (attached image).

curl command from client: curl -v --cacert ca.pem https://abc.net:6514/

Server side tcp dump: tcpdump -i any host 100.103.102.3 and port 6514 -w syslog_capture.pcap


We have a request to have HostSNI in the TLS handshake. Please check if this is an issue and needs some enhancement in the plugin.

Thanks in advance.

mrudrego avatar Sep 01 '25 11:09 mrudrego

When preparing a socket with OpenSSL in https://github.com/reproio/remote_syslog_sender, it needs to set the hostname.


diff --git a/lib/remote_syslog_sender/tcp_sender.rb b/lib/remote_syslog_sender/tcp_sender.rb
index 9e0d4cc..ad37714 100644
--- a/lib/remote_syslog_sender/tcp_sender.rb
+++ b/lib/remote_syslog_sender/tcp_sender.rb
@@ -20,6 +20,8 @@ def initialize(remote_hostname, remote_port, options = {})
       @timeout_exception   = !!options[:timeout_exception]
       @exponential_backoff = !!options[:exponential_backoff]
 
+      @local_hostname   = options[:hostname] || options[:local_hostname] || (Socket.gethostname rescue `hostname`.chomp)
+
       @mutex = Mutex.new
       @tcp_socket = nil
 
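Review bot: The added `@local_hostname` assignment resolves the sender's own hostname (`options[:hostname]`, `options[:local_hostname]`, then `Socket.gethostname`), yet its only use in this patch is as the TLS server_name in `connect`, and SNI has to carry the name of the server being contacted. `initialize` already receives `remote_hostname`, so this line can be dropped and the second hunk can use `@remote_hostname`. If the line stays for another reason, the inline `rescue` that shells out to `hostname` hides every StandardError and deserves a comment.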
@@ -68,6 +70,7 @@ def connect
             context.verify_mode = @verify_mode if @verify_mode
 
             @socket = OpenSSL::SSL::SSLSocket.new(@tcp_socket, context)
+            @socket.hostname = @local_hostname if @local_hostname
             @socket.connect
             if @verify_mode != OpenSSL::SSL::VERIFY_NONE
               @socket.post_connection_check(@remote_hostname)
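Review bot: `@socket.hostname = @local_hostname` puts the client's hostname into the server_name extension, while `post_connection_check(@remote_hostname)` two lines below verifies the certificate against the server's name; both should use the same value. Suggest `@socket.hostname = @remote_hostname`, skipped when `@remote_hostname` is an IP literal, since server_name only carries DNS hostnames (RFC 6066).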

Watson1978 avatar Sep 02 '25 02:09 Watson1978
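A way to check what `SSLSocket#hostname=` changes on the wire without a packet capture, as an added example that is not code from this thread or from remote_syslog_sender: a loopback TLS server records the server_name it receives, with and without the client setting it. The certificate, the helper names `self_signed` and `observed_sni`, and the loopback listener are constructed for the example; `abc.net` is the host from the issue.

```ruby
require "openssl"
require "socket"

# Constructed throwaway self-signed certificate for the loopback server.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Runs one TLS handshake over loopback and returns the server_name the server
# saw in the ClientHello, or nil when the client sent no SNI extension.
def observed_sni(sni_name)
  cert, key = self_signed("abc.net")
  seen = nil
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.add_certificate(cert, key)
  # Ruby calls this with [ssl_socket, name], and only when server_name is present.
  sctx.servername_cb = proc { |args| seen = args[1]; nil }
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, sctx)
    ssl.sync_close = true
    ssl.accept
    ssl.close
  end
  cctx = OpenSSL::SSL::SSLContext.new
  # Trust only the constructed certificate, like ca_file in the fluentd config.
  cctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  tcp = TCPSocket.new("127.0.0.1", listener.addr[1])
  client = OpenSSL::SSL::SSLSocket.new(tcp, cctx)
  client.sync_close = true
  client.hostname = sni_name if sni_name # this is what fills server_name
  client.connect
  server.join
  client.close
  listener.close
  seen
end
```

`observed_sni(nil)` reproduces the handshake reported in the issue (no server_name), and `observed_sni("abc.net")` the one curl produces. The server reports whatever string the client assigns, so the value given to `hostname=` has to be the server's name.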

Hi @Watson1978, thank you very much for the quick response.

As you indicated, the changes are in https://github.com/reproio/remote_syslog_sender; should this enhancement be created in this repo? Also, the last commit on this repo seems to be 4 years back. Any idea how we should go about this?

Thanks

mrudrego avatar Sep 02 '25 05:09 mrudrego

Is it working as you expected with the patch above? If so, we need to create a PR to https://github.com/reproio/remote_syslog_sender.

The PR may be merged if agreed...

Watson1978 avatar Sep 02 '25 06:09 Watson1978

@Watson1978 looks fine.

Thanks,

mrudrego avatar Sep 03 '25 05:09 mrudrego

Hi @Watson1978, was the PR created for the above enhancement? Can you please share the PR?

Thanks,

mrudrego avatar Oct 24 '25 05:10 mrudrego

Sorry. I forgot this. I will try to create a PR.

Watson1978 avatar Oct 24 '25 05:10 Watson1978

Hi @Watson1978, can you please share the PR?

Thanks,

mrudrego avatar Nov 07 '25 10:11 mrudrego