Comments (8)
Hi
Is this with Go 1.2? It will report that when the certificate name does not match the name used to connect from courier's config.
Your workaround will disable certificate checks. Ok for testing but not live.
Jason
from log-courier.
I'm using it with Go 1.3, actually (I had installed that version on my test machine), but I think that the behaviour is the same as Go 1.2 in this respect.
Many thanks for your answer. Maybe a switch on configuration file that allows to disable TLS could be useful for testing, but I can live with the actual behaviour :)
from log-courier.
Aha! Did you bypass the makefile to build it? The stable version won't build with 1.3 - makefile checks the version and rejects.
It will work in 1.2 I think. This is a breaking change in Go 1.3 to increase TLS security. Before it would bypass validation of common name if you don't specify server name in code. Whereas now it forces validation even if you don't provide name in code. I have a branch that fixes this - it provides the given "servers" item to TLS as server name so it can verify. Downside is this change means even in 1.2 it needs server names to match (where before it would not.) So its breaking change here too.
Thus, I'll be adding some useful openssl scripts to generate certificate pairs soon that correctly have the matching server names etc. At which point I'll be merging in the Go 1.3 support too so things don't get confusing.
Regards,
Jason
from log-courier.
I have contemplated having a TCP transport mode (with no TLS layer on top) - but not had a personal use for it. If it's a desirable option I will definitely look at it again.
from log-courier.
Well, I have added a "3" in the right place on Makefile :) besides that it works. (let alone issue #4 , but I think it's not related to go version). I have a use case for no TLS (internal servers on the same network sendings a bunch of no sensitive logs)... but of course I have several use cases also for TLS :)
from log-courier.
Heh OK. Hopefully I can get the Go 1.3 merged in soon with the scripts, then things should work OK.
I'll definitely consider a TCP only version. Thinking about it, for an internal network with high log volume it could be useful as will reduce resource usage even more.
from log-courier.
I just want to add for reference. That when using IP addresses in the servers configuration, validation will fail even if the certificate common name is the IP.
The validation is strict in that IP will only validate if the certificate has that IP in the SAN list. The documentation I did for generating self signed SSL refers to this. Just need to edit the openssl.cnf to add the IP then "make selfsigned" will add it. I'll eventually move this to a tool/script away from make but it was easiest way for now.
from log-courier.
@driskell, I run Logstash and Elasticsearch on AWS EC2 instances, and sometimes I do something like the following:
$ fab logstash-server ip
11.22.33.44
$ fab logstash-server kill
$ fab logstash-server new
$ fab logstash-server ip
55.66.77.88
When I bring the EC2 instance with the logstash server down and then back up, it gets assigned a different IP. I then deploy this IP address to the nodes that run logstash-forwarder
and log-courier
. In this case, it seems like I would need to make a new set of certificates every time.
It looks like my options are:
- Ignore the IP SANs stuff with TLS.
- DNS so I can always point to
logstash.mydomain.com
. - Regenerate new SSL certificates with
make selfsigned
and deploy them to the machines.
Is there a reason I don't want #1
? I know this is how logstash-forwarder
operates, as it doesn't complain with cannot validate certificate for vv.xx.yy.zz because it doesn't contain any IP SANs
and just keeps on chugging along. I have an idea of what the security risks are as well (any server that happens to contain my SSL certs can pretend to receive and send data).
from log-courier.
Related Issues (20)
- Duplicates observed when log-courier configuration file is overwritten HOT 3
- Undocumented behavior for paths matched by multiple fileglobs HOT 1
- log-courier can't seem to handle `~` for home in certain contexts. HOT 2
- error in logstash 7 HOT 4
- log-courier and logstash > 7.4.0? HOT 10
- Throughput question HOT 15
- does the includes configuration still work correctly? HOT 3
- Hold time setting not closing files properly
- syslog "progname" uses a full path rather than a basename HOT 1
- Information about payloads / different debug level ? HOT 3
- error while compiling code in the command line using MK in windows for Z wave HOT 1
- version.rb missing from the plugin package
- log-courier admin socket stuck HOT 2
- lc-admin does not default to tcp transport HOT 2
- order of files in lc-admin UI
- Logstash configuration auto reload is blocked by log-courier input HOT 2
- PPA packaging is using deprecated compatibility level 9 HOT 1
- 2.10.0 packages missing from PPA (Ubuntu)
- Receiver reload can cause panic
- TCP streaming receiver aborts if too many events received
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from log-courier.