Can Logstash TCP input be made to accept SSLv2Hello?

echalmer · October 6, 2016, 11:26am

I am trying to use the TCP input plugin to receive SSL-encrypted rsyslog events from a closed appliance.

The appliance sending the events is sending SSLv2Hello as part of the handshake. Logstash shuts this down. In the logstash.log, I see

{:timestamp=>"2016-10-03T05:29:59.418000-0400", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: SSLv2Hello is disabled>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:272:in 'accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/jruby-openssl-0.9.13-java/lib/jopenssl19/openssl/ssl-internal.rb:106:in 'accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.4/lib/logstash/inputs/tcp.rb:112:in 'run_server'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.4/lib/logstash/inputs/tcp.rb:84:in 'run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:342:in 'inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:336:in 'start_input'"], :level=>:error}

I enabled -Djavax.net.debug=all in the Logstash JVM args. This produced the following log output:

Using SSLEngineImpl. 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
[Raw read]: length = 5 0000: 80 25 01 03 02 .%... 
[main]<tcp, fatal error: 10: General SSLEngine problem javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled 
[main]<tcp, SEND TLSv1 ALERT: fatal, description = unexpected_message 
[main]<tcp, WRITE: TLSv1 Alert, length = 2 
[main]<tcp, fatal: engine already closed. Rethrowing javax.net.ssl. SSLHandshakeException: SSLv2Hello is disabled

According to appliance support team, a tcpdump trace I provided

... confirms that it is using TLS 1.1 with the legacy SSLv2 outer record wrapper. It is not using SSLv2 just the format of TLS 1.1 client hello that supports older legacy servers.

Are you able to configure your server to accept this handshake format?

I have tried setting -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello in the Logstash JVM args (though I think this is to configure behaviour of clients, not servers). It did not change the result.

Is there a way that I can cause Logstash to accept the SSLv2Hello handshake?