I am trying to use the TCP input plugin to receive SSL-encrypted rsyslog events from a closed appliance.
The appliance sending the events is sending SSLv2Hello as part of the handshake. Logstash shuts this down. In the logstash.log, I see
{:timestamp=>"2016-10-03T05:29:59.418000-0400", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: SSLv2Hello is disabled>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:272:in 'accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/jruby-openssl-0.9.13-java/lib/jopenssl19/openssl/ssl-internal.rb:106:in 'accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.4/lib/logstash/inputs/tcp.rb:112:in 'run_server'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.4/lib/logstash/inputs/tcp.rb:84:in 'run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:342:in 'inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:336:in 'start_input'"], :level=>:error}
I enabled -Djavax.net.debug=all in the Logstash JVM args. This produced the following log output:
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
[Raw read]: length = 5 0000: 80 25 01 03 02 .%...
[main]<tcp, fatal error: 10: General SSLEngine problem javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
[main]<tcp, SEND TLSv1 ALERT: fatal, description = unexpected_message
[main]<tcp, WRITE: TLSv1 Alert, length = 2
[main]<tcp, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
According to the appliance support team, a tcpdump trace I provided
... confirms that it is using TLS 1.1 with the legacy SSLv2 outer record wrapper. It is not using SSLv2 just the format of TLS 1.1 client hello that supports older legacy servers.
Are you able to configure your server to accept this handshake format?
I have tried setting -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello in the Logstash JVM args (though I think this is to configure behaviour of clients, not servers). It did not change the result.
Is there a way that I can cause Logstash to accept the SSLv2Hello handshake?
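Added example (not code from the post above or from Logstash): a small Python classifier for the first bytes a TLS server receives, which shows why the `80 25 01 03 02` in the javax.net.debug trace is a V2-format hello record carrying a TLS 1.1 version, exactly as the vendor described. The TLS-format sample is constructed here for contrast; the function and constant names are my own.

```python
# Classify the leading bytes of a client handshake so an operator can confirm
# which hello format a sender uses, without enabling javax.net.debug.

VERSION_NAMES = {
    (2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3",
}

def classify_client_hello(data: bytes) -> dict:
    """Return the hello format (SSLv2Hello wrapper vs. standard TLS record),
    the record length and the client's advertised protocol version.
    Raises ValueError on input that is not a recognisable ClientHello."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    b0 = data[0]
    if b0 & 0x80:
        # SSLv2 record header: 2 bytes, high bit set, 15-bit length, then
        # msg type (0x01 = CLIENT-HELLO) and the version the client offers.
        length = ((b0 & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("V2 record is not a CLIENT-HELLO (type %d)" % data[2])
        version = (data[3], data[4])
        return {"format": "SSLv2Hello", "record_length": length,
                "client_version": VERSION_NAMES.get(version, "unknown %r" % (version,))}
    if b0 == 0x16:
        # TLS record: type 0x16 = handshake, 2-byte record version, 16-bit
        # length; then handshake type (0x01 = ClientHello), 24-bit length,
        # and the 2-byte client_version.
        if len(data) < 11:
            raise ValueError("truncated TLS handshake record")
        length = (data[3] << 8) | data[4]
        if data[5] != 0x01:
            raise ValueError("TLS handshake is not a ClientHello (type %d)" % data[5])
        version = (data[9], data[10])
        return {"format": "TLS", "record_length": length,
                "client_version": VERSION_NAMES.get(version, "unknown %r" % (version,))}
    raise ValueError("not a recognised ClientHello (first byte 0x%02x)" % b0)

# The five bytes shown in the javax.net.debug [Raw read] line of the post.
APPLIANCE_HELLO = bytes.fromhex("80 25 01 03 02")
# Constructed: header of a TLS-format ClientHello from a TLSv1.2 client (body omitted).
MODERN_HELLO = bytes.fromhex("16 03 01 00 31 01 00 00 2d 03 03")

if __name__ == "__main__":
    for sample in (APPLIANCE_HELLO, MODERN_HELLO):
        print(classify_client_hello(sample))
```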