SSL certificate for multiple servers. bug?


(Gerardo Arceri) #1

I'm trying to set up multiple logstash servers and came across a possible bug/feature; I wanted the community's input on this.
I'm setting up two logstash servers for redundancy (let's say they are using IP addresses 192.168.0.100 and 192.168.0.200). I created an SSL certificate like this:

# openssl x509 -in /etc/ssl/certs/logstash-forwarder.crt -text 
Certificate: 
    Data: 
        Version: 3 (0x2) 
        Serial Number: XXXXXXXXXXXXXX (0xXXXXXXXXXXXXXXXXXXXXXX) 
    Signature Algorithm: sha1WithRSAEncryption 
        Issuer: C=XX, L=Default City, O=Default Company Ltd 
        Validity 
            Not Before: Mar     2 12:41:19 2015 GMT 
            Not After : Feb 27 12:41:19 2025 GMT 
        Subject: C=XX, L=Default City, O=Default Company Ltd 
        Subject Public Key Info: 
            Public Key Algorithm: rsaEncryption 
                Public-Key: (2048 bit) 
                Modulus: 
                Exponent: 65537 (0x10001) 
        X509v3 extensions: 
            X509v3 Subject Key Identifier:    
                ..
            X509v3 Authority Key Identifier:  
                keyid:..
             X509v3 Basic Constraints:    
                CA:TRUE 
            X509v3 Subject Alternative Name:  
                IP Address:192.168.0.100
    Signature Algorithm: sha1WithRSAEncryption 

Both servers were configured by chance with the same certificate, and I quickly found out that logstash-forwarder was happily accepting the certificate no matter what server it was connecting to (LF is set up with both LS servers' IPs), instead of complaining about the wrong Subject Alternative Name. I even changed logstash-forwarder to use a DNS name and it just keeps humming along.
Can someone explain whether this behaviour is expected and the same certificate can be used on multiple servers, or whether this is a (known?) bug?
I'm using LF 1.3.1 and LS 1.5.5.

Thanks a lot.

