SSL handshake fails because IP SANs are missing

[soupdiver]

I've used the command from the README for generating a SSL certificate. I use the same cert on the server and on the forwarder. When starting the forwarder I get the following error:

Failed to tls handshake with x.x.x.x x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs

So I see it is a problem with the cert and not the forwarder itself but maybe you can update the README.

[alphazero-es]

@soupdiver Thanks for the heads-up. The readme needs an update, but what we really need is to add a flag to skip verification. We'll use this issue to push that through.

[soupdiver]

👍

[alphazero-es]

@soupdiver: Felix, pull branch ISSUE-221 and give it a whirl & ping me back on your end w/ ack|nack. It works for me.
/Danke

[soupdiver]

@alphazero-es ack
Thanks!

[alphazero-es]

@soupdiver great.
@jordansissel Jordan, what's your take on this? This can merge clean to master. README is updated so it is buyer beware.

[jordansissel]

(edited this comment to remove incorrect information)

Basically, in order to use tls in Go, now you MUST specify a CN in the subject field. Wildcards are supported, but '*' does not match '.'

If you're using self signed certs or have a closed ecosystem of SSL certs in your environment, it's possible that CN=* or CN=*.example.com might just be fine for you.

master branch currently sets the ServerName (which must match the cert CN field) to the address of the server being talked to, so be aware of this.

I'm open to exposing a setting you can choose for the cert CN setting (what Go calls ServerName), if that would be useful.

[PavelPolyakov]

@jordansissel
I've compiled my logstash-forwarder using go version go1.3 linux/amd64 and created my certs using your solution - however I still have this:

Have I've missed something? Could you give an example how could I create the certificate specifying the IP SAN ?

@alphazero-es
Am I understand right that your pull request hasn't yet been merged and we're not able to use the

    "ssl strict verify": false,

yet ?

ALL:
Am I understand right that if I would specify the domain name in the logstash.json, then it would work without updating the certificate?

Regards,

[alphazero-es]

@PavelPolyakov The consensus on our end is that it would violate expectation of security for users. @jordansissel has explored and found a viable and practical workaround.

In the interim, if using master, use Go1.2 or satisfy Go1.3's requirements per crypto/tls.

[PavelPolyakov]

@alphazero-es
thanks for the answer,

do you mean the workaround about creating the certificate using CN=* ?

openssl req -subj '/CN=*/' -x509 -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt

The issue is, that even if I've created the certificate using the command provided, and updated it both on the receiver host and on the logstash-forwarder host - I still see that message.

[alphazero-es]

@PavelPolyakov Yes, it requires a minor change to the publisher code as well. If you can wait until Friday, hopefully we'll push it through then. In the interim, please use Go1.2, or the 221 branch (fully noting that it is NOT acceptable to us.

[driskell]

@PavelPolyakov Using CN=* will only work if you connect via hostname. If you connect via IP then the CN is completely ignored and the certificate verification requires that an IP Subject Alternate Name is added to the certificate. If you connect via hostname the CN=* will work, or even CN=hostname.you.connect.with will work.

I'm in process of writing a script to do all this in Log Courier. Currently I have a "make selfsigned" which works - but it needs manual editing of openssl.cnf to add IP SAN. I will be writing a script to do all this soon. It at least means people who just want quick security can get up and running fast. I'll post here when I'm done but @jordansissel or @alphazero-es are probably already doing something similar.

[PavelPolyakov]

@driskell
When I connect via hostname it states the next:

where the blank space is my domain

@alphazerp-es
I've just recompiled it using go 1.2.2 but still have the same:

my logstash-config.json:

Tomorrow I would try to do that again :) Anyway, thanks for your help.