NxLogs to Fluentd/SSL? - ssl

I have a bunch of linux servers configured to push logs to another fluentd server using the fluent-secure-output plugin. Now I'd like to configure our windows servers using nxlogs.
I read a bit on the om_ssl nxlogs module, but I am puzzled about the shared key. Basically, fluentd's secure-output plugin requires a shared key to be identical everywhere for authentication (this is not tied to the certificates at all). But I can't see how I could specify this key in nxlog's om_ssl configuration.
Is this even supported at all? Is it possible to use nxlogs to forward to an ssl fluentd server?

It looks like they have their own authentication protocol over TLS that uses shared_keys (i.e. passphrase) on the client side instead of using private keys. I don't know why that is needed but NXLog and most other log aggregator solutions (rsyslog, syslog-ng, logstash, etc) use plain TLS which can provide proper authentication for both the client and the server.
The protocol is described in their GitHub README and I doubt it will work with NXLog's om_ssl or anything else other than Fluentd's out_secure_forward.

The Fluentd input/output plugin to forward fluentd messages over SSL with authentication, works only between the two plugin (which is actually the same one) using authentication by shared_key check from both of client(out_secure_forward) and server(in_secure_forward).
So unfortunately you can't sent it through your nxlog only through out_secure_forward.

Related

Google cloud datafusion how to accept self-signed certificates

We are just starting to use google cloud data fusion for our ETL.
We have a use case to hit a server(self-signed) and get some info using the http-plugin in the data fusion product.
In my pipeline, i am turning off SSL verification to accept any certificates but getting an error
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <on000120.aeo.ae.com> doesn't match any of the subject alternative names: []
Help text for the field also suggests to urn it off. See image.
Could someone please help?
I followed the instructions at https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/ to generate the key and crt files, so I had a file called v3.ext (which includes subjectAltName) and used that to generate the server.crt file. When I started my server with these files, I was able to deploy and run a pipeline using HTTP source from that local HTTPS server. How did you generate your crt and key? Would you please describe the plugins you're using?
I assume that issue that you've reported is not connected with Data Fusion runtime environment, but might be supposedly related the target HTTPS web server SSL/TLS configuration. Most of the time this issue occurs when the common name or SAN(Subject Alternative Name) of your SSL/TLS Certificate does not match the domain or address that you hit in HTTP call, hence this page is not listed in SAN's list and I can suppose that you didn't add any of domain names there.
As far as I know Data Fusion http-plugin, which is based on Java HTTP Client implementation, promotes HostnameVerifier class, that is used for URL's hostname and the server's identification hostname verification during establishing handshake between parties, you may take a look at the source code and find inherited method getDefaultHostnameVerifier() as well. Therefore, this can lead to the error, during http client intentions to launch SSL/TLS connection channel.
Even though, you turned of trust keystore certificate inspection in the plugin settings, the issue will persist because hostname validation still failing.

How can I test my tls implementation written using HTTP component

For my current project i need to implement http over tls at client ,for this i need a local server able to simulate this . is there any online or offline tool. which i can use and and see the handshake in wireshark .
For watching the TLS handshake you might not get far enough with wireshark. For such kind of monitoring you would ensure the security is low enough for wireshark to be able getting the session key from watching the handshake for decoding the later parts. Thus, you need to avoid any forward secrecy.
Otherwise any (https) server that is accessible (and willing to talk) to your client will do.
In case you are in an environment that is supported (e.g. any unix/linux), you might try using openssl. It allows setting up a server that will do handshake. And it will log the handshake such that you will be able looking at what is going on. This will eliminate the need for using wireshark for debugging.
For achieving this you need a Web Server accepting connection over TLS.I have achieved this on Apache Tomcat web Server.
TLS configuration needs to be done in the server.xml file present in config directory of Tomcat webserver. Connector tag needs to be added in the server.xml file that contains information like
TLS version to be used, port, List of supported Cipher Suites, Keystore path and password, Truststore path and password.
Any regular Rest client can be used to make a call like Postman client. But to use that over TLS/SSL certificate is needed to be installed in Chrome browser.
Hope this answers your doubt.

how to find Master-key and Session-ID on windows for decryption of SSl/TLS traffic using wireshark?

I have a C++ application that has a SSL/TLS communication with its own server and i don't have any access to that server. I'm trying to find out what is it sending from my PC to the server.
I tried burp and fiddler as man-in-middle but it didn't work. The application does not support Proxy so i tried routing the traffic using proxifier to burp and fiddler but it didn't work.
So I came up with these articles https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415 and http://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id
I just need to know , How I can find Master-key and Session-ID to decrypt SSL/TLS trafic.
It depends on the TLS cipher suite being used. If the ciphersuite uses forward secrecy (DHE) you cannot decrypt the stream. If it uses RSA encryption then you need at least the private key of the server. If it also uses client authentication then you would also need the private key of the client. if it uses symmetric encryption you need the symmetric (master) key from either one of them.
But if you do have a C++ application, I would simply add logging to that application (at the lowest level).
You can use following alrternates on a x86 windows
STRACE - http://blogs.msdn.com/b/emmanubo/archive/2007/06/04/introduction-to-strace-httpreplay-support-tools.aspx
SOCKTRC if this app is on windows checkout
http://blogs.msdn.com/b/emmanubo/archive/2007/08/03/socktrc-tool.aspx
HTTPREPLAY -
generally used for browsers but here can be used to view the responses in the UI

Simple secure WCF config for single client, single server

I'm looking to configure wcf to transport data from one web server to another web server with exactly one service host and exactly one client.
Is there a simple security configuration available that does not require x509 certificates?
Additional info:
I may be looking for a simple configuration (message is okay) that could use a predetermined username / pw / enc, etc. I'd also like to avoid sending a password in cleartext.
If by "simple security configuration" you mean encrypting the transmissions between the end points, there's no simple, easy way without using x509 certificates, short of creating some kind of elaborate VPN connection point to point.
But using certificates with WCF doesn't have to be painful or expensive. Using message-level encryption (xml based) is easy enough to configure and get running, and since the communication is always between points "A" and "B", the obvious problems associate with using message encryption (distributing the certificates) isn't a problem at all.
The steps would be:
-Generate a self-signed x509 cert with public and private keys and copy to both servers
-Configure your clients and host to use message security
-install certs on both servers (plenty of documentation available, like this one)
-Configure your host and clients to find the certificates during startup
-run and test
After you've got everything running, you'd obviously replace your self-signed cert with a commercial version.
You didn't mention your platform. Are you on Windows? If so, you can use Windows credentials with message-level encryption and no need for certificates. Here is a step by step guide on how to do it.. Hope this helps!

RavenDB connections over HTTPS

We are setting up replication between RavenDB instances running in server mode. The instances are in different availability zones so we need a secure connection between the servers. According this this post SSL is not supported in server mode but
should be easy to add
Is there an extensibility point in the API where SSL support can be plugged in?
The API doesn't have any place for this currently, but I'm sure it would be a welcome contribution if you were so inclined to write this and submit a pull request. The underlying server is just a System.Net.HttpListener, which can be wired for ssl.
Your entry point would be at Raven.Database.Server.HttpServer.StartListening()
You would want the SSL certificate to be as easy to configure as the hostname or port. The cert itself should probably be pulled in from the Windows certificate store.