SSLv3 Handshake error using om_http to POST events to AWS API Gateway

#1 concanno

I am trying to use the om_http module to POST events to an AWS API Gateway (which won't allow SSLv3 connections). Looking at this forum and the documentation, it seems like the latest version of the community edition, nxlog-ce-2.9.1716, should support TLSv1.2, but I keep getting the following error when it attempts to connect to my API:

ERROR SSL error, SSL_ERROR_SSL: retval -1, sslv3 alert handshake failure

Below is my config for the output:

<Output out>
    Module       om_http
    URL         https://<my api endpoint>
    ContentType "application/json"
</Output>
 
I have also tried using HTTPSAllowUntrusted TRUE, which doesn't change anything. Also, I tested the API endpoint with curl and it works fine.
 
Thanks in advance for any help!
 
UPDATE: It looks like nxlog is negotiating using TLSv1.2 (discovered with Wireshark). I also discovered that AWS API Gateway requires the SNI extension to TLS. This is likely the problem if nxlog-ce doesn't support SNI. Any idea if/when that will be supported in the community edition?
#2 b0ti Nxlog ✓

The EE supports SNI with both om_http and om_elasticsearch.