news: add syslog-ng#3082

Signed-off-by: László Várady <[email protected]>
MrAnno · Feb 24, 2020 · 32887a0 · 32887a0
1 parent 6e54af2
commit 32887a0
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/news/bugfix-3064.md b/news/bugfix-3064.md
diff --git a/news/bugfix-3082.md b/news/bugfix-3082.md
@@ -0,0 +1,21 @@
+`network` sources: Added workaround for a TLS 1.3 bug to prevent data loss
+
+Due to a bug in the OpenSSL TLS 1.3 implementation (openssl/openssl#10880),
+it is possible to lose messages when one-way communication protocols are used, -
+such as the syslog protocol over TLS ([RFC 5425](https://tools.ietf.org/html/rfc5425),
+[RFC 6587](https://tools.ietf.org/html/rfc6587)) - and the connection is closed
+by the client right after sending data.
+
+The bug is in the TLS 1.3 session ticket handling logic of OpenSSL.
+
+To prevent such data loss, we've disabled TLS 1.3 session tickets in all
+syslog-ng network sources. Tickets are used for session resumption, which is
+currently not supported by syslog-ng.
+
+The `loggen` testing tool also received some bugfixes (#3064), which reduce the
+likelihood of data loss if the target of loggen has not turned off session
+tickets.
+
+If you're sending logs to third-party OpenSSL-based TLS 1.3 collectors, we
+recommend turning session tickets off in those applications as well until the
+OpenSSL bug is fixed.