<div dir="ltr"><div><div><div><div>Hi,<br><br></div>The BalaBit team has worked on this issue, but IIRC they upgraded the OpenSSL library in the installation package.<br><br></div>Is that an option for you? Certainly syslog-ng could disable certain protocols using options, but work has not been done.<br><br></div>It wouldn't be too difficult though, as we already disable SSLv2 (without options). Can you perhaps make a stab at contributing this as a patch?<br><br></div>This is the line that disables SSLv2:<br><br><code>lib/tlscontext.c:334: SSL_CTX_set_options(self-&gt;ssl_ctx, SSL_OP_NO_SSLv2);</code><br><br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 29, 2014 at 2:16 AM, bluebenben <span dir="ltr">&lt;<a href="mailto:bluebenben@163.com" target="_blank">bluebenben@163.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Hi guys<br><br>In my project I am using syslog-ng as a syslog client and sending logs via TLS.<br>We all know that recently there is one new security flaw, which is Poodle (CVE-2014-3566 - SSLv3 Fallback Vulnerability).<br>This requires disabling SSLv3.<br>I have checked the admin guide of syslog-ng 3.3.2 but I am able to find the option.<br>Could you please let me know the way?<br><br>Alternatively, I think I may achieve the objective by disabling the SSLv3 ciphers used by the syslog-ng client.<br>The original ciphers used by us are<br>ALL:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH<br>I may change it to<br>ALL:!SSLv3:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH<br>But this will make syslog-ng only support TLS1.2 and cause a negative impact on interoperability.<br><br>Thanks<br><br>Jason<br></div></div></div><br><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Bazsi</div>
</div>
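<p>The two approaches discussed in this thread, compared side by side as an added example (not code from syslog-ng or from either poster). It uses Python's <code>ssl</code> module, which passes the cipher string and the option bits to the same OpenSSL library; the function and constant names are made up for the illustration, and the exact suite lists depend on the local OpenSSL build.</p>

```python
import ssl

# Cipher strings quoted in the thread.
ORIGINAL = "ALL:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH"
WITHOUT_SSLV3_SUITES = "ALL:!SSLv3:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH"


def suites_by_label(ctx):
    """Group the context's enabled suites by OpenSSL's protocol label.

    The label is the earliest protocol version a suite can be used with,
    so suites labelled "SSLv3" are also what TLS 1.0 and 1.1 peers rely on.
    """
    groups = {}
    for suite in ctx.get_ciphers():
        groups.setdefault(suite["protocol"], []).append(suite["name"])
    return groups


def cipher_level(cipher_string):
    """Approach from the question: filter suites through the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return suites_by_label(ctx)


def protocol_level(cipher_string):
    """Approach from the reply: switch the protocol off, leave the suites alone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # Same bit that SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) sets in C.
    # Python contexts already have it set; the OR makes the intent explicit.
    ctx.options |= ssl.OP_NO_SSLv3
    return bool(ctx.options & ssl.OP_NO_SSLv3), suites_by_label(ctx)


if __name__ == "__main__":
    no_sslv3, kept = protocol_level(ORIGINAL)
    print("protocol option set:", no_sslv3)
    for title, groups in (("original string + option", kept),
                          ("string with !SSLv3", cipher_level(WITHOUT_SSLV3_SUITES))):
        print(title)
        for label in sorted(groups):
            print("  %-8s %d suites" % (label, len(groups[label])))
```

<p>Running it prints how many suites remain under each label, which lets you check the interoperability concern raised in the question against your own OpenSSL build.</p>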