Hi,

The BalaBit team has worked on this issue, but IIRC they upgraded the openssl library in the installation package. Is that an option for you?

Certainly syslog-ng could disable certain protocols using options, but that work has not been done. It wouldn't be too difficult though, as we already disable SSLv2 (without options). Can you perhaps make a stab at contributing this as a patch?

This is the line that disables SSLv2:

  lib/tlscontext.c:334: SSL_CTX_set_options(self->ssl_ctx, SSL_OP_NO_SSLv2);

On Wed, Oct 29, 2014 at 2:16 AM, bluebenben <bluebenben@163.com> wrote:
> Hi guys,
>
> In my project I am using syslog-ng as a syslog client and sending logs via TLS. We all know that recently there is a new security flaw, POODLE (CVE-2014-3566 - SSLv3 Fallback Vulnerability). This requires disabling SSLv3. I have checked the admin guide of syslog-ng 3.3.2 but I am able to find the option. Could you please let me know the way?
>
> Alternatively, I think I may achieve the objective by disabling the SSLv3 ciphers used by the syslog-ng client. The original ciphers used by us are:
>
>   ALL:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH
>
> I may change it to:
>
>   ALL:!SSLv3:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH
>
> But this will make syslog-ng only support TLS1.2 and cause a negative impact on interoperability.
>
> Thanks
> Jason
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
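An added example, not code from the syslog-ng tree or from either poster, of what the patch suggested above could look like: a hypothetical ssl-options() keyword list is parsed into the mask handed to SSL_CTX_set_options(), so SSLv3 can be switched off by configuration instead of by trimming the cipher string (which, as Jason notes, would leave only TLS 1.2 suites). The keyword names and tls_parse_ssl_options() are assumptions; the SSL_OP_NO_* values are mirrored from OpenSSL 1.0.x headers so the block compiles without libssl.

```c
/* Added example, not syslog-ng code: parse a hypothetical ssl-options()
 * keyword list into the mask handed to SSL_CTX_set_options().
 * Flag values are mirrored from OpenSSL 1.0.x <openssl/ssl.h> so this
 * compiles without libssl; real code would include that header instead. */
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <strings.h>

#define SSL_OP_NO_SSLv2   0x01000000L
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_ALL (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | \
                       SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)

static const struct { const char *name; long flag; } ssl_option_table[] = {
  { "no-sslv2",  SSL_OP_NO_SSLv2 },
  { "no-sslv3",  SSL_OP_NO_SSLv3 },
  { "no-tlsv1",  SSL_OP_NO_TLSv1 },
  { "no-tlsv11", SSL_OP_NO_TLSv1_1 },
  { "no-tlsv12", SSL_OP_NO_TLSv1_2 },
};

/* Returns 0 and fills *mask_out, or -1 for an unknown keyword or a list
 * that would leave no protocol version enabled. SSLv2 is always disabled,
 * exactly as lib/tlscontext.c does today. */
int tls_parse_ssl_options(const char *spec, long *mask_out)
{
  long mask = SSL_OP_NO_SSLv2;
  char buf[256], *tok, *save = NULL;
  size_t i, n = sizeof(ssl_option_table) / sizeof(ssl_option_table[0]);

  if (strlen(spec) >= sizeof(buf))
    return -1;
  strcpy(buf, spec);
  for (tok = strtok_r(buf, ", \t", &save); tok; tok = strtok_r(NULL, ", \t", &save))
    {
      for (i = 0; i < n && strcasecmp(tok, ssl_option_table[i].name) != 0; i++)
        ;
      if (i == n)
        return -1;                         /* reject unknown keywords */
      mask |= ssl_option_table[i].flag;
    }
  if ((mask & SSL_OP_NO_ALL) == SSL_OP_NO_ALL)
    return -1;                             /* nothing left to negotiate */
  *mask_out = mask;
  return 0;                /* caller: SSL_CTX_set_options(ctx, mask); */
}
```

Rejecting unknown keywords and an all-disabled list means a typo in the configuration fails loudly at startup rather than silently leaving SSLv3 negotiable.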