https://bugzilla.balabit.com/show_bug.cgi?id=92

Summary: Allow user to specify SSL/TLS cipher suite for connections
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: minor
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: brett.edgar@truedigitalsecurity.com
Type of the Report: enhancement
Estimated Hours: 0.0

Created an attachment (id=22)
 --> (https://bugzilla.balabit.com/attachment.cgi?id=22)
Patch to allow user to specify acceptable TLS cipher suites.

Some compliance regimens (e.g., the PCI DSS) require SSL/TLS connections to disable weak (<128 bit key length) ciphers and old protocols like SSLv2. Syslog-ng already disables SSLv2 by default, but there is no way to disable the weak ciphers without modifying the source with every new release.

I have developed a very small patch that adds a configuration file line within the tls { } stanza to specify which TLS ciphers can be used. Example:

source tlssrc {
    tcp(ip(1.2.3.4) port(514) max-connections(32)
        tls(
            key_file("/etc/syslog-ng/server.key")
            cert_file("/etc/syslog-ng/server.crt")
            cipher_suite("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2")
            peer_verify(optional-untrusted))
    );
};