Disabling SSLv3 with Syslog-NG
The syslog-ng documentation is very unclear. Where would we put the ssl-options(no-sslv2, no-sslv3, no-tlsv1) entry for disabling sslv2, sslv3 and tlsv1?

The following works for enabling TLS on our host, but I can’t figure out where to insert the ssl-options.

    source s_net {
        network(
            ip('<our IP>') port(<our port>)
            transport("tls")
            tls(
                key-file("/usr/local/etc/hostcert.key")
                cert-file("/usr/local/etc/hostcert.pem")
                peer_verify(optional-untrusted)
            )
        );
    };

Joe Lupo
T-Mobile USA
Principal Engineer, System Design & Strategy
(973) 440-8768
It's part of the tls options, so:

    tls(
        key-file("/usr/local/etc/hostcert.key")
        cert-file("/usr/local/etc/hostcert.pem")
        peer_verify(optional-untrusted)
        ssl-options(no-sslv3,no-tlsv1)
    )
    );

The Jaguar

16. Aug 2016 12:13 by Joseph.Lupo@T-Mobile.com: [...]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi,

Thanks for pointing out this problem, I've added a more detailed example for ssl-options to the upcoming 3.8 guide.

Regards,
Robert

On Tue, Aug 16, 2016 at 11:53 PM, <thejaguar@tutanota.de> wrote: [...]
I made the change as suggested and it is complaining:

    source s_net {
        network(
            ip('<our IP>') port(<our port>)
            transport("tls")
            tls(
                key-file("/usr/local/etc/hostcert.key")
                cert-file("/usr/local/etc/hostcert.pem")
                peer_verify(optional-untrusted)
                ssl-options(no-sslv2, no-sslv3, no-tlsv1)
            )
        );
    };

I got the following error when I tried to start it:

    -bash-4.1$ sudo service sys-ng1 start
    syslog-ng service starting.
    Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER, expecting ')' in /opt/splunk/usr/local/etc/syslog-ng.conf at line 49, column 9:

    ssl-options(no-sslv2, no-sslv3, no-tlsv1)
    ^^^^^^^^^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

From: <syslog-ng-bounces@lists.balabit.hu> on behalf of "thejaguar@tutanota.de" <thejaguar@tutanota.de>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: Tuesday, August 16, 2016 at 5:53 PM
To: Joe Lupo <Joseph.Lupo@T-Mobile.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Disabling SSLv3 with Syslog-NG

[...]
Hi,

"Lupo, Joseph" <Joseph.Lupo@T-Mobile.com> wrote at 2016-08-17 20:13:
> I made the change as suggested and it is complaining:
[...]
> I got the following error when I tried to start it:
>
> -bash-4.1$ sudo service sys-ng1 start
> syslog-ng service starting.
> Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER, expecting ')' in /opt/splunk/usr/local/etc/syslog-ng.conf at line 49, column 9:
>
> ssl-options(no-sslv2, no-sslv3, no-tlsv1)
> ^^^^^^^^^^^

What is the exact version that you use? Can you send us the output of syslog-ng -V?

Cheers,
Gyu
Here is the output.

    syslog-ng 3.6.4
    Installer-Version: 3.6.4
    Revision:
    Compile-Date: Jul 23 2015 12:54:32
    Available-Modules: afmongodb,confgen,system-source,afamqp,afprog,afsocket,pseudofile,cryptofuncs,dbparser,afsocket-tls,graphite,syslogformat,affile,csvparser,afuser,afsocket-notls,afstomp,basicfuncs,linux-kmsg-format
    Enable-Debug: on
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: off
    Enable-Linux-Caps: off

On 8/17/16, 4:45 PM, "syslog-ng-bounces@lists.balabit.hu on behalf of PÁSZTOR György" <syslog-ng-bounces@lists.balabit.hu on behalf of pasztor@linux.gyakg.u-szeged.hu> wrote: [...]
Hi,

"Lupo, Joseph" <Joseph.Lupo@T-Mobile.com> wrote at 2016-08-17 20:55:
> Here is the output.
>
> syslog-ng 3.6.4
> Installer-Version: 3.6.4
> Revision:
> Compile-Date: Jul 23 2015 12:54:32

It seems we found the source of the problem: https://github.com/balabit/syslog-ng/pull/720
It was backported to the 3.6 version branch in 2015 Oct.

Cheers,
Gyu
So, do we need to compile a new version to get that feature? Is there another way to disable SSLv3 besides doing that?

On 8/17/16, 5:40 PM, "syslog-ng-bounces@lists.balabit.hu on behalf of PÁSZTOR György" <syslog-ng-bounces@lists.balabit.hu on behalf of pasztor@linux.gyakg.u-szeged.hu> wrote: [...]
Depending on which platform you are using, there might be precompiled binaries available for a newer version. See https://syslog-ng.org/3rd-party-binaries/

On Fri, Aug 19, 2016 at 5:48 PM, Lupo, Joseph <Joseph.Lupo@t-mobile.com> wrote: [...]
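Whichever route is taken (a rebuilt 3.6 with the backported pull request, or a newer binary), the effect of ssl-options() should be confirmed from the client side rather than assumed from the config. The POSIX shell script below is an added example, not from the thread or the syslog-ng project; it assumes openssl s_client is installed and that the listener's host and port are passed as arguments.

```shell
#!/bin/sh
# Probe a syslog-ng TLS listener and report which protocol versions it still
# accepts, so the ssl-options() change can be verified from the outside.
# Assumes: openssl s_client is installed; host and port are given as arguments.

LEGACY_PROTOS="ssl3 tls1"             # what ssl-options(no-sslv3, no-tlsv1) should refuse
PROBE_PROTOS="ssl3 tls1 tls1_1 tls1_2"

# is_legacy PROTO: exit 0 if PROTO is a version the listener is expected to refuse
is_legacy() {
    for p in $LEGACY_PROTOS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# probe_proto HOST PORT PROTO: exit 0 if a handshake using only that version succeeded.
# Caveat: many OpenSSL builds ship without SSLv3; a failed ssl3 probe then says
# nothing about the server, so confirm client support with 'openssl s_client -help'.
probe_proto() {
    openssl s_client -connect "$1:$2" "-$3" </dev/null >/dev/null 2>&1
}

# verdict "ACCEPTED_PROTOS": one line per accepted version; exit 1 if a legacy one is among them
verdict() {
    [ -z "$1" ] && { echo "no handshake succeeded: check host/port and client support"; return 2; }
    rc=0
    for p in $1; do
        if is_legacy "$p"; then
            echo "FAIL: listener still accepts $p"
            rc=1
        else
            echo "ok:   listener accepts $p"
        fi
    done
    return $rc
}

# check_listener HOST PORT: run all probes and print the verdict
check_listener() {
    accepted=""
    for p in $PROBE_PROTOS; do
        probe_proto "$1" "$2" "$p" && accepted="$accepted $p"
    done
    verdict "$accepted"
}

# Usage: sh tlscheck.sh <syslog-ng host> <port>
if [ $# -eq 2 ]; then
    check_listener "$1" "$2"
fi
```

A non-zero exit means a version the configuration was meant to refuse was still negotiated (or, with exit 2, that nothing could be negotiated at all).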
participants (4)
- Fekete, Róbert
- Lupo, Joseph
- PÁSZTOR György
- thejaguar@tutanota.de