[Bug 92] New: Allow user to specify SSL/TLS cipher suite for connections
https://bugzilla.balabit.com/show_bug.cgi?id=92

           Summary: Allow user to specify SSL/TLS cipher suite for connections
           Product: syslog-ng
           Version: 3.1.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: brett.edgar@truedigitalsecurity.com
Type of the Report: enhancement
   Estimated Hours: 0.0

Created an attachment (id=22)
 --> (https://bugzilla.balabit.com/attachment.cgi?id=22)
Patch to allow user to specify acceptable TLS cipher suites.

Some compliance regimens (e.g., the PCI DSS) require SSL/TLS connections to
disable weak (<128 bit key length) ciphers and old protocols like SSLv2.
Syslog-ng already disables SSLv2 by default, but there is no way to disable
the weak ciphers without modifying the source with every new release.

I have developed a very small patch that adds a configuration file line
within the tls { } stanza to specify which TLS ciphers can be used.

Example:

source tlssrc {
    tcp(ip(1.2.3.4) port(514) max-connections(32)
        tls(
            key_file("/etc/syslog-ng/server.key")
            cert_file("/etc/syslog-ng/server.crt")
            cipher_suite("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2")
            peer_verify(optional-untrusted))
    );
};

-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
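Before a string like the one in the example above goes into cipher_suite() (merged into syslog-ng 3.3 under the name cipher-suite(), per comment #3), it is worth expanding it with the same OpenSSL cipher-list grammar and checking what actually survives: the string in the report keeps RC4 (via RC4+RSA) and the whole MEDIUM class, and RC4 has since been prohibited in TLS outright by RFC 7465. The script below is an added example, not part of the bug report or of syslog-ng. It assumes syslog-ng passes the option value to OpenSSL's cipher-list parser unchanged (Python's ssl module wraps that same parser), and the weakness policy it applies (MIN_STRENGTH_BITS, WEAK_MARKERS) is a constructed one, not a quotation of any standard.

```python
"""Audit an OpenSSL cipher-list string before putting it into syslog-ng's
cipher-suite() option.

Added example, not syslog-ng code.  Assumption: syslog-ng hands the option
value to OpenSSL's cipher-list parser as-is, so the ssl module (which wraps
the same parser) expands it exactly as syslog-ng would.
"""
import ssl

# Constructed policy for this example: what a "no weak ciphers" review
# would flag.  Strength is OpenSSL's own accounting (strength_bits); the
# name markers catch suites OpenSSL still rates at 128 bits but that are
# deprecated anyway (RC4, MD5-based MACs) plus DES/3DES, export and NULL.
MIN_STRENGTH_BITS = 128
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")


def expand_cipher_list(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string, in
    OpenSSL's preference order.  Raises ssl.SSLError when nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also reports TLS 1.3 suites, which a cipher-list string
    # does not govern; drop them so the result mirrors what cipher-suite()
    # actually controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_weak(cipher):
    """Apply the constructed policy to one entry from SSLContext.get_ciphers()."""
    name = cipher["name"]
    if cipher["strength_bits"] < MIN_STRENGTH_BITS:
        return True
    return any(marker in name for marker in WEAK_MARKERS)


def audit_cipher_list(cipher_string):
    """Split the expansion of cipher_string into accepted and weak suite names.

    Returns {"accepted": [...], "weak": [...], "error": None} or, when
    OpenSSL rejects the whole string, an "error" message with empty lists.
    """
    try:
        suites = expand_cipher_list(cipher_string)
    except ssl.SSLError:
        # Every named suite is unavailable, e.g. an RC4-only list on
        # OpenSSL 3 without the legacy provider loaded.
        return {"accepted": [], "weak": [], "error": "no cipher can be selected"}
    accepted, weak = [], []
    for cipher in suites:
        (weak if is_weak(cipher) else accepted).append(cipher["name"])
    return {"accepted": accepted, "weak": weak, "error": None}


if __name__ == "__main__":
    # The string from the bug report, followed by a tighter alternative.
    for candidate in (
        "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2",
        "HIGH:!aNULL:!eNULL:!3DES",
    ):
        result = audit_cipher_list(candidate)
        print(candidate)
        print("  error:   ", result["error"])
        print("  accepted:", len(result["accepted"]))
        print("  weak:    ", result["weak"])
```

On a current OpenSSL the first string usually expands cleanly (unknown words such as SSLv2 are skipped by the parser rather than rejected) but RC4 and 3DES suites only appear if the library still ships them; run the audit on the exact OpenSSL build syslog-ng links against, since that is the parser whose answer matters.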
https://bugzilla.balabit.com/show_bug.cgi?id=92

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2011-01-10 18:11:01 ---
Thanks for your contribution and sorry for not replying any sooner. Somehow I overlooked this report earlier, and now as I was rescanning the bugzilla, I've noticed this.

I've ported your patch to syslog-ng 3.3, the upcoming syslog-ng version, but I'd like to include a "Signed-off-by" line similar to what the kernel folks use for proper attribution. Could you please resubmit your patch with a signed-off-by line, please? No need to port it to a later version, I did that already.

I guess it shouldn't matter since I almost completely rewrote your patch to rebase it against syslog-ng 3.3, but anyway, I don't want to do it differently with the first patch for which I'm using the signed-off-by procedure :)

Thanks.
https://bugzilla.balabit.com/show_bug.cgi?id=92

--- Comment #2 from Brett Edgar <brett.edgar@truedigitalsecurity.com> 2011-01-10 18:18:58 ---
(In reply to comment #1)
> Could you please resubmit your patch with a signed-off-by line, please?

I'm not familiar with the signed-off-by concept re: kernel patches. Will this work?:

Signed-off-by: Brett Edgar <brett.edgar@truedigitalsecurity.com>
https://bugzilla.balabit.com/show_bug.cgi?id=92

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Balazs Scheidler <bazsi@balabit.hu> 2011-01-11 17:11:21 ---
Yes, and thank you for your quick response. I've integrated your patch into git://git.balabit.hu/bazsi/syslog-ng-3.3.git

commit 9e86fcc5064734181f95d1b7c17f87afa736693c
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Tue Jan 11 17:09:51 2011 +0100

    afsocket: implement cipher-suite() option for TLS enabled sources/destinations

    This patch implements a new option for the tls() block named cipher-suite().
    It can be used to change the set of ciphers/hashes/keyexchange algorithms
    to be used with SSL.

    Signed-off-by: Brett Edgar <brett.edgar@truedigitalsecurity.com>
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>