[syslog-ng] [Bug 92] New: Allow user to specify SSL/TLS cipher suite for connections
bugzilla at bugzilla.balabit.com
Wed Jul 28 19:49:34 CEST 2010
https://bugzilla.balabit.com/show_bug.cgi?id=92
Summary: Allow user to specify SSL/TLS cipher suite for connections
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: minor
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi at balabit.hu
ReportedBy: brett.edgar at truedigitalsecurity.com
Type of the Report: enhancement
Estimated Hours: 0.0
Created an attachment (id=22)
--> (https://bugzilla.balabit.com/attachment.cgi?id=22)
Patch to allow user to specify acceptable TLS cipher suites.
Some compliance regimens (e.g., the PCI DSS) require SSL/TLS connections to disable weak (<128 bit key length) ciphers and old protocols like SSLv2. Syslog-ng already disables SSLv2 by default, but there is no way to disable the weak ciphers without modifying the source with every new release. I have developed a very small patch that adds a configuration file line with the tls { } stanza to specify which TLS ciphers can be used. Example:
source tlssrc {
    tcp(ip(1.2.3.4) port(514) max-connections(32)
        tls(
            key_file("/etc/syslog-ng/server.key")
            cert_file("/etc/syslog-ng/server.crt")
            cipher_suite("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2")
            peer_verify(optional-untrusted)
        )
    );
};
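The cipher_suite() value above is an OpenSSL cipher string, so what it actually enables depends on the OpenSSL build syslog-ng is linked against, and a string that looked strict in 2010 may admit different suites on a newer library. The following added example (not part of the bug report or of syslog-ng) expands a cipher string with the locally installed OpenSSL through Python's standard ssl module and flags any enabled suite whose effective strength is below a chosen minimum, so an operator can verify a candidate string before putting it into the configuration. The STRICT_CIPHER_STRING is a constructed comparison value and an assumption of this example, not something the report proposes.

```python
"""Expand an OpenSSL cipher string and flag weak suites.

Added example: uses the OpenSSL that the local Python ssl module is built
against, so the expanded list reflects that library, not syslog-ng's.
"""
import ssl

# Cipher string taken from the bug report's example configuration.
REPORTED_CIPHER_STRING = (
    "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2"
)

# Constructed, stricter string used for comparison (an assumption of this
# example, not a recommendation from the report): AEAD suites with forward
# secrecy only, no anonymous or null-encryption suites.
STRICT_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def expand_cipher_string(cipher_string):
    """Return the cipher dicts OpenSSL enables for this string.

    Raises ssl.SSLError when no cipher can be selected, which is how OpenSSL
    reports a string that matches nothing (unknown keywords are otherwise
    silently ignored, so a typo can go unnoticed without this check).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string, min_bits=128):
    """Split the enabled suites into acceptable and weak names.

    Returns (accepted, weak, error): `weak` holds suites whose effective
    key strength is below min_bits; `error` is a message if OpenSSL
    rejected the string outright, in which case both lists are empty.
    """
    try:
        ciphers = expand_cipher_string(cipher_string)
    except ssl.SSLError as exc:
        return [], [], str(exc)
    accepted, weak = [], []
    for cipher in ciphers:
        # strength_bits is the effective strength (e.g. 112 for 3DES),
        # which is what a "<128 bit" compliance rule cares about.
        target = weak if cipher["strength_bits"] < min_bits else accepted
        target.append(cipher["name"])
    return accepted, weak, None


def is_compliant(cipher_string, min_bits=128):
    """True if the string is accepted by OpenSSL and enables no weak suite."""
    accepted, weak, error = audit_cipher_string(cipher_string, min_bits)
    return error is None and bool(accepted) and not weak


if __name__ == "__main__":
    for label, value in (("reported", REPORTED_CIPHER_STRING),
                         ("strict", STRICT_CIPHER_STRING)):
        accepted, weak, error = audit_cipher_string(value)
        print(f"{label}: {value}")
        if error:
            print(f"  rejected by OpenSSL: {error}")
            continue
        print(f"  {len(accepted)} suite(s) at >=128 bits")
        for name in weak:
            print(f"  WEAK: {name}")
```

Running this on a current OpenSSL shows which suites the report's string still admits on that library; the strict string is expected to report no weak suites anywhere, while a string that matches nothing is rejected by OpenSSL rather than silently producing an empty list.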