[syslog-ng] How can I disable SSLv3 in syslog-ng 3.3.2 client config to solve CVE-2014-3566 (SSLv3 Fallback Vulnerability)?

Balazs Scheidler bazsi77 at gmail.com
Wed Nov 5 10:12:33 CET 2014


Hi,

The BalaBit team has worked on this issue, but IIRC they upgraded the
openssl library in the installation package.

Is that an option for you? Certainly syslog-ng could disable certain
protocols using options, but work has not been done.

It wouldn't be too difficult though, as we already disable SSLv2 (without
options). Can you perhaps make a stab at contributing this as a patch?

This is the line that disables SSLv2:

lib/tlscontext.c:334:      SSL_CTX_set_options(self->ssl_ctx, SSL_OP_NO_SSLv2);



On Wed, Oct 29, 2014 at 2:16 AM, bluebenben <bluebenben at 163.com> wrote:

> Hi guys
>
> In my project I am using syslog-ng as a syslog client and sending logs via TLS.
> We all know that recently there is one new security flaw, which is
> Poodle (CVE-2014-3566 - SSLv3 Fallback Vulnerability).
> This requires disabling SSLv3.
> I have checked admin guide of syslog-ng 3.3.2 but I am able to find the
> option
> Could you please let me know the way?
>
> Alternatively, I think I may achieve the objective by disabling the SSLv3 ciphers
> used by the syslog-ng client.
> The original ciphers used by us are
> ALL:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH
> I may change it to
> ALL:!SSLv3:!SSLv2:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:@STRENGTH
> But this will make syslog-ng only support TLS1.2 and cause a negative
> impact on interoperability.
>
> Thanks
>
> Jason
>


-- 
Bazsi
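A sketch of the protocol-option knob suggested above, written here as an added example in Python (whose SSLContext.options is a wrapper over OpenSSL's SSL_CTX_set_options) rather than in syslog-ng's C code; the ssl-options() token names and the helper names are assumptions, not syslog-ng's own API:

```python
import ssl
import warnings

# Hypothetical ssl-options() tokens mapped to the OpenSSL SSL_OP_NO_* flags
# that SSL_CTX_set_options() takes; "no-sslv2" is the flag that is already
# set unconditionally at lib/tlscontext.c:334.
SSL_OPTION_FLAGS = {
    "no-sslv2": ssl.OP_NO_SSLv2,
    "no-sslv3": ssl.OP_NO_SSLv3,
    "no-tlsv1": ssl.OP_NO_TLSv1,
    "no-tlsv11": ssl.OP_NO_TLSv1_1,
    "no-tlsv12": ssl.OP_NO_TLSv1_2,
}


def parse_ssl_options(spec):
    """Combine 'no-sslv2, no-sslv3' style tokens into one option mask.

    An unknown token raises ValueError so that a typo in the config
    cannot silently leave SSLv3 negotiable.
    """
    mask = 0
    for token in spec.replace(",", " ").split():
        flag = SSL_OPTION_FLAGS.get(token.lower())
        if flag is None:
            raise ValueError("unknown ssl-options() value: %r" % token)
        mask |= flag
    return mask


def build_client_context(spec):
    """Client context for a TLS syslog sender with the parsed options applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Equivalent of SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | mask):
    # SSLv2 stays off unconditionally, everything else comes from the config.
    mask = SSL_OPTION_FLAGS["no-sslv2"] | parse_ssl_options(spec)
    with warnings.catch_warnings():
        # Python >= 3.10 deprecates the OP_NO_* flags in favour of
        # minimum_version; they still work and mirror the C call quoted above.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= mask
    return ctx


def disabled_protocols(ctx):
    """Names of the versions the context refuses, e.g. for an audit log.

    A zero-valued flag means the OpenSSL build has no support for that
    version at all (OpenSSL >= 1.1 defines SSL_OP_NO_SSLv2 as 0).
    """
    return sorted(name for name, flag in SSL_OPTION_FLAGS.items()
                  if flag == 0 or ctx.options & flag)


if __name__ == "__main__":
    print("refused:", ", ".join(disabled_protocols(build_client_context("no-sslv3"))))
```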

