On Thu, 5 Mar 2015 16:49:03 +0100 Rainer Gerhards <[email protected]> wrote:
> 2015-03-05 11:42 GMT+01:00 [email protected]
> <[email protected]>:
>
> > Hello,
> >
> > Does rsyslog support FIPS mode when doing secure remote
> > syslogging ? GnuTLS can be put into FIPS mode although the
> > application itself should not try to use non-FIPS approved
> > algorithms. Is there such an option for rsyslog ?
> >
> >
> I don't think so, but if you provide details on how to do that, it can
> probably be quickly added. If I need to research, it will take waaaay
> longer.

Hello,

It basically consists of restricting to the ciphers available in GnuTLS
while GnuTLS runs in FIPS mode. GnuTLS can output the list of available
ciphers. This is the list below (also in gzip, attached, in case of
formatting problems).

TLS_ECDHE_ECDSA_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1
TLS_ECDHE_RSA_AES_128_GCM_SHA256
TLS_ECDHE_RSA_AES_256_GCM_SHA384
TLS_ECDHE_RSA_AES_128_CBC_SHA1
TLS_ECDHE_RSA_AES_128_CBC_SHA256
TLS_ECDHE_RSA_AES_256_CBC_SHA1
TLS_ECDHE_RSA_AES_256_CBC_SHA384
TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1
TLS_RSA_AES_128_GCM_SHA256
TLS_RSA_AES_256_GCM_SHA384
TLS_RSA_AES_128_CBC_SHA1
TLS_RSA_AES_128_CBC_SHA256
TLS_RSA_AES_256_CBC_SHA1
TLS_RSA_AES_256_CBC_SHA256
TLS_RSA_3DES_EDE_CBC_SHA1
TLS_DHE_RSA_AES_128_GCM_SHA256
TLS_DHE_RSA_AES_256_GCM_SHA384
TLS_DHE_RSA_AES_128_CBC_SHA1
TLS_DHE_RSA_AES_128_CBC_SHA256
TLS_DHE_RSA_AES_256_CBC_SHA1
TLS_DHE_RSA_AES_256_CBC_SHA256
TLS_DHE_RSA_3DES_EDE_CBC_SHA1
TLS_DHE_DSS_AES_128_GCM_SHA256
TLS_DHE_DSS_AES_256_GCM_SHA384
TLS_DHE_DSS_AES_128_CBC_SHA1
TLS_DHE_DSS_AES_128_CBC_SHA256
TLS_DHE_DSS_AES_256_CBC_SHA1
TLS_DHE_DSS_AES_256_CBC_SHA256
TLS_DHE_DSS_3DES_EDE_CBC_SHA1

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.2, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1, CURVE-SECP224R1, CURVE-SECP192R1
Attachment: gnutlslist.gz (application/gzip)
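
One way to use the list in the message above, as an added example that is not part of the original post and is not rsyslog or GnuTLS code: treat the FIPS-mode listing as an allow-list and report which suites in another listing fall outside it, and which component is the reason. `FIPS_EXCERPT` is a subset of the list in the message; `CANDIDATE` is constructed sample input, and the function names are hypothetical.

```python
import re

# Key-exchange prefixes as they appear in GnuTLS suite names, longest first.
KX = ("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA", "DHE_DSS", "RSA")

# Excerpt of the FIPS-mode list quoted in the message (paste the full list in practice).
FIPS_EXCERPT = """
TLS_ECDHE_RSA_AES_128_GCM_SHA256
TLS_ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_AES_128_CBC_SHA1
TLS_DHE_RSA_AES_256_CBC_SHA256
TLS_RSA_3DES_EDE_CBC_SHA1
"""

# Constructed sample: a listing as it might look on a host that is not in FIPS mode.
CANDIDATE = """
TLS_ECDHE_RSA_AES_128_GCM_SHA256
TLS_RSA_ARCFOUR_128_MD5
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1
TLS_RSA_AES_128_CBC_SHA1
"""

def suite_names(listing):
    """Extract TLS_* suite names; tolerates extra columns or other text on a line."""
    return re.findall(r"\bTLS_[A-Z0-9_]+\b", listing)

def split_suite(name):
    """Split 'TLS_<kx>_<cipher>_<hash>' into (kx, cipher, hash).
    For GCM suites the trailing hash is the PRF hash, not a record MAC."""
    body = name[len("TLS_"):]
    for kx in KX:
        if body.startswith(kx + "_"):
            cipher, _, digest = body[len(kx) + 1:].rpartition("_")
            return kx, cipher, digest
    raise ValueError("unrecognised key exchange in " + name)

def audit(allowed_listing, candidate_listing):
    """Map each candidate suite missing from the allow-list to the components
    (kx, cipher or hash) that never occur in any allowed suite."""
    allowed = set(suite_names(allowed_listing))
    parts = [split_suite(n) for n in allowed]
    seen = [set(p[i] for p in parts) for i in range(3)]
    report = {}
    for name in suite_names(candidate_listing):
        if name not in allowed:
            fields = split_suite(name)
            report[name] = [f for f, ok in zip(fields, seen) if f not in ok]
    return report
```

An empty list for a suite means every component appears somewhere in the allow-list but that particular combination does not.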

