By the way, and I know this probably doesn't help your audit requirement, but SSL is going to negotiate the strongest mode that the sender and receiver have in common, so it is never going to use RC4, even if you don't explicitly disable it.

When you have random folks on the Internet connecting, the negotiation of the 'strongest cipher in common' gets interesting enough that you really do want to disable it. But when you are controlling both sides, and they are even reasonably up to date and both the same implementation, the real risk is very low.

But as I say, audits usually don't care about real risk, they have their checkboxes...

David Lang


On Tue, 24 May 2016, David Lang wrote:

Date: Tue, 24 May 2016 16:16:22 -0700 (PDT)
From: David Lang <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Setting TLS cipher suite / disabling RC4

On Tue, 24 May 2016, Micah Yoder wrote:

We have a PCI requirement to disable the RC4 cipher on our rsyslog TLS setup. I for the life of me can not find a configuration option to set the cipher suite. What am I missing?

Unfortunately, rsyslog's use of gnutls is very basic. It has very few options. If there is anyone who is a guru in this area, we could use a lot of knowledgeable help.

Rsyslog treats the tls config as a black box providing the minimum config items needed to make things work.

It's possible that the library honors environment variables for some of these settings, if so you can work around the limits that way.

Before rsyslog started using gnutls, the work-around was to use stunnel and run the logging traffic through stunnel. This still works.

Patches to improve the control over gnutls would be very much welcome, but the trouble is that there is already far too much confusion over getting it to work, so just adding all the possible config options with good explanations over what's what and when it should be used would only increase the confusion.

Someone who really knows this library could probably identify a smallish subset of the options that we really should support and provide some sort of explanation as to what they mean pretty easily.


Unfortunately this is why so many TLS related questions go unanswered for a while here on the list.

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
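The stunnel work-around mentioned in the quoted message, written out as an added example (this is not configuration from the thread or from the rsyslog project): rsyslog keeps sending plain TCP syslog to a local port, stunnel wraps it in TLS, and the OpenSSL cipher list on both ends excludes RC4. Hostnames, ports and certificate paths are placeholders.

```ini
; Added example, not from the mailing-list thread. All hostnames, ports
; and file paths below are placeholders to be replaced with your own.

; --- client side: the host running rsyslog that forwards to the collector ---
; rsyslog sends plaintext to the local accept port, e.g. with the legacy
; action line:   *.* @@127.0.0.1:10514
[syslog-client]
client  = yes
accept  = 127.0.0.1:10514
connect = logcollector.example.net:6514
; require the collector's certificate to chain to this CA
CAfile  = /etc/stunnel/ca.pem
verify  = 2
; OpenSSL cipher list: strong suites only, RC4 and anonymous/NULL removed
ciphers = HIGH:!RC4:!aNULL:!eNULL

; --- server side: the collector, with rsyslog's imtcp listening locally ---
[syslog-server]
accept  = 6514
connect = 127.0.0.1:10514
cert    = /etc/stunnel/collector.pem
key     = /etc/stunnel/collector.key
; require client certificates that chain to this CA (mutual TLS)
CAfile  = /etc/stunnel/ca.pem
verify  = 2
ciphers = HIGH:!RC4:!aNULL:!eNULL
```

After restarting stunnel on the collector, a test client that offers only RC4 (for example `openssl s_client -cipher RC4 -connect logcollector.example.net:6514`) should fail the handshake, which is the evidence an auditor will ask for. Note that recent OpenSSL builds may have no RC4 suites at all, in which case that command fails before connecting, which is still the desired outcome.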
