Thanks for the info and, yes, that's a good point. These certainly are
not Internet facing and we control both ends. This is probably a good
case for an exception. Otherwise I'll look up controlling gnutls via
environment variables and/or sending it through autossh tunnels.
On 05/25/2016 12:22 AM, David Lang wrote:
By the way, and I know this probably doesn't help your audit
requirement, but SSL is going to negotiate the strongest mode that the
sender and receiver have in common, so it is never going to use RC4,
even if you don't explicitly disable it.
When you have random folks on the Internet connecting, the negotiation
of the 'strongest cipher in common' gets interesting enough that you
really do want to disable it. But when you are controlling both sides,
and they are even reasonably up to date and both the same
implementation, the real risk is very low.
But as I say, audits usually don't care about real risk, they have their
checkboxes...
David Lang
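The negotiation David describes above can be made concrete with a small model. The following is an added illustration, not rsyslog or GnuTLS code: the server selects a suite from the intersection of what the client offered and what it is configured to allow, using its own order when server preference is on and the client's order otherwise. The suite names and the four configured lists are constructed examples; the point is that an RC4-only or RC4-first peer still ends up on RC4 unless the server drops it from its allowed list outright, which is why the audit checkbox and the "real risk" argument can both be right.

```python
"""Toy model of TLS cipher-suite selection (added example; suite lists are constructed)."""
from typing import Dict, List, Optional

# Constructed server configuration: strongest first, RC4 still present at the end.
SERVER_ALLOWED = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]

# Same server with RC4 removed, which is what a PCI-style requirement asks for.
SERVER_HARDENED = [s for s in SERVER_ALLOWED if not s.startswith("RC4")]


def negotiate(client_offer: List[str], server_allowed: List[str],
              server_preference: bool = True) -> Optional[str]:
    """Return the suite the server would pick, or None if there is nothing in common.

    With server_preference the server walks its own ordered list and takes the
    first suite the client also offered; otherwise it honours the client's order.
    """
    if server_preference:
        ordered, pool = server_allowed, set(client_offer)
    else:
        ordered, pool = client_offer, set(server_allowed)
    for suite in ordered:
        if suite in pool:
            return suite
    return None  # handshake failure: no common suite


def scenarios() -> Dict[str, Optional[str]]:
    """Run the cases discussed in the thread and return what each one negotiates."""
    modern_client = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
    rc4_first_client = ["RC4-SHA", "AES128-SHA", "AES256-GCM-SHA384"]
    rc4_only_client = ["RC4-SHA"]
    return {
        # Both ends up to date: the strongest common suite wins, RC4 is never used.
        "modern_vs_default": negotiate(modern_client, SERVER_ALLOWED),
        # Server preference protects against a client that merely prefers RC4...
        "rc4_first_vs_default_server_pref": negotiate(rc4_first_client, SERVER_ALLOWED, True),
        # ...but not when the server defers to client order.
        "rc4_first_vs_default_client_pref": negotiate(rc4_first_client, SERVER_ALLOWED, False),
        # A peer that only speaks RC4 still gets RC4 unless the server has disabled it.
        "rc4_only_vs_default": negotiate(rc4_only_client, SERVER_ALLOWED),
        # With RC4 removed the handshake fails rather than silently downgrading.
        "rc4_only_vs_hardened": negotiate(rc4_only_client, SERVER_HARDENED),
    }


if __name__ == "__main__":
    for name, suite in scenarios().items():
        print(f"{name:40s} -> {suite}")
```

Read the last two cases together: "the real risk is very low" holds for the first case, and the hardened list is what turns that expectation into a guarantee the auditor can verify.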
On Tue, 24 May 2016, David Lang wrote:
Date: Tue, 24 May 2016 16:16:22 -0700 (PDT)
From: David Lang <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Setting TLS cipher suite / disabling RC4
On Tue, 24 May 2016, Micah Yoder wrote:
We have a PCI requirement to disable the RC4 cipher on our rsyslog
TLS setup. I for the life of me can not find a configuration option
to set the cipher suite. What am I missing?
Unfortunately, rsyslog's use of gnutls is very basic. It has very few
options. If there is anyone who is a guru in this area, we could use a
lot of knowledgeable help.
Rsyslog treats the tls config as a black box providing the minimum
config items needed to make things work.
It's possible that the library honors environment variables for some
of these settings, if so you can work around the limits that way.
Before rsyslog started using gnutls, the work-around was to use
stunnel and run the logging traffic through stunnel. This still works.
Patches to improve the control over gnutls would be very much welcome,
but the trouble is that there is already far too much confusion over
getting it to work, so just adding all the possible config options
with good explanations over what's what and when it should be used
would only increase the confusion.
Someone who really knows this library could probably identify a
smallish subset of the options that we really should support and
provide some sort of explanation as to what they mean pretty easily.
Unfortunately this is why so many TLS related questions go unanswered
for a while here on the list.
David Lang
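For the stunnel work-around mentioned above, the cipher policy lives in stunnel's own configuration rather than in rsyslog, and because stunnel is OpenSSL based the cipher string can be validated with Python's `ssl` module before it is deployed. The following is an added example, not part of the thread or of the rsyslog or stunnel projects: it checks that a candidate OpenSSL cipher string excludes RC4 and then renders a client-side stunnel section for forwarding syslog. The host names, ports and file paths are placeholders, and the stunnel option names (`client`, `accept`, `connect`, `ciphers`, `verify`, `CAfile`, `options`) are assumed to match the installed stunnel version; check them against its man page.

```python
"""Validate an OpenSSL cipher string and render a stunnel client section (added example)."""
import ssl
from typing import List

# Candidate policy for the stunnel side: strong suites only, RC4 and anonymous suites excluded.
CIPHER_STRING = "HIGH:!RC4:!aNULL:!MD5"


def allowed_cipher_names(cipher_string: str) -> List[str]:
    """Expand an OpenSSL cipher string into the suite names the local OpenSSL would enable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def cipher_string_valid(cipher_string: str) -> bool:
    """True if OpenSSL accepts the string and it enables at least one suite."""
    try:
        return len(allowed_cipher_names(cipher_string)) > 0
    except ssl.SSLError:
        return False


def uses_rc4(cipher_string: str) -> bool:
    """True if any suite enabled by the string is RC4 based (the audit finding to avoid)."""
    return any("RC4" in name for name in allowed_cipher_names(cipher_string))


def stunnel_client_config(remote_host: str, remote_port: int, local_port: int,
                          cipher_string: str, ca_file: str) -> str:
    """Render a stunnel client section; rsyslog then forwards plain TCP to 127.0.0.1:local_port.

    Option names are assumed from stunnel's documented configuration and should be
    confirmed for the installed version. Values passed in are placeholders.
    """
    if not cipher_string_valid(cipher_string) or uses_rc4(cipher_string):
        raise ValueError("cipher string is invalid or still permits RC4")
    return "\n".join([
        "[syslog-tls]",
        "client = yes",
        f"accept = 127.0.0.1:{local_port}",
        f"connect = {remote_host}:{remote_port}",
        f"ciphers = {cipher_string}",
        "verify = 2",                    # require a valid peer certificate chain
        f"CAfile = {ca_file}",
        "options = NO_SSLv2",
        "options = NO_SSLv3",
        "",
    ])


if __name__ == "__main__":
    print("RC4 enabled:", uses_rc4(CIPHER_STRING))
    print(stunnel_client_config("loghost.example.invalid", 6514, 10514,
                                CIPHER_STRING, "/etc/stunnel/ca.pem"))
```

The rsyslog side then needs only a plain TCP forward to the local stunnel listener (for example `*.* @@127.0.0.1:10514` in the legacy syntax), which keeps the cipher policy entirely outside rsyslog's gnutls wrapper.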
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.