Without having tried this myself, rsyslog exposes `tls.prioritystring` option for `relp` which would be used to configure, among other things, ciphers that can be used.
Doing a quick google search for `gnutls priority string disable rc4` brings up this page: http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-with-gnutls/ If all goes well you should be running a decent cipher list as a result. I will try to find some time later today to get a proper tls setup going and provide more information.

On Wed, May 25, 2016 at 6:43 AM, Micah Yoder <[email protected]> wrote:

> Thanks for the info and, yes, that's a good point. These certainly are not
> Internet facing and we control both ends. This is probably a good case for
> an exception. Otherwise I'll look up controlling gnutls via environment
> variables and/or sending it through autossh tunnels.
>
> On 05/25/2016 12:22 AM, David Lang wrote:
>
>> By the way, and I know this probably doesn't help your audit
>> requirement, but SSL is going to negotiate the strongest mode that the
>> sender and receiver have in common, so it is never going to use RC4,
>> even if you don't explicitly disable it.
>>
>> When you have random folks on the Internet connecting, the negotiation
>> of the 'strongest cipher in common' gets interesting enough that you
>> really do want to disable it. But when you are controlling both sides,
>> and they are even reasonably up to date and both the same
>> implementation, the real risk is very low.
>>
>> But as I say, audits usually don't care about real risk, they have their
>> checkboxes...
>>
>> David Lang
>>
>> On Tue, 24 May 2016, David Lang wrote:
>>
>>> Date: Tue, 24 May 2016 16:16:22 -0700 (PDT)
>>> From: David Lang <[email protected]>
>>> To: rsyslog-users <[email protected]>
>>> Subject: Re: [rsyslog] Setting TLS cipher suite / disabling RC4
>>>
>>> On Tue, 24 May 2016, Micah Yoder wrote:
>>>
>>>> We have a PCI requirement to disable the RC4 cipher on our rsyslog
>>>> TLS setup. I for the life of me can not find a configuration option
>>>> to set the cipher suite. What am I missing?
>>>
>>> Unfortunately, rsyslog's use of gnutls is very basic. It has very few
>>> options. If there is anyone who is a guru in this area, we could use a
>>> lot of knowledgeable help.
>>>
>>> Rsyslog treats the tls config as a black box providing the minimum
>>> config items needed to make things work.
>>>
>>> It's possible that the library honors environment variables for some
>>> of these settings, if so you can work around the limits that way.
>>>
>>> Before rsyslog started using gnutls, the work-around was to use
>>> stunnel and run the logging traffic through stunnel. This still works.
>>>
>>> Patches to improve the control over gnutls would be very much welcome,
>>> but the trouble is that there is already far too much confusion over
>>> getting it to work, so just adding all the possible config options
>>> with good explanations over what's what and when it should be used
>>> would only increase the confusion.
>>>
>>> Someone who really knows this library could probably identify a
>>> smallish subset of the options that we really should support and
>>> provide some sort of explanation as to what they mean pretty easily.
>>>
>>> Unfortunately this is why so many TLS related questions go unanswered
>>> for a while here on the list.
>>>
>>> David Lang
>>>
>>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
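An added configuration example, not from this thread and not from rsyslog's own documentation, showing how the `tls.prioritystring` option mentioned for RELP above would be used on both the `omrelp` sender and the `imrelp` receiver to drop RC4. The hostnames, port, and certificate paths are placeholders; the priority string uses GnuTLS syntax, starting from the NORMAL set and removing both RC4 (ARCFOUR) cipher variants and SSL 3.0.

```rsyslog
# Added example, not part of the thread. RELP over TLS with an explicit
# GnuTLS priority string: NORMAL minus both RC4 variants minus SSLv3.
# GnuTLS names RC4 "ARCFOUR"; certificate paths, hostnames and the port
# are placeholders.

# --- sending side: client forwarding to the collector ---
module(load="omrelp")
action(type="omrelp"
       target="logcollector.example.internal"
       port="2514"
       tls="on"
       tls.caCert="/etc/rsyslog.d/ca.pem"
       tls.myCert="/etc/rsyslog.d/client.pem"
       tls.myPrivKey="/etc/rsyslog.d/client.key"
       tls.authMode="name"
       tls.permittedPeer="logcollector.example.internal"
       tls.prioritystring="NORMAL:-ARCFOUR-128:-ARCFOUR-40:-VERS-SSL3.0")

# --- receiving side: collector; the same string is applied here so a
# sender that was missed during rollout cannot negotiate RC4 either ---
module(load="imrelp")
input(type="imrelp"
      port="2514"
      tls="on"
      tls.caCert="/etc/rsyslog.d/ca.pem"
      tls.myCert="/etc/rsyslog.d/server.pem"
      tls.myPrivKey="/etc/rsyslog.d/server.key"
      tls.authMode="name"
      tls.permittedPeer=["client1.example.internal"]
      tls.prioritystring="NORMAL:-ARCFOUR-128:-ARCFOUR-40:-VERS-SSL3.0")
```

Before deploying, `gnutls-cli -l --priority 'NORMAL:-ARCFOUR-128:-ARCFOUR-40:-VERS-SSL3.0'` lists only the cipher suites that string permits, so no ARCFOUR suite should appear in its output.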

