On Sat, Oct 09, 2021 at 09:36:01PM +0100, Stuart Henderson wrote:
> This allows setting which TLS versions are usable by syslogd. Some
> environments require that TLSv1.0 is disabled. Manual wording stolen from
> ftp(1). any comments? ok?
netcat and ftp allow giving TLS options as key=value. Maybe we
want that here, otherwise we could run out of option letters. Do
our users want specific ciphers or other things?
Is it wise to set the same options for client and server TLS?
When syslogd is relaying messages from dumb devices with broken TLS
stacks to modern SIEM systems, the requirements on both sides are
different. I avoided diving too deeply into this question by using
sane defaults. I use "all" or "compat" cipher lists.
It seems for your use case the defaults do not match.
Do you need TLS 1.0 disabled for the receiving or the sending side?
bluhm
> Index: syslogd.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.60
> diff -u -p -r1.60 syslogd.8
> --- syslogd.8 27 Sep 2018 08:33:25 -0000 1.60
> +++ syslogd.8 9 Oct 2021 20:27:37 -0000
> @@ -51,6 +51,7 @@
> .Op Fl S Ar listen_address
> .Op Fl s Ar reporting_socket
> .Op Fl T Ar listen_address
> +.Op Fl t Ar tls_protocols
> .Op Fl U Ar bind_address
> .Ek
> .Sh DESCRIPTION
> @@ -155,6 +156,12 @@ There is no well-known port for syslog o
> must be specified using the
> .Ar host : Ns Ar port
> syntax.
> +.It Fl t Ar tls_protocols
> +Specify the TLS protocols that will be supported by
> +.Nm
> +(see
> +.Xr tls_config_parse_protocols 3
> +for details).
> .It Fl U Ar bind_address
> Create a UDP socket for receiving messages and bind it to the
> specified address.
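Review bot: the new `.It Fl t Ar tls_protocols` entry documents neither the default nor the scope of the option; in the syslogd.c hunks tls_protocols is initialised to TLS_PROTOCOLS_ALL and the same value is passed to tls_config_set_protocols() for both client_config and server_config, so the manual should state that all protocols are enabled by default and that the setting applies to both incoming (listening) and outgoing (forwarding) TLS connections.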
> Index: syslogd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.270
> diff -u -p -r1.270 syslogd.c
> --- syslogd.c 19 Sep 2021 10:17:36 -0000 1.270
> +++ syslogd.c 9 Oct 2021 20:27:37 -0000
> @@ -373,6 +373,7 @@ main(int argc, char *argv[])
> char **path_unix, *path_ctlsock;
> char **bind_host, **bind_port, **listen_host, **listen_port;
> char *tls_hostport, **tls_host, **tls_port;
> + uint32_t tls_protocols = TLS_PROTOCOLS_ALL;
>
> /* block signal until handler is set up */
> sigemptyset(&sigmask);
> @@ -392,7 +393,7 @@ main(int argc, char *argv[])
> nbind = nlisten = ntls = 0;
>
> while ((ch = getopt(argc, argv,
> - "46a:C:c:dFf:hK:k:m:nP:p:rS:s:T:U:uVZ")) != -1) {
> + "46a:C:c:dFf:hK:k:m:nP:p:rS:s:T:t:U:uVZ")) != -1) {
> switch (ch) {
> case '4': /* disable IPv6 */
> Family = PF_INET;
> @@ -463,6 +464,11 @@ main(int argc, char *argv[])
> address_alloc("listen", optarg, &listen_host,
> &listen_port, &nlisten);
> break;
> + case 't': /* specify protocols for TLS */
> + if (tls_config_parse_protocols(&tls_protocols, optarg)
> + != 0)
> + errx(1, "failed to parse TLS protocols");
> + break;
> case 'U': /* allow udp only from address */
> address_alloc("bind", optarg, &bind_host, &bind_port,
> &nbind);
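Review bot: the errx() in the new `case 't'` discards the rejected argument, and since tls_config_parse_protocols() takes no struct tls_config there is no tls_config_error() string to fall back on; include optarg so the user sees what was refused, e.g. `errx(1, "failed to parse TLS protocols: %s", optarg);`.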
> @@ -645,7 +651,7 @@ main(int argc, char *argv[])
> log_warnx("options -c and -k must be used together");
> }
> if (tls_config_set_protocols(client_config,
> - TLS_PROTOCOLS_ALL) != 0)
> + tls_protocols) != 0)
> log_warnx("set client TLS protocols: %s",
> tls_config_error(client_config));
> if (tls_config_set_ciphers(client_config, "all") != 0)
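Review bot: this hunk and the server_config hunk below feed the one tls_protocols value from -t into both tls_config_set_protocols() calls, so disabling TLSv1.0 for the collector you forward to also disables it for devices sending to you; if a single shared setting is the intended design, the commit message and manual should say so, otherwise the option needs a way to distinguish client and server protocol sets.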
> @@ -695,7 +701,7 @@ main(int argc, char *argv[])
> tls_config_verify_client(server_config);
> }
> if (tls_config_set_protocols(server_config,
> - TLS_PROTOCOLS_ALL) != 0)
> + tls_protocols) != 0)
> log_warnx("set server TLS protocols: %s",
> tls_config_error(server_config));
> if (tls_config_set_ciphers(server_config, "compat") != 0)