Return
-
Title
Force TLSv1.2 in Syslog-ng PE -
Description
TLS version 1.2 is required for use in logging with Syslog-ng PE. -
Cause
Vulnerabilities exist in version prior to TLS version 1.2. -
Resolution
General information
- Syslog-ng uses cipher-suite() tls option to specify the enabled encryption algorithm. More information: syslog-ng PE 6, syslog-ng PE 7
- The list of available algorithms depends on the version of OpenSSL used to compile syslog-ng PE.
Details can be found in the Release Notes. Latest version at the time of edit, 7.0.19.
- More information about OpenSSL ciphers.
Syslog-ng PE 6
Enable all TLSv1.2 ciphers, disable ciphers offering null authentication.
cipher-suite("TLSv1.2:!aNULL")
Specific TLSv1.2 cipher suites, ECDHE-RSA.
cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")
Syslog-ng PE 7
In syslog-ng PE 7 ssl-options() is introduced, which currently, can disable specific protocol versions.
The best solution is combing with cipher-suite() option.Enable all TLSv1.2 ciphers, disable ciphers offering null authentication.
cipher-suite("ALL:!aNULL")
ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)Specific TLSv1.2 cipher suites, ECDHE.
cipher-suite("ECDHE:!aNULL")
ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)