Return
-
Title
Force TLSv1.2 in Syslog-ng PE -
Description
TLS version 1.2 is required for use in logging with Syslog-ng PE. -
Cause
Vulnerabilities exist in version prior to TLS version 1.2. -
Resolution
General information
- Syslog-ng uses cipher-suite() tls option to specify the enabled encryption algorithm.
- The available algorithms list depends on the OpenSSL version used to compile syslog-ng PE.
Details can be found in the Release Notes. Latest version at the time of edit, 7.0.32
- More information about OpenSSL ciphers.
Syslog-ng PE 6
Enable all TLSv1.2 ciphers, disable ciphers offering null authentication.
cipher-suite("TLSv1.2:!aNULL")
Specific TLSv1.2 cipher suites, ECDHE-RSA.
cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")
Syslog-ng PE 7
In syslog-ng PE 7 ssl-options() is introduced, which currently can disable specific protocol versions.
The best solution is combing with cipher-suite() option.Enable all TLSv1.2 ciphers, and disable ciphers offering null authentication.
cipher-suite("ALL:!aNULL")
ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)Specific TLSv1.2 cipher suites, ECDHE. (IMPORTANT: Check your Organization's Policies on Secure Allowed Protocols)
cipher-suite("ECDHE:!aNULL")
ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)Example:
destination demo_tls_destination { network("192.168.100.100" port(6514) transport("tls") tls( ca-dir("/etc/syslog-ng/ca.d") key-file("/etc/syslog-ng/cert.d/clientkey.pem") cert-file("/etc/syslog-ng/cert.d/clientcert.pem") cipher-suite("ECDHE:!aNULL") ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)) ); };