
I need to disable TLS 1.2 and make sure connection accept TLS version 1.1 cipher suite SHA: AES128 & SHA: AES256. I do not find any supporting documentation to where to define TLS version. I noticed SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 can be defined in HTTPD config to enable/disable TLS version that you want but how do I do the same on rsyslog.

Here are my configs on the server side:

#rsyslogd -v
rsyslogd 8.24.0, compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

/etc/rsyslog.conf

##TLS Driver##
$DefaultNetstreamDriver gtls

##TLS Certificate##
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.crt
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.PEM
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/privatekey.key

module(load="imtcp"
       MaxSessions="2000"
       StreamDriver.mode="1"
       StreamDriver.authmode="x509/name"
       PermittedPeer="*.clientsidehost.com")
input(type="imtcp" port="20514" name="tcp-tls")

The application that I am trying to receive logs from has the following requirements, which I am trying to comply with.

  • TLS 1.0 & TLS 1.1 supported.
  • TLS 1.2 is not supported and it needs to be disabled on your configuration.
  • Cipher Suites SHA:AES128 & SHA: AES256 supported.

Any help would be greatly appreciated

Update:

# openssl ciphers -v | awk '{print $2}' | sort -u
SSLv3
TLSv1.2

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
  • What is the output of openssl ciphers -v | awk '{print $2}' | sort -u on your RH system? Commented May 19, 2018 at 21:43
  • @RuiFRibeiro Thanks for looking into this. I have updated my response in the question above Commented May 20, 2018 at 1:10
  • It makes no sense for you to disable 1.2; TLS automatically negotiates a common version between client and server and if the client only supports 1.1 it'll get 1.1. Do you have an example of this actually not working, preferably a wire trace (such as tcpdump) to show exactly what they're requesting? Commented May 22, 2018 at 3:34

1 Answer


Using a recent Linux distribution such as RHEL 7.0, you will find out openssl does not support TLS 1.0 and TLS 1.1 anymore for security reasons.

As you can see in the openssl ciphers -v output, TLS 1.0 and TLS 1.1 are not listed.

As a solution:

  • ask your supplier to support TLS 1.2, you will need it;
  • use an older RHEL version that supports TLS 1.0 or TLS 1.1, and point your actual syslog to it, if you have other apps that need the new RHEL version;
  • compile an older openssl version + rsyslog by hand;
  • or try to get away with installing an older rsyslogd rpm (probably won't work);
  • set up an SSL tunnel as a last temporary measure between you and rsyslog, again with another version. But for that, better use rsyslog there then.

Obviously, as time goes by, you will need more and more to have TLS 1.2 support in the near future.

  • Isn't rsyslog using GnuTLS as a crypto library? Commented May 20, 2018 at 14:48
  • @Jakuje could be, will double check it out later on Commented May 20, 2018 at 15:09
  • @RuiFRibeiro I still need to know where to disable TLS 1.2 if using older version of OS, Is that manage at compile time of the rsyslog Commented May 20, 2018 at 16:46
  • +1 for the security reasons. I would be surprised if it would be allowed in either crypto library in RHEL7. But talking about openssl, even though it is not used at all in the cycle is a bit off. Commented May 21, 2018 at 9:22
  • This is nonsense. There is no security reason to drop TLS1.1 and no real reason to drop 1.0 (only BEAST, which proved toothless and is mitigated clientside), although recent OpenSSL releases (at least upstream) do disable SSL3 because POODLE. ciphers -v lists only the lowest protocol version for each ciphersuite, and all suites in 1.0 and 1.1 were also in SSL3 before it was dropped, see stackoverflow.com/questions/27430158 And I don't have RHEL but yes rpmfind shows CentOS (7 and 6) rsyslog using gnutls. Commented May 22, 2018 at 3:28
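A worked example of where the protocol version is actually set, added here and not part of the question or the answer above: rsyslog 8.29.0 and later accept a gnutlsPriorityString parameter on the imtcp input (and on omfwd actions), which passes a GnuTLS priority string straight to the gtls driver. The 8.24.0 build in the question predates that parameter, so an upgraded rsyslog is assumed, as is GnuTLS as the backing library (the comments above note that the RHEL/CentOS packages link against it). The certificate paths and listener settings are the question's own; the priority strings are this example's.

```conf
# Added example (not from the question or answer). Assumes rsyslog >= 8.29.0
# (gnutlsPriorityString on imtcp) built against GnuTLS; the certificate
# paths and listener settings are copied from the question.

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.crt
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.PEM
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/privatekey.key

# StreamDriver.mode="1" means TLS only: plain TCP sessions are refused.
# authmode x509/name plus PermittedPeer checks the client certificate's
# name against the wildcard below.
module(load="imtcp"
       MaxSessions="2000"
       StreamDriver.mode="1"
       StreamDriver.authmode="x509/name"
       PermittedPeer="*.clientsidehost.com")

# GnuTLS priority string: start from the NORMAL profile, drop every TLS
# version, then re-add only what this listener may negotiate. This pins
# the listener to TLS 1.2, the direction the answer recommends.
input(type="imtcp" port="20514" name="tcp-tls"
      gnutlsPriorityString="NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2")

# The literal requirement from the question (TLS 1.0/1.1 only, TLS 1.2
# refused, AES-CBC suites with SHA-1 MACs) is expressed with the same
# syntax. It is shown only to illustrate the string; it re-enables the
# older protocol versions on the listener:
#
#   gnutlsPriorityString="NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:-MAC-ALL:+SHA1"
```

After restarting rsyslog, check the result from a client rather than trusting the config: `gnutls-cli --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" --x509cafile /etc/pki/rsyslog/ca.crt -p 20514 <server>` should fail the handshake against the TLS 1.2-only listener, while the same command with `+VERS-TLS1.2` should connect; a tcpdump of the ClientHello/ServerHello, as one comment suggests, shows the version the two sides actually agreed on. On the sending side, the omfwd action takes the same gnutlsPriorityString parameter, so a forwarder can be pinned the same way.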
