[rsyslog-notify] Forum Thread: Anonymous TLS + GNUTLS prioritystring - (Mode 'post')

noreply at adiscon.com
Wed Feb 17 21:57:59 CET 2016


User: forbiddenlake 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26351#p26351

Message: 
----------
I would like to enable TLS for my rsyslog remote logging at work, but
security requirements mean I:
a) MUST disable SSL 3.0
b) MUST enable TLS 1.2 (1.0 and 1.1 are good too)
c) SHOULD disable RC4 cipher suites
d) SHOULD disable anonymous cipher suites
Also, to be less work, I would like:
e) ANONYMOUS TLS

Config:
global (
        debug.gnutls="10"
# For TCP/TLS
#       defaultNetstreamDriver="gtls"
#       defaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca-certificates.crt"
#       defaultNetstreamDriverCertFile="/etc/pki/tls/certs/server.crt"
#       defaultNetstreamDriverKeyFile="/etc/pki/tls/certs/server.key"
)
module(load="imtcp")
# TCP/TLS fails for +SSLv3 -TLSv1.2
#module(load="imtcp" StreamDriver.Mode="1" StreamDriver.AuthMode="anon") # needs to be done just once
# Plain
input(type="imtcp" port="514")

module(load="imrelp") # needs to be done just once
input(type="imrelp" port="2514" tls="on"
#        tls.dhbits="2048"
#        tls.authMode="fingerprint"
        tls.prioritystring="NONE:+SECURE128:+VERS-TLS-ALL:-VERS-SSL3.0:+KX-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+SIGN-ALL:+CTYPE-ALL"
#        tls.myCert="/etc/pki/tls/certs/server.crt"
#        tls.myPrivKey="/etc/pki/tls/certs/lserver.key"
#        tls.permittedpeer="*"
)

1) Using imrelp, can I set tls.prioritystring and still allow anonymous
TLS?
With only tls="on", it works, but fails for (a) through (d) above.
If I try to set just tls.prioritystring, it does not work, with "Could not
negotiate a supported cipher suite", no matter how wide I try to make the
priority string.
And I haven't even been able to get it to work with the key & cert stuff
set.

or,
2) Using the gtls driver, can I fulfill the above requirements, e.g., set
the priority string somehow?

I am using:
CentOS 7.2
gnutls-3.3.8
rsyslog-8.16.0
librelp-1.2.9
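Added example, not part of the forum post and not code from rsyslog, librelp or GnuTLS: a small Python model of the GnuTLS priority-string grammar that scores a candidate string against the requirement list (a) through (e) above before it is put into an rsyslog config. The expansion tables are a constructed, simplified subset (which algorithms NORMAL, SECURE128 and KX-ALL pull in differs between GnuTLS releases, and whether KX-ALL covers the anonymous exchanges is an assumption here), so the authoritative check for an installed release remains `gnutls-cli --priority '<string>' -l`. What the model does show exactly is the order-dependent +/-/! evaluation, and that (d) and (e) cannot both be met by one string, because anonymous TLS is itself an anonymous cipher suite and needs an anonymous key exchange enabled.

```python
"""Model of a GnuTLS-style priority string, used to check a candidate string
against a requirement list before it goes into an rsyslog/librelp config.

Constructed, simplified model (not GnuTLS's parser): the tables cover a
subset of keywords and the contents of bulk keywords (NORMAL, SECURE128,
KX-ALL, VERS-TLS-ALL) vary between GnuTLS releases.  The grammar is the
real one: an initial level keyword, then operations prefixed with +
(enable) or -/! (disable), applied strictly left to right; %options and
@profiles are passed through untouched.
"""

# --- constructed tables (subset; assumptions, not GnuTLS's own lists) ------
VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2"}
CIPHERS = {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC",
           "CAMELLIA-128-CBC", "CAMELLIA-256-CBC", "ARCFOUR-128", "3DES-CBC"}
KX = {"RSA", "DHE-RSA", "DHE-DSS", "ECDHE-RSA", "ECDHE-ECDSA",
      "ANON-DH", "ANON-ECDH"}
ANON_KX = {"ANON-DH", "ANON-ECDH"}   # anonymous key exchanges
RC4_CIPHERS = {"ARCFOUR-128"}        # RC4 under its GnuTLS name

# Bulk keywords -> (category, members).  Assumption in this model: KX-ALL
# does not pull in the anonymous exchanges and SECURE128 excludes RC4 and
# 3DES; confirm for the installed release with gnutls-cli --priority ... -l.
BULK = {
    "VERS-ALL": ("versions", set(VERSIONS)),
    "VERS-TLS-ALL": ("versions", VERSIONS - {"VERS-SSL3.0"}),
    "CIPHER-ALL": ("ciphers", set(CIPHERS)),
    "SECURE128": ("ciphers", CIPHERS - RC4_CIPHERS - {"3DES-CBC"}),
    "KX-ALL": ("kx", KX - ANON_KX),
}

# Initial level keywords -> starting state (again a constructed subset).
LEVELS = {
    "NONE": {"versions": set(), "ciphers": set(), "kx": set()},
    "NORMAL": {"versions": set(VERSIONS), "ciphers": set(CIPHERS),
               "kx": KX - ANON_KX},
}


def _expand(name):
    """Map one keyword to (category, members); (None, set()) if unmodelled."""
    if name in BULK:
        cat, members = BULK[name]
        return cat, set(members)
    for cat, table in (("versions", VERSIONS), ("ciphers", CIPHERS), ("kx", KX)):
        if name in table:
            return cat, {name}
    return None, set()


def parse_priority(pstring):
    """Apply the string left to right; return (state, unmodelled_tokens)."""
    tokens = [t for t in pstring.split(":") if t]
    if not tokens or tokens[0].upper() not in LEVELS:
        raise ValueError("string must start with NONE or NORMAL in this model")
    state = {cat: set(m) for cat, m in LEVELS[tokens[0].upper()].items()}
    unmodelled = []
    for tok in tokens[1:]:
        if tok[0] in "%@":            # %option / @profile: passed through
            unmodelled.append(tok)
            continue
        op, name = tok[0], tok[1:].upper()
        if op not in "+-!":
            raise ValueError(f"keyword {tok!r} needs a +, - or ! prefix")
        cat, members = _expand(name)
        if cat is None:               # MAC-ALL, COMP-NULL, CURVE-ALL, ...
            unmodelled.append(tok)
            continue
        if op == "+":
            state[cat] |= members
        else:
            state[cat] -= members
    return state, unmodelled


def check_requirements(pstring, want_anonymous):
    """Score a string against requirements (a)-(e) from the post."""
    state, _ = parse_priority(pstring)
    report = {
        "ssl3_disabled": "VERS-SSL3.0" not in state["versions"],   # (a)
        "tls12_enabled": "VERS-TLS1.2" in state["versions"],       # (b)
        "rc4_disabled": not (state["ciphers"] & RC4_CIPHERS),      # (c)
        "anon_kx_enabled": bool(state["kx"] & ANON_KX),            # (d)/(e)
    }
    # (d) and (e) are mutually exclusive: anonymous TLS needs an anonymous
    # key exchange, so the caller's choice decides the last check.
    report["ok"] = (report["ssl3_disabled"] and report["tls12_enabled"]
                    and report["rc4_disabled"]
                    and report["anon_kx_enabled"] == want_anonymous)
    return report


# The string from the post, and the same string with the anonymous exchanges
# explicitly enabled (a candidate to test, not a verified librelp config).
POSTED = ("NONE:+SECURE128:+VERS-TLS-ALL:-VERS-SSL3.0:+KX-ALL:+MAC-ALL"
          ":+COMP-NULL:+CURVE-ALL:+SIGN-ALL:+CTYPE-ALL")
WITH_ANON = POSTED + ":+ANON-ECDH:+ANON-DH"

if __name__ == "__main__":
    for label, s, anon in (("posted, cert auth", POSTED, False),
                           ("posted, anonymous", POSTED, True),
                           ("with anon kx, anonymous", WITH_ANON, True)):
        print(f"{label}: {check_requirements(s, anon)}")
    # Order matters: a disable placed before the bulk enable has no effect.
    print(parse_priority("NONE:-VERS-SSL3.0:+VERS-ALL")[0]["versions"])
```

Under this model the posted string satisfies (a) through (d) but not (e), since nothing in it enables ANON-DH or ANON-ECDH; appending them makes (e) hold and (d) fail, which is the trade-off the requirement list itself contains. Tokens the model does not understand (MAC-ALL, COMP-NULL, CURVE-ALL, SIGN-ALL, CTYPE-ALL) are reported back rather than silently dropped, so nothing in a string goes unchecked without notice.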

