Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Since Graylog 3.1/3.0 used SSL Ciphers are not configurable #9069

Open HenryTheSir opened 4 years ago

HenryTheSir commented 4 years ago

Since Graylog 3.1/3.0 the used SSL ciphers are not configurable. Before 3.1/3.0 the SSL ciphers could be configured via a separate security.props (as described here: https://docs.graylog.org/en/3.1/pages/configuration/https.html#disabling-specific-tls-ciphers-and-algorithms ). In newer versions it is only possible to configure the used SSL versions, but not explicitly the ciphers which should be used.

Expected Behavior

The used SSL version and SSL ciphers are configurable via graylog.conf, a Java property or a specific openssl.cnf file.

Current Behavior

Only the SSL version is configurable via the configuration. The ciphers which are used depend on the JDK and the allowed SSL versions. A specific security.props or a specific openssl.cnf for the Graylog process is not honored.

Possible Solution

Implement configurable SSL Ciphers.

Steps to Reproduce (for bugs)

  1. Start Graylog
  2. Test Cipher Suites
  3. ??
  4. Used Cipher Suites can not be changed

Context

Compliance Guidelines may predefine which cipher suites are considered safe and all other cipher suites need to be disabled.

Your Environment

mpfz0r commented 3 years ago

In 3.0 we switched to a new Netty version, which is using tcnative by default for performance reasons. This is the bug responsible: https://github.com/netty/netty-tcnative/issues/530

You could configure transport_netty_tls_provider = jdk as a workaround.
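The workaround works because the JDK (SunJSSE) provider applies the jdk.tls.disabledAlgorithms security property, the same mechanism the old security.props file used, while the OpenSSL-backed tcnative engine does not read it. The following added example (not Graylog or Netty code) demonstrates that: it extends the property with a constructed list of forbidden suites, then lists what the JDK engine still enables and reports any policy violation. It assumes it runs before any other TLS use in the process, since SunJSSE reads the property only once.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class JdkCipherPolicyCheck {

    // Constructed example of suites a compliance guideline might forbid (static RSA key exchange).
    static final List<String> FORBIDDEN = Arrays.asList(
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_256_GCM_SHA384");

    /** Cipher suites the JDK engine would offer under the current security properties. */
    static List<String> enabledSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key/trust material is enough for listing
        SSLEngine engine = ctx.createSSLEngine();
        return Arrays.asList(engine.getEnabledCipherSuites());
    }

    /** Forbidden suites that are still enabled; an empty list means the policy is honoured. */
    static List<String> violations(List<String> enabled) {
        List<String> bad = new ArrayList<>();
        for (String suite : FORBIDDEN) {
            if (enabled.contains(suite)) bad.add(suite);
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Extend the built-in disabled list. This must happen before any JSSE class is
        // initialised; for a running service use -Djava.security.properties=<override file>.
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String extra = String.join(", ", FORBIDDEN);
        Security.setProperty("jdk.tls.disabledAlgorithms",
                (current == null || current.isEmpty()) ? extra : current + ", " + extra);

        List<String> enabled = enabledSuites();
        System.out.println("Enabled suites (" + enabled.size() + "):");
        for (String suite : enabled) System.out.println("  " + suite);

        List<String> bad = violations(enabled);
        if (!bad.isEmpty()) {
            throw new IllegalStateException("Policy not honoured, still enabled: " + bad);
        }
        System.out.println("All forbidden suites are disabled by the JDK provider.");
    }
}
```

The same check run with the tcnative/OpenSSL engine selected would still offer the forbidden suites, which is the behaviour this issue reports.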