Open HenryTheSir opened 4 years ago
In 3.0 we switched to a new Netty version, which is using tcnative by default for performance reasons. This is the bug responsible: https://github.com/netty/netty-tcnative/issues/530
You could configure `transport_netty_tls_provider = jdk` as a workaround.
Since Graylog 3.1/3.0 the SSL ciphers used are not configurable. Before 3.1/3.0 the SSL ciphers could be configured via a separate security.props (as described here: https://docs.graylog.org/en/3.1/pages/configuration/https.html#disabling-specific-tls-ciphers-and-algorithms ). In newer versions it is only possible to configure the SSL versions used, but not explicitly the ciphers that should be used.
Expected Behavior
The SSL version and SSL ciphers used are configurable via Graylog.conf, a Java property or a specific openssl.cnf file.
Current Behavior
Only the SSL version is configurable via the configuration. The ciphers used depend on the JDK and the allowed SSL versions. A specific security.props or a specific openssl.cnf for the Graylog process is not honored.
Possible Solution
Implement configurable SSL Ciphers.
Steps to Reproduce (for bugs)
Context
Compliance Guidelines may predefine which cipher suites are considered safe and all other cipher suites need to be disabled.
Your Environment
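The workaround from the comment above, paired with the JDK security-properties override the issue refers to, as an added illustration that is not part of this issue or of Graylog's own configuration. The `enabled_tls_protocols` key, the override file path and the `GRAYLOG_SERVER_JAVA_OPTS` variable are assumptions; `transport_netty_tls_provider`, `-Djava.security.properties` and `jdk.tls.disabledAlgorithms` are the documented names.

```ini
# --- graylog.conf (server configuration) ---
# Switch Netty from the tcnative/OpenSSL provider back to the JDK (JSSE) provider,
# so that the JDK security properties below are honoured again (setting from the comment above).
transport_netty_tls_provider = jdk
# Assumed key name for the protocol allow-list (the only TLS knob the issue says still works).
enabled_tls_protocols = TLSv1.2,TLSv1.3

# --- /etc/graylog/server/java.security.override (constructed path) ---
# Loaded by adding the standard JDK override flag to the server's JVM options, e.g.
#   GRAYLOG_SERVER_JAVA_OPTS="-Djava.security.properties=/etc/graylog/server/java.security.override"
# (the variable name is an assumption about the service unit; the flag itself is standard JDK).
# Entries in jdk.tls.disabledAlgorithms are removed from the JSSE protocol and cipher list.
# Algorithm keywords (RC4, DES, 3DES_EDE_CBC, anon, NULL, key-size limits) are accepted by all
# current JDKs; full cipher-suite names are accepted by newer JDKs, so check the effect on yours.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, 3DES_EDE_CBC, MD5withRSA, \
    DH keySize < 2048, EC keySize < 224, anon, NULL, \
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
```

After restarting the server, confirm the negotiated suites from a client against your own listener rather than trusting the file, for example with `nmap --script ssl-enum-ciphers -p <graylog-port> <host>`.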