Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ossl netstream driver: allow ephemeral Diffie-Hellman key exchange #5323

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ossl netstream driver: allow ephemeral Diffie-Hellman key exchange #5323

wants to merge 1 commit into from

Conversation

Cropi
Copy link
Collaborator

@Cropi Cropi commented Feb 9, 2024
edited

Use well known DH parameters that have built-in support in OpenSSL. From the man page: If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key.

Current situation

Using the ossl netstream driver, I am not able to create an imtcp instance, which uses only the following cipher list (the highlight is on the ephemeral DH exchange part) :

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Configuration snippet:

module(load="imtcp"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="anon"
  StreamDriver.Name="ossl"
  gnutlsPriorityString="Protocol=-ALL,TLSv1.2\nCipherString=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
  MaxListeners="50")

input(type="imtcp" port="6514")

$DefaultNetstreamDriverCertFile /path/to/server-cert.pem
$DefaultNetstreamDriverKeyFile  /path/to/server-key.pem

The problem is that the requested ciphers are not available even if I delete the priorityString setting. This does not apply to the gtls driver. The following works as expected:

module(load="imtcp"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="anon"
  StreamDriver.Name="gtls"
  gnutlsPriorityString="SECURE128:+SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-RSA:-CIPHER-ALL:+AES-256-GCM:+AES-128-GCM"
  MaxListeners="50")

input(type="imtcp" port="6514")

$DefaultNetstreamDriverCertFile /path/to/server-cert.pem
$DefaultNetstreamDriverKeyFile  /path/to/server-key.pem

After applying the patch, I used nmap to verify which ciphers are used by an imtcp connection. Using the first rsyslog snippet:

$ nmap --script +ssl-enum-ciphers -p 6514 localhost
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-09 09:41 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000059s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
6514/tcp open  syslog-tls
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

@Cropi Cropi requested a review from alorbach February 9, 2024 14:45
@Cropi
ossl netstream driver: allow ephemeral Diffie-Hellman key exchange
953903f 
Use well known DH parameters that have built-in support in OpenSSL.
From the man page: If "auto" DH parameters are switched on then
the parameters will be selected to be consistent with the size of
the key associated with the server's certificate.  If there is no
certificate (e.g. for PSK ciphersuites), then it it will be
consistent with the size of the negotiated symmetric cipher key.
@Cropi
Copy link
Collaborator Author

Cropi commented Mar 25, 2024

Hello @alorbach and @rgerhards,

Would it be possible to review the PR? Is it going to be part of the project in the future? I would appreciate it. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alorbach alorbach Awaiting requested review from alorbach

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@Cropi