
We have an existing rsyslog set up using TLS 1.2. We want to upgrade to TLS1.3 ONLY. I've read the other questions here, but when I set everything up, I get no logs.

The result of "openssl ciphers -v | awk '{print $2}' | sort -u" is:

SSLv3
TLSv1
TLSv1.2
TLSv1.3

In /etc/ssh/openssl.cnf I tried adding both MinProtocol = TLSv1.3 and MaxProtocol = TLSv1.3.

My rsyslogd -v is: rsyslogd 8.1901.0 (aka 2019.01) compiled with:

PLATFORM:               x86_64-pc-linux-gnu
    PLATFORM (lsb_release -d):      
    FEATURE_REGEXP:             Yes
    GSSAPI Kerberos 5 support:      Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    memory allocator:           system default
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
    systemd support:            Yes
    Number of Bits in RainerScript integers: 64

On the server side, my logserver.conf in /etc/rsyslog.d is:

$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/rsyslogServer-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/rsyslogServer-key.pem

module(load="imtcp"
        StreamDriver.mode="1"
        StreamDriver.authmode="anon"
        gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3"
)

Does anyone have any ideas about how I can force TLS 1.3 only on my system?

1 Answer


I finally got TLS1.3 to work. For CentOS 7, to use gnutls, install rsyslog-8.29.0-3 and rsyslog-gnutls-8.29.0-3.

Then in my rsyslog.d/tls1.3.conf file I put:

module(load="imtcp"
   StreamDriver.Mode="1"
   StreamDriver.authmode="x509/name"          # we use certs
   gnutlsPriorityString="SECURE128:-VERS-TLS-All:+VERS-TLS1.3"
)

I tried later versions of rsyslog, but they did not work.

Get the rsyslog rpms from: rsyslog rpms

Hope that helps.

kathyl
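Both the question's configuration and the answer's working one aim at the same property: the imtcp listener must negotiate TLS 1.3 and refuse TLS 1.2. The script below is an added example (not part of this thread, and not an rsyslog or GnuTLS tool) that checks that property from the outside by pinning a Python ssl client to exactly one protocol version per handshake. The host 127.0.0.1, port 6514 and the optional CA file path are assumptions; replace them with the values from your own logserver.conf.

```python
"""Probe a TLS listener (e.g. rsyslog imtcp on 6514/tcp) to confirm which
TLS versions it actually negotiates. Added example; host/port/CA path are
placeholders, not values taken from the thread."""
import socket
import ssl
import sys

# Versions worth probing for the "TLS 1.3 only" policy discussed above.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, version, ca_file=None, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns "ok" when the handshake completes, "rejected" when the server
    refuses that version (TLS alert / handshake failure) and "unreachable"
    when no TCP connection could be made at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if ca_file:
        # Matches a server running StreamDriver.authmode="x509/name":
        # the CA that signed rsyslogServer-cert.pem must be trusted here.
        ctx.load_verify_locations(ca_file)
    else:
        # Matches authmode="anon": we are only testing the version policy,
        # so skip certificate validation for this probe (assumption).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "unreachable"


def policy_verdict(results):
    """Turn {"TLSv1.2": status, "TLSv1.3": status} into a one-line verdict."""
    if results.get("TLSv1.3") != "ok":
        return "tls1.3 not negotiable: check gnutlsPriorityString and the GnuTLS build"
    if results.get("TLSv1.2") == "ok":
        return "tls1.2 still accepted: the -VERS-TLS-ALL:+VERS-TLS1.3 policy is not in effect"
    return "tls1.3 only"


def audit(host, port, ca_file=None):
    """Probe every version in VERSIONS and collect the per-version status."""
    return {name: probe(host, port, ver, ca_file) for name, ver in VERSIONS.items()}


if __name__ == "__main__":
    # Usage: python tls13_probe.py [host] [port] [ca.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6514     # assumption
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    results = audit(host, port, ca)
    for name, status in results.items():
        print(f"{name}: {status}")
    print(policy_verdict(results))
```

Run it against the log server after reloading rsyslog: the expected output for the configuration in the answer is TLSv1.2 rejected, TLSv1.3 ok, verdict "tls1.3 only". A "tls1.3 not negotiable" verdict with the correct priority string usually means the rsyslog-gnutls build on the server does not support TLS 1.3 at all, which is the situation the answer resolved by changing package versions.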