Request to add additional cipher support for TLS1.2 #20967

Open
luk-kaminski opened this issue Nov 15, 2024 · 3 comments
@luk-kaminski
Contributor

luk-kaminski commented Nov 15, 2024

The following should be included in your Feature Request submission into GitHub. Be sure to set the GitHub label to "feature":

What?

To allow Graylog to use one or more of the following cipher suites with TLS 1.2:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

Graylog is unable to connect to their LDAP servers with only TLSv1.2 enabled because neither server is using the same cipher suites.

List of TLS cipher suites the Graylog client can attempt:

TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

If we look at the nmap scan against the Active Directory server, we can see the list of TLS cipher suites it will allow:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

Intended Purpose:
To allow the customer to disable TLSv1.1 and still be able to connect to their Active Directory servers.

Expected Outcome:
To allow the customer to disable TLSv1.1 and still be able to connect to their Active Directory servers.

Why?

Business Impact:
The customer is currently unable to disable TLSv1.1 and believes that their team won't be able to enable any ciphers on their LDAP servers.

Your Environment

Graylog Version: 5.2.9

@GL-Stockman

@luk-kaminski The body of this issue appears to have been pasted from another issue about audit log, and not the cipher request.

@luk-kaminski
Contributor Author

@GL-Stockman - Thanks and sorry!

@drewmiranda-gl
Member

drewmiranda-gl commented Nov 15, 2024

Kay and I talked through and did some troubleshooting:

Resolved by adding the following to the JVM settings:

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dcom.unboundid.util.ssl.TLSCipherSuiteSelector.allowRSAKeyExchange=true"

Adding this DOES require a restart of the graylog-server service.

Before adding this setting, we can see the following in this packet capture of the TLS Client Hello packet originating from the Graylog server:
Image

After adding this:
Image

Note the addition of 2 new cipher suites:

  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
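
The check behind the troubleshooting above, as an added example that is not part of the original issue or of Graylog's code: it parses the cipher_suites field out of a raw TLS ClientHello record and intersects it with the server list from the nmap scan. The two sample hellos are constructed from the suite lists in the issue (their wire order and the minimal hello layout are assumptions); the code points are the IANA values.

```python
import struct

# Suites the AD server accepts per the nmap list in the issue, keyed by IANA code point.
SERVER = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

def offered_suites(record: bytes) -> list[int]:
    """Extract cipher suite code points from one raw TLS ClientHello record."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 22 or record[5] != 1 or len(record) < 5 + rec_len:
            raise ValueError("not a complete ClientHello handshake record")
        pos = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]        # session_id length byte plus session_id
        (cs_len,) = struct.unpack_from("!H", record, pos)
        return list(struct.unpack_from(f"!{cs_len // 2}H", record, pos + 2))
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

def shared(record: bytes) -> list[str]:
    """Names of offered suites the server also accepts, in client order."""
    return [SERVER[c] for c in offered_suites(record) if c in SERVER]

def build_hello(codes: list[int]) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello without extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(codes))
    body += struct.pack(f"!{len(codes)}H", *codes) + b"\x01\x00"  # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Client list from the issue, in the order listed there (wire order is an assumption).
CLIENT = [0x00A2, 0x00A3, 0x009E, 0x009F, 0xCCAA, 0xC02B, 0xC02C, 0xCCA9,
          0xC02F, 0xC030, 0xCCA8, 0x00FF]
BEFORE = build_hello(CLIENT)
AFTER = build_hello(CLIENT + [0x009C, 0x009D])   # the two suites the option added

if __name__ == "__main__":
    print("before:", shared(BEFORE))
    print("after: ", shared(AFTER))
```

An empty result for a captured ClientHello means the handshake cannot complete against that server, which matches the behaviour reported before the JVM option was set.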
