How to configure syslog_drain_binder with custom cipher suites
petergtz opened this issue · comments
- I found a bug - here are some steps to recreate it.
- I have an idea for a new feature - please document as "As a user, I would like to..."
- I am having trouble getting setup, understanding documentation, or using Loggregator in some way - please highlight any resources you are using.
- This is an architecture change that will result in cleaner, more efficient code - Tell us why you think this is a good idea.
Hi,
given that commit cloudfoundry/loggregator@371b5f0 removed the possibility to configure custom cipher suites for the syslog_drain_binder, what is the recommended way to do this now?
Thanks,
Peter
/cc @smoser-ibm
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/150479955
The labels on this github issue will be updated when the story is started.
You should not need to configure cipher suites for syslog_drain_binder. The syslog_drain_binder is a client to both etcd and cloud controller. It accepts whatever cipher suites those servers negotiate. We removed this property since we want clients to be permissive.
Do you have a use case for syslog_drain_binder to need configurable cipher suites?
@jasonkeene We have clients that use Nagios Log Server via syslog-tls. That setup broke with an update to CF 253. To fix it, it was enough to change the cipher suite on the Nagios Log Server to contain
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
But this is not always possible, e.g. when the service is not self-hosted.
So please correct me if I'm wrong, but it looks like the cipher suite is hard coded on CF side.
You might be running a version of Doppler that enforces cipher suites when talking via TLS to syslog drains. If so, that was a bug. I'm fairly sure it is not in the product anymore. I will double check though.
I just double checked and the way we create TLS config for syslog writers is via plumbing.NewTLSConfig here: https://github.com/cloudfoundry/loggregator/blob/0910f42b98b306a6a568347c3da9a242b2bc9081/src/code.cloudfoundry.org/loggregator/plumbing/tls.go#L21-L26. It used to set CipherSuites but no longer does.
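As an added illustration (not Loggregator's own code), a Go client TLS config built the way the comment above describes: CipherSuites stays nil so the client negotiates whatever the server offers, and an optional pinned list is first checked against what crypto/tls actually implements. The list is the one from the Nagios comment; the check shows a Go client could only ever negotiate the two ECDHE suites from it, since crypto/tls has no DHE_RSA suites. Function names and the `MinVersion` choice are assumptions for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// NagiosSuites is the server-side list the reporter said fixed the Nagios Log Server.
var NagiosSuites = []string{
	"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// ResolveSuites splits IANA suite names into IDs Go's crypto/tls can negotiate
// and names it has no implementation for (Go ships no DHE_RSA suites at all).
func ResolveSuites(names []string) (ids []uint16, unsupported []string) {
	known := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs.ID
	}
	for _, n := range names {
		if id, ok := known[n]; ok {
			ids = append(ids, id)
		} else {
			unsupported = append(unsupported, n)
		}
	}
	return ids, unsupported
}

// NewClientTLSConfig keeps CipherSuites nil (Go then negotiates from its own
// defaults, the thread's "permissive client") unless a pinned list is given.
// A pinned list is rejected up front if Go cannot offer every name in it, so a
// bad list fails at startup rather than as a handshake failure per drain.
func NewClientTLSConfig(pinned []string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(pinned) == 0 {
		return cfg, nil
	}
	ids, unsupported := ResolveSuites(pinned)
	if len(unsupported) > 0 {
		return nil, fmt.Errorf("suites not implemented by crypto/tls: %v", unsupported)
	}
	cfg.CipherSuites = ids
	return cfg, nil
}

func main() { fmt.Println(ResolveSuites(NagiosSuites)) }
```

Note that Go ignores CipherSuites for TLS 1.3 entirely, so pinning only affects TLS 1.2 handshakes.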
@jasonkeene Excellent! Thanks for your help.