cloudfoundry / loggregator-release

Cloud Native Logging


How to configure syslog_drain_binder with custom cipher suites

petergtz opened this issue · comments

  • I found a bug - here are some steps to recreate it.
  • I have an idea for a new feature - please document as "As a user, I would
    like to..."
  • I am having trouble getting setup, understanding documentation, or using
    Loggregator in some way - please highlight any resources you are using.
  • This is an architecture change that will result in cleaner more efficient
    code - Tell us why you think this is a good idea.

Hi,

given that commit cloudfoundry/loggregator@371b5f0 removed the possibility to configure custom cipher suites for the syslog_drain_binder, what is the recommended way to do this now?

Thanks,
Peter

/cc @smoser-ibm

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/150479955

The labels on this github issue will be updated when the story is started.

You should not need to configure cipher suites for syslog_drain_binder. The syslog_drain_binder is a client to both etcd and cloud controller. It accepts whatever cipher suites those servers negotiate. We removed this property since we want clients to be permissive.

Do you have a use case for syslog_drain_binder to need configurable cipher suites?

@jasonkeene We have clients that use Nagios Log Server via syslog-tls. That setup broke with an update to CF 253. To fix it, it was enough to change the cipher suite on the Nagios Log Server to contain

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

But this is not always possible, e.g. when the service is not self-hosted.

So please correct me if I'm wrong, but it looks like the cipher suite is hard coded on CF side.

You might be running a version of Doppler that enforces cipher suites when talking via TLS to syslog drains. If so, that was a bug. I'm fairly sure it is not in the product anymore. I will double check though.

I just double checked, and the way we create the TLS config for syslog writers is via plumbing.NewTLSConfig here: https://github.com/cloudfoundry/loggregator/blob/0910f42b98b306a6a568347c3da9a242b2bc9081/src/code.cloudfoundry.org/loggregator/plumbing/tls.go#L21-L26. It used to set CipherSuites but no longer does.
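The point made in the comment above (a client whose tls.Config leaves CipherSuites unset accepts whatever suite the drain negotiates, while a client pinned to a fixed list fails against a drain outside that list) is shown below as an added Go example; it is not code from loggregator or from anyone in this thread. It runs a TLS 1.2 handshake over an in-memory pipe against a constructed drain whose only suite is ChaCha20; the hostname drain.example and the lists DrainChaChaOnly and PinnedClient are placeholders, and PinnedClient holds only the two ECDHE entries of the four suites Peter listed because Go's crypto/tls has never implemented the DHE_RSA suites.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// handshake runs one TLS 1.2 handshake over an in-memory pipe: the client offers
// clientSuites (nil = Go's defaults, i.e. permissive), the constructed drain only serverSuites.
func handshake(clientSuites, serverSuites []uint16) (uint16, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway drain key; errors ignored for brevity
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"drain.example"}, // placeholder drain hostname
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(parsed) // trust the self-signed cert explicitly, not via InsecureSkipVerify
	cp, sp := net.Pipe()
	defer cp.Close() // closing the client end also unblocks the server goroutine
	srv := tls.Server(sp, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		CipherSuites: serverSuites,
	})
	go srv.Handshake()
	cli := tls.Client(cp, &tls.Config{
		ServerName:   "drain.example",
		RootCAs:      roots,
		CipherSuites: clientSuites,
		MaxVersion:   tls.VersionTLS12, // a CipherSuites list only applies up to TLS 1.2
	})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, nil
}

// DrainChaChaOnly: a drain whose only suite is outside the thread's four-suite list.
// PinnedClient: a client limited to that list (Go implements only its two ECDHE entries).
var (
	DrainChaChaOnly = []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305}
	PinnedClient    = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
)
```

handshake(nil, DrainChaChaOnly) succeeds with ChaCha20, while handshake(PinnedClient, DrainChaChaOnly) returns a handshake failure, which is the breakage the thread describes when the drain's suites are not under your control.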

@jasonkeene Excellent! Thanks for your help.