Page MenuHomePhabricator
Create Task
Maniphest T351788

Use standard tls version and ciphers for rsyslog
Open, Needs TriagePublic
Actions

Description

As per @Vgutierrez in https://phabricator.wikimedia.org/T351710#9349895

Related Objects

Event Timeline

fgiunchedi created this task.Nov 22 2023, 8:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 22 2023, 8:25 AM
fgiunchedi mentioned this in T351710: ossl rsyslog errors post-migration.Nov 22 2023, 8:25 AM
Vgutierrez added a comment.EditedNov 22 2023, 9:17 AM

Basically we should be using >=TLSv1.2, P-256 as the preferred curve and the following ciphersuites:

'TLS_AES_256_GCM_SHA384',
'TLS_AES_128_GCM_SHA256',
'TLS_CHACHA20_POLY1305_SHA256'
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-CHACHA20-POLY1305',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-CHACHA20-POLY1305',

Given that we are talking about server<-->server traffic and AFAIK we got AES-NI available in the whole fleet the AES ciphersuites should be a tad faster than the CHACHA20 ones (already ordered taking this into account). ciphersuites starting with TLS_ are TLSv1.3 ones

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL