This allows setting which TLS versions are usable by syslogd. Some
environments require that TLSv1.0 is disabled. Manual wording stolen from
ftp(1). any comments? ok?
Index: syslogd.8
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.60
diff -u -p -r1.60 syslogd.8
--- syslogd.8 27 Sep 2018 08:33:25 -0000 1.60
+++ syslogd.8 9 Oct 2021 20:27:37 -0000
@@ -51,6 +51,7 @@
.Op Fl S Ar listen_address
.Op Fl s Ar reporting_socket
.Op Fl T Ar listen_address
+.Op Fl t Ar tls_protocols
.Op Fl U Ar bind_address
.Ek
.Sh DESCRIPTION
@@ -155,6 +156,12 @@ There is no well-known port for syslog o
must be specified using the
.Ar host : Ns Ar port
syntax.
+.It Fl t Ar tls_protocols
+Specify the TLS protocols that will be supported by
+.Nm
+(see
+.Xr tls_config_parse_protocols 3
+for details).
.It Fl U Ar bind_address
Create a UDP socket for receiving messages and bind it to the
specified address.
Index: syslogd.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.270
diff -u -p -r1.270 syslogd.c
--- syslogd.c 19 Sep 2021 10:17:36 -0000 1.270
+++ syslogd.c 9 Oct 2021 20:27:37 -0000
@@ -373,6 +373,7 @@ main(int argc, char *argv[])
char **path_unix, *path_ctlsock;
char **bind_host, **bind_port, **listen_host, **listen_port;
char *tls_hostport, **tls_host, **tls_port;
+ uint32_t tls_protocols = TLS_PROTOCOLS_ALL;
/* block signal until handler is set up */
sigemptyset(&sigmask);
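Review bot: The initialiser `uint32_t tls_protocols = TLS_PROTOCOLS_ALL;` preserves the pre-patch protocol set, which by the commit message's own motivation presumably still includes TLSv1.0, so an operator who does not pass `-t` sees no change; that is a sensible compatibility default, but nothing on the page states it. The new `.It Fl t Ar tls_protocols` entry in syslogd.8 (first hunk) should say what applies when the option is absent, for example `The default is all protocols supported by libtls.`, so that operators who need TLSv1.0 disabled know they must pass `-t` explicitly. A short comment on the declaration, `/* protocol mask for both client and server TLS configs; overridden by -t */`, would also help, since the variable is consumed about 300 lines later. main() starts and ends outside the hunk.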
@@ -392,7 +393,7 @@ main(int argc, char *argv[])
nbind = nlisten = ntls = 0;
while ((ch = getopt(argc, argv,
- "46a:C:c:dFf:hK:k:m:nP:p:rS:s:T:U:uVZ")) != -1) {
+ "46a:C:c:dFf:hK:k:m:nP:p:rS:s:T:t:U:uVZ")) != -1) {
switch (ch) {
case '4': /* disable IPv6 */
Family = PF_INET;
@@ -463,6 +464,11 @@ main(int argc, char *argv[])
address_alloc("listen", optarg, &listen_host,
&listen_port, &nlisten);
break;
+ case 't': /* specify protocols for TLS */
+ if (tls_config_parse_protocols(&tls_protocols, optarg)
+ != 0)
+ errx(1, "failed to parse TLS protocols");
+ break;
case 'U': /* allow udp only from address */
address_alloc("bind", optarg, &bind_host, &bind_port,
&nbind);
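Review bot: The failure path `errx(1, "failed to parse TLS protocols");` does not echo the rejected argument, so an operator with a typo in a long `-t` list (for example one bad token among several) gets no hint of what was refused. As far as I recall `tls_config_parse_protocols` only returns -1 and offers no error string, so the argument itself is the only diagnostic available: `errx(1, "failed to parse TLS protocols: %s", optarg);`. Note also that a repeated `-t` simply overwrites the mask, so the last occurrence wins; that is consistent with how getopt options usually behave here but could be mentioned in the manual. main() starts and ends outside the hunk.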
@@ -645,7 +651,7 @@ main(int argc, char *argv[])
log_warnx("options -c and -k must be used together");
}
if (tls_config_set_protocols(client_config,
- TLS_PROTOCOLS_ALL) != 0)
+ tls_protocols) != 0)
log_warnx("set client TLS protocols: %s",
tls_config_error(client_config));
if (tls_config_set_ciphers(client_config, "all") != 0)
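Review bot: The call `tls_config_set_protocols(client_config, tls_protocols)` still only emits `log_warnx` on failure and the daemon keeps running with whatever protocol set the config held before, so an explicit `-t` restriction (the commit's stated purpose, disabling TLSv1.0) would be silently dropped on that path; the same applies to the server_config hunk below. In current libtls this setter only stores the mask and, as far as I know, cannot fail, so the practical risk is low, but now that the mask carries an operator's explicit intent it would be more consistent with the fatal `errx(1, ...)` in the `-t` case to treat a failure here as fatal as well, e.g. `errx(1, "set client TLS protocols: %s", tls_config_error(client_config));`. This is pre-existing behaviour rather than something the patch introduces. main() starts and ends outside the hunk.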
@@ -695,7 +701,7 @@ main(int argc, char *argv[])
tls_config_verify_client(server_config);
}
if (tls_config_set_protocols(server_config,
- TLS_PROTOCOLS_ALL) != 0)
+ tls_protocols) != 0)
log_warnx("set server TLS protocols: %s",
tls_config_error(server_config));
if (tls_config_set_ciphers(server_config, "compat") != 0)