Comments (6)
Sorry to let this sit for so long. I don't see a reason why we wouldn't just go to at least 1.2 at this point.
That change only affects the zeek-to-zeek (binary) connections. I'll look into the WS part.
@timwoj, @ckreibich: do you guys see a reason to make this configurable or can we simply put TLS 1.2 as the minimum (for both native and WebSocket)?
Hmmm... The above change didn't actually stop TLS 1.0 or 1.1 connections. Below is a simplified test (note that ZeekPort is set to 7760 in zeekctl.cfg).
#!/bin/bash
# Pin each protocol version in turn. stdin is closed so s_client does not wait
# for input; the status printed is grep's (1 when no "Protocol" line appeared,
# i.e. the handshake did not complete).
for PROTO in tls1 tls1_1 tls1_2 tls1_3 ; do
  echo "Testing $PROTO"
  openssl s_client -connect 0.0.0.0:7761 -$PROTO </dev/null 2>/dev/null | grep Protocol
  echo "Result $?"
done
The output shows that TLS 1.0 and 1.1 connections are valid, even with the above code change to broker.
Testing tls1
Protocol : TLSv1
Result 0
Testing tls1_1
Protocol : TLSv1.1
Result 0
Testing tls1_2
Protocol : TLSv1.2
Result 0
Testing tls1_3
Result 1
@MMChrisHinshaw your patch actually should affect both binary and WebSocket connections.
This is the output for me locally:
$ bash test.bash
Testing tls1
Result 1
Testing tls1_1
Result 1
Testing tls1_2
Protocol : TLSv1.2
Result 0
Testing tls1_3
Result 1
However, it doesn't matter whether I apply your patch or not. Looks like my OpenSSL version rejects older protocols by default. What system did you test on?
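Added example, not code from this thread or from Broker: a variant of the probe script above that keeps s_client's stderr, so a handshake that fails because the client's own OpenSSL refuses to offer TLS 1.0/1.1 (the case described in the comment above) is reported as inconclusive instead of being read as the server rejecting it. It assumes openssl in PATH, takes the target from the environment variables TLS_PROBE_HOST and TLS_PROBE_PORT (names chosen here), and matches OpenSSL's "no protocols available" error and s_client's "Unknown option" message as the signals that the client side could not offer the version (both assumed, not taken from the thread).

```shell
#!/bin/bash
# Added example (not from the Broker thread). Probes a TLS listener with each
# protocol version pinned and evaluates a "TLS 1.2 minimum" policy, keeping
# client-side refusals apart from server-side rejections.

# Map an s_client protocol flag to the version string s_client prints.
flag_to_version() {
    case "$1" in
        tls1)   echo "TLSv1" ;;
        tls1_1) echo "TLSv1.1" ;;
        tls1_2) echo "TLSv1.2" ;;
        tls1_3) echo "TLSv1.3" ;;
        *)      echo "unknown"; return 1 ;;
    esac
}

# Classify the combined stdout+stderr of one s_client run:
#   accepted     the server negotiated exactly the requested version
#   rejected     the handshake failed (server refused it, or no listener)
#   unavailable  this openssl build or its policy cannot offer the version,
#                so the run says nothing about the server (assumed strings:
#                "no protocols available", "Unknown option")
classify_probe() {
    local flag=$1 out=$2 want got
    want=$(flag_to_version "$flag") || { echo unavailable; return; }
    case "$out" in
        *"no protocols available"*|*"Unknown option"*|*"unknown option"*)
            echo unavailable; return ;;
    esac
    got=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ "$got" = "$want" ]; then
        echo accepted
    else
        echo rejected
    fi
}

# Run one probe against HOST:PORT (stdin closed so s_client does not block).
probe_one() {
    local host=$1 port=$2 flag=$3 out
    out=$(openssl s_client -connect "$host:$port" -"$flag" </dev/null 2>&1 || true)
    classify_probe "$flag" "$out"
}

# Decide whether "TLS 1.2 minimum" holds, given "flag=result" words.
# Prints PASS, FAIL, or INCONCLUSIVE.
evaluate_min_tls12() {
    local verdict=PASS entry flag result
    for entry in "$@"; do
        flag=${entry%%=*}; result=${entry#*=}
        case "$flag:$result" in
            tls1:accepted|tls1_1:accepted)       echo FAIL; return ;;
            tls1:unavailable|tls1_1:unavailable) verdict=INCONCLUSIVE ;;
            # Nothing at 1.2 either: probably not a live TLS 1.2+ listener.
            tls1_2:rejected|tls1_2:unavailable)  verdict=INCONCLUSIVE ;;
        esac
    done
    echo "$verdict"
}

# Probe all four versions and print the per-version result plus the verdict.
probe_all() {
    local host=$1 port=$2 flag r results=""
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        r=$(probe_one "$host" "$port" "$flag")
        echo "$flag: $r"
        results="$results $flag=$r"
    done
    evaluate_min_tls12 $results   # unquoted on purpose: one word per probe
}

# Usage: TLS_PROBE_HOST=127.0.0.1 TLS_PROBE_PORT=7761 bash tls_probe.sh
if [ -n "${TLS_PROBE_HOST:-}" ]; then
    probe_all "$TLS_PROBE_HOST" "${TLS_PROBE_PORT:-7761}"
fi
```

An INCONCLUSIVE verdict is the signal to test from a client whose OpenSSL still offers TLS 1.0/1.1, otherwise a pass only reflects the client's policy, which is exactly the ambiguity in the two outputs above.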
I want to say this was RHEL8, but am not 100% on that.
What I'm also unsure of is whether the system minimum was set to 1.2.
In either case, it would be great to have a config option in Zeek to be able to control this.
I've merged the PR, so TLS 1.2 should be enforced as minimum going forward. However, I could not verify this. The CentOS 8 docker image seems to be dead/EOL, so I couldn't use that for validation. CentOS Stream 9 and other distros I've tried all set the OpenSSL minimum to 1.2 at the system level, so the patch didn't make a difference.