factory-default: Enforce TLSv1.2 and ECDHE-RSA-AES256-GCM-SHA384

2 files changed, 6 insertions, 2 deletions

diff --git a/factory-default/app-admin/syslog-ng-3.17.1/etc/syslog-ng/conf.d/0001-send-via-syslog.conf b/factory-default/app-admin/syslog-ng-3.17.1/etc/syslog-ng/conf.d/0001-send-via-syslog.conf
index 003145d6..69ee5484 100644
--- a/factory-default/app-admin/syslog-ng-3.17.1/etc/syslog-ng/conf.d/0001-send-via-syslog.conf
+++ b/factory-default/app-admin/syslog-ng-3.17.1/etc/syslog-ng/conf.d/0001-send-via-syslog.conf
@@ -3,7 +3,9 @@ destination d_log.pants-on.net {
          transport(tls)
          tls(ca_dir("/etc/ssl/certs")
              peer_verify(required-trusted)
-             cipher-suite(AES256-GCM-SHA384)
+             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
+             ecdh-curve-list("prime256v1:secp384r1")
+             cipher-suite("ECDHE-RSA-AES256-GCM-SHA384")
             )
         );
 };
diff --git a/factory-default/app-admin/syslog-ng/etc/syslog-ng/conf.d/0001-send-via-syslog.conf b/factory-default/app-admin/syslog-ng/etc/syslog-ng/conf.d/0001-send-via-syslog.conf
index 003145d6..69ee5484 100644
--- a/factory-default/app-admin/syslog-ng/etc/syslog-ng/conf.d/0001-send-via-syslog.conf
+++ b/factory-default/app-admin/syslog-ng/etc/syslog-ng/conf.d/0001-send-via-syslog.conf
@@ -3,7 +3,9 @@ destination d_log.pants-on.net {
          transport(tls)
          tls(ca_dir("/etc/ssl/certs")
              peer_verify(required-trusted)
-             cipher-suite(AES256-GCM-SHA384)
+             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
+             ecdh-curve-list("prime256v1:secp384r1")
+             cipher-suite("ECDHE-RSA-AES256-GCM-SHA384")
             )
         );
 };