-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | doc/imrelp.html | 10 | ||||
-rw-r--r-- | plugins/imrelp/imrelp.c | 8 |
4 files changed, 22 insertions, 1 deletions
@@ -1,5 +1,8 @@
 ---------------------------------------------------------------------------
 Version 7.5.1 [devel] 2013-06-??
+- imrelp:
+ * new parameter "compression.dhbits" to control the number of
+ bits being used for Diffie-Hellman key generation
 - added experimental TCP stream compression (imptcp only, currently)
 - added BSD-specific syslog facilities
 * "console"
diff --git a/configure.ac b/configure.ac
index 53900b61..56457c05 100644
--- a/configure.ac
+++ b/configure.ac
@@ -999,7 +999,7 @@ AC_ARG_ENABLE(relp,
 [enable_relp=no]
 )
 if test "x$enable_relp" = "xyes"; then
- PKG_CHECK_MODULES(RELP, relp >= 1.1.1)
+ PKG_CHECK_MODULES(RELP, relp >= 1.1.2)
 fi
 AM_CONDITIONAL(ENABLE_RELP, test x$enable_relp = xyes)
diff --git a/doc/imrelp.html b/doc/imrelp.html
index 11894668..80117299 100644
--- a/doc/imrelp.html
+++ b/doc/imrelp.html
@@ -49,6 +49,16 @@ The controls if the TLS stream should be compressed (zipped). While this
 increases CPU use, the network bandwidth should be reduced. Note that
 typical text-based log records usually compress rather well.
 </li>
+<li><b>tls.dhbits</b> (not mandatory, integer)<br>
+This setting controls how many bits are used for Diffie-Hellman key
+generation. If not set, the librelp default is used. For secrity
+reasons, at least 1024 bits should be used. Please note that the number
+of bits must be supported by GnuTLS. If an invalid number is given, rsyslog
+will report an error when the listener is started. We do this to be transparent
+to changes/upgrades in GnuTLS (to check at config processing time, we would need
+to hardcode the supported bits and keep them in sync with GnuTLS - this is
+even impossible when custom GnuTLS changes are made...).
+</li>
 </ul>
 <b>Caveats/Known Bugs:</b>
 <ul>
diff --git a/plugins/imrelp/imrelp.c b/plugins/imrelp/imrelp.c
index 7fa98617..100574b1 100644
--- a/plugins/imrelp/imrelp.c
+++ b/plugins/imrelp/imrelp.c
@@ -76,6 +76,7 @@ struct instanceConf_s {
 uchar *pszBindPort; /* port to bind to */
 sbool bEnableTLS;
 sbool bEnableTLSZip;
+ int dhBits;
 struct instanceConf_s *next;
 };
@@ -104,6 +105,7 @@ static struct cnfparamblk modpblk =
 static struct cnfparamdescr inppdescr[] = {
 { "port", eCmdHdlrString, CNFPARAM_REQUIRED },
 { "tls", eCmdHdlrBinary, 0 },
+ { "tls.dhbits", eCmdHdlrInt, 0 },
 { "tls.compression", eCmdHdlrBinary, 0 }
 };
 static struct cnfparamblk inppblk =
@@ -171,6 +173,7 @@ createInstance(instanceConf_t **pinst)
 inst->pszBindPort = NULL;
 inst->bEnableTLS = 0;
 inst->bEnableTLSZip = 0;
+ inst->dhBits = 0;
 /* node created, let's add to config */
 if(loadModConf->tail == NULL) {
@@ -240,6 +243,9 @@ addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst)
 if(inst->bEnableTLSZip) {
 relpSrvEnableTLSZip(pSrv);
 }
+ if(inst->dhBits) {
+ relpSrvSetDHBits(pSrv, inst->dhBits);
+ }
 }
 CHKiRet(relpEngineListnerConstructFinalize(pRelpEngine, pSrv));
@@ -276,6 +282,8 @@ CODESTARTnewInpInst
 inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 } else if(!strcmp(inppblk.descr[i].name, "tls")) {
 inst->bEnableTLS = (unsigned) pvals[i].val.d.n;
+ } else if(!strcmp(inppblk.descr[i].name, "tls.dhbits")) {
+ inst->dhBits = (unsigned) pvals[i].val.d.n;
 } else if(!strcmp(inppblk.descr[i].name, "tls.compression")) {
 inst->bEnableTLSZip = (unsigned) pvals[i].val.d.n;
 } else {
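Review bot: In the newInpInst hunk, `inst->dhBits = (unsigned) pvals[i].val.d.n;` casts the configured value to unsigned and then stores it into the `int dhBits` field, so a negative config value comes back out negative, passes the `if(inst->dhBits)` guard in addListner and is handed to librelp, whereas only 0 is meant to select the librelp default; store it as `inst->dhBits = (int) pvals[i].val.d.n;` and reject values below 1 with a configuration error at parse time instead of relying on the library to notice. In the addListner hunk the result of `relpSrvSetDHBits(pSrv, inst->dhBits)` is discarded; if it returns a relpRetVal like the other librelp calls in this function, `CHKiRet(relpSrvSetDHBits(pSrv, inst->dhBits));` keeps a rejected bit count from being silently ignored, which the "error when the listener is started" behaviour promised in the doc change depends on. The ChangeLog entry in this commit names the parameter "compression.dhbits" while the descriptor table and the doc page register "tls.dhbits", so one of them is wrong. addListner and newInpInst both start and end outside their hunks.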