Summary
On Friday, June 12, 2015, Papertrail will remove support for the outdated
security protocol SSL 3.0, which was released in 1996 and has since been
superseded by TLS.
TLS is automatically used by nearly all modern loggers that can send
encrypted log messages, so for the vast majority of customers this
change will have no impact. However, there are exceptions to this which
are explained in the next section.
In addition to this blog post, next week, we’ll directly email all
customers who we believe will or are likely to be affected.
Update: On May 29, 2015, the SSL 3.0 retirement date was changed from
June 5 to June 12.
What action do I need to take?
For clear text logging (which includes all UDP logging and some TCP
logging), no changes are necessary.
For those sending log messages in an encrypted form using nxlog, an
upgrade to 2.9.1347 will be needed. Other loggers may also be
affected, but at this time we aren’t aware of any. Next week,
we’ll directly email all customers who we believe will or may be
affected, and will work with anyone that needs help upgrading or
switching to an alternative logger that supports at least TLS 1.0.
If you’re concerned that you may be impacted, won’t be able to upgrade
affected senders by June 12 (originally June 5; see the update above), or
have other questions, please email us.
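One way to check whether a particular sender will be affected, added here as an example (it is not code from Papertrail or from nxlog): capture the first packet the logger sends when it opens its encrypted connection and look at the version it offers in its ClientHello. A sender whose highest offered version is SSL 3.0 will be refused once the endpoint stops negotiating it. The parser below reads the SSL/TLS record and handshake headers; the records it runs on are constructed inside the block rather than taken from a real capture, and the alert shown is one typical form of a refused handshake, not a reply the post documents.

```python
import struct

# Constants from the SSL 3.0 (RFC 6101) and TLS (RFC 2246/5246) record and handshake layers.
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def parse_record(rec):
    """Parse the first record of a captured SSL/TLS stream.

    Returns the content type, the record-layer version and, for a ClientHello or
    ServerHello, the version carried inside the handshake body (the one that
    matters: a client offers its highest supported version there and the server
    answers with the version it chose). Alerts are decoded so a refused
    handshake is visible too.
    """
    if len(rec) < 5:
        raise ValueError("truncated record header")
    ctype, rver, length = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    info = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "record_version": VERSIONS.get(rver, "unknown(0x%04x)" % rver)}
    if ctype == 0x16 and len(body) >= 6:
        htype = body[0]                      # 1-byte handshake type, 3-byte length follow
        info["handshake_type"] = HANDSHAKE_TYPES.get(htype, "other(%d)" % htype)
        if htype in (1, 2):                  # hello messages start with the version
            hver = struct.unpack("!H", body[4:6])[0]
            info["hello_version"] = VERSIONS.get(hver, "unknown(0x%04x)" % hver)
    elif ctype == 0x15 and len(body) >= 2:
        info["alert_level"] = {1: "warning", 2: "fatal"}.get(body[0], "unknown")
        info["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "other(%d)" % body[1])
    return info


def needs_upgrade(rec):
    """True when a ClientHello offers SSL 3.0 as its highest version: that sender
    will be refused once the endpoint no longer accepts SSL 3.0."""
    info = parse_record(rec)
    return (info.get("handshake_type") == "client_hello"
            and info.get("hello_version") == "SSL 3.0")


# --- constructed sample records (assumed shapes, not real captures) -----------

def build_client_hello(version, cipher_suites=(0x002F, 0x0035)):
    """Minimal ClientHello: version, 32-byte random, empty session id, suites, null compression."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs


def build_server_hello(version, cipher_suite=0x002F):
    """Minimal ServerHello: chosen version, random, empty session id, one suite, null compression."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs


# Fatal handshake_failure alert: one typical reply an SSL 3.0-only client receives
# from an endpoint that no longer negotiates SSL 3.0.
HANDSHAKE_FAILURE_ALERT = struct.pack("!BHH", 0x15, 0x0301, 2) + b"\x02\x28"

SAMPLES = {
    "old nxlog sender": build_client_hello(0x0300),
    "modern sender": build_client_hello(0x0303),
    "endpoint reply": build_server_hello(0x0301),
    "refused handshake": HANDSHAKE_FAILURE_ALERT,
}


def report(samples=SAMPLES):
    """Summarise each record and flag senders that must be upgraded."""
    lines = []
    for name, rec in samples.items():
        flag = "  <-- upgrade before SSL 3.0 is retired" if needs_upgrade(rec) else ""
        lines.append("%-20s %s%s" % (name, parse_record(rec), flag))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Feed `parse_record` the first bytes of the TCP payload your logger sends (exported from tcpdump or Wireshark); a hello_version of "SSL 3.0" in the ClientHello means that sender has to be upgraded or replaced before the retirement date.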
Why is this happening now?
On October 14, 2014, the POODLE vulnerability (Padding Oracle On Downgraded
Legacy Encryption) was publicly disclosed. It showed how a man-in-the-middle
attacker who can make a client re-send the same data many times can recover
plaintext, one byte at a time, from a connection protected by SSL 3.0. The
attack works because SSL 3.0's CBC padding is not covered by the MAC and the
specification leaves every padding byte except the length byte arbitrary, so a
receiver has nothing to check them against. The flaw is in the protocol itself
and cannot be fixed by a server-side patch. As a result, most vendors released
updates that disabled SSL 3.0 entirely.
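A small Python model of the flaw, added here as an illustration (it is example code written for this page, not code from Papertrail or nxlog). A toy Feistel cipher stands in for the real block cipher, HMAC-SHA256 for SSL 3.0's MAC, and each record gets a fresh random IV where SSL 3.0 chains the previous ciphertext block; none of that changes the oracle. The receiver sees the victim's record with its final, all-padding block replaced by the block the attacker wants to read and accepts it only when the length byte happens to decrypt to 15, which leaks one plaintext byte per roughly 256 tries. The TLS 1.0 receiver, which requires every padding byte to equal the length, rejects the same substitution. The key material, the sample log line and the attempt budget are assumptions.

```python
import hashlib
import hmac
import random

BLOCK = 16      # cipher block size in bytes
MAC_LEN = 32    # HMAC-SHA256 stands in for SSL 3.0's MAC (assumption)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, half, rnd):
    # Keyed SHA-256 truncated to a half block: round function of the toy cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block, rounds=6):
    """Toy 16-byte Feistel cipher standing in for the real block cipher (AES, 3DES)."""
    l, r = block[:8], block[8:]
    for rnd in range(rounds):
        l, r = r, _xor(l, _round_fn(key, r, rnd))
    return l + r

def block_decrypt(key, block, rounds=6):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(rounds)):
        l, r = _xor(r, _round_fn(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def ssl3_seal(enc_key, mac_key, iv, payload, rng):
    """SSL 3.0-style record: payload || MAC || padding. The MAC does not cover the
    padding, and RFC 6101 leaves every padding byte except the last (the length)
    arbitrary, so a receiver cannot verify them."""
    data = payload + hmac.new(mac_key, payload, hashlib.sha256).digest()
    pad_len = BLOCK - 1 - len(data) % BLOCK      # a whole block when len(data) % 16 == 0
    pad = bytes(rng.getrandbits(8) for _ in range(pad_len)) + bytes([pad_len])
    return cbc_encrypt(enc_key, iv, data + pad)

def _open(enc_key, mac_key, iv, ct, strict_padding):
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return False
    if strict_padding and any(b != pad_len for b in pt[-(pad_len + 1):]):
        return False   # TLS 1.0 (RFC 2246): every padding byte must equal the length byte
    data = pt[:len(pt) - pad_len - 1]
    expected = hmac.new(mac_key, data[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(data[-MAC_LEN:], expected)

def ssl3_open(enc_key, mac_key, iv, ct):
    """SSL 3.0 receiver: trusts the length byte, ignores the other padding bytes, checks the MAC."""
    return _open(enc_key, mac_key, iv, ct, strict_padding=False)

def tls10_open(enc_key, mac_key, iv, ct):
    """TLS 1.0 receiver: also requires well-formed padding, which a substituted block fails."""
    return _open(enc_key, mac_key, iv, ct, strict_padding=True)

# Constructed secret the victim keeps re-sending; sized so payload + MAC fills whole
# blocks and the padding is exactly one block, the precondition POODLE arranges.
SECRET = b"msg=login ok token=0123456789abc"

def poodle_recover_byte(opener, target_block, payload=SECRET, seed=1, max_attempts=20000):
    """Recover the last byte of plaintext block `target_block` (1-based; block 0 is the IV).

    Each attempt the victim re-sends `payload` under a fresh IV (assumption: random
    IV per record instead of SSL 3.0's chained one; the oracle is identical). The
    attacker copies the target ciphertext block over the final, all-padding block
    and observes whether the receiver accepts. Returns (byte or None, attempts used).
    """
    rng = random.Random(seed)
    enc_key, mac_key = b"K" * 16, b"M" * 16      # session keys, unknown to the attacker
    assert (len(payload) + MAC_LEN) % BLOCK == 0, "padding must be exactly one block"
    for attempt in range(1, max_attempts + 1):
        iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        ct = ssl3_seal(enc_key, mac_key, iv, payload, rng)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        n = len(blocks) - 1
        blocks[n] = blocks[target_block]           # the substitution
        if opener(enc_key, mac_key, iv, b"".join(blocks[1:])):
            # Accepted only when D(C_target)[15] ^ C_{n-1}[15] == 15 (the MAC in the earlier
            # blocks is untouched), hence P_target[15] = D(C_target)[15] ^ C_{target-1}[15].
            return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[target_block - 1][-1], attempt
    return None, max_attempts

if __name__ == "__main__":
    byte, tries = poodle_recover_byte(ssl3_open, target_block=2)
    print("SSL 3.0: recovered %r after %d attempts (true byte %r)" % (byte, tries, SECRET[31]))
    print("TLS 1.0: recovered %r" % poodle_recover_byte(tls10_open, 2, max_attempts=2000)[0])
```

Repeating the procedure with the victim's data shifted by one byte (in the browser attack, by padding the request path) walks the whole secret out one position at a time; the only server-side defence is to stop speaking SSL 3.0, which is what the retirement does.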
In accordance with best security practices, Papertrail disabled SSL 3.0 on
all web servers and log ingestion points on the same day that POODLE was
announced. However, due to a misconfiguration, SSL 3.0 remained enabled on
the ingestion points, and it was only deactivated there in the last few weeks
as part of an unrelated patch.
This second update was applied to each ingestion point over several days,
which meant that for a while some syslog endpoints were patched while others
weren’t. Because endpoints are selected by DNS round robin, some nxlog clients
landed on an unpatched endpoint and connected successfully while others landed
on a patched one and failed to connect.
After every ingestion point had been updated, it was discovered that nxlog
versions before 2.9.1347 only support encrypted logging via SSL 3.0 and
thus could not establish a secure connection to patched endpoints.
After speaking with customers, we decided to re-enable SSL 3.0 to give
everyone a reasonable amount of time to upgrade their loggers. We will be
disabling SSL 3.0 again on June 12 (originally June 5; see the update above).
If you have any questions, please email us.