Solved: What System TLS Configuration do?

saitoh

Hi all,

I found presumably newly-added setting, which is System TLS Configuration under System Management > System Logging.

What kind of behaviour can be configured here? I cannot find a detailed document.

Thanks!

Saitoh

sliver bullet: casting repero or tossing it into the harbor

Chris_Atkinson

These are the Syslog over TLS settings, please refer: Configuring System Logging in Gaia Portal

CCSM R77/R80/ELITE

View solution in original post

the_rock

There you go, my friend...greetings for Japan : - )

Andy

************************************

The System TLS Configuration setting you're referring to—found under System Management > System Logging—likely relates to how Transport Layer Security (TLS) is used to secure system log transmissions, especially when logs are sent to remote servers (e.g., syslog over TLS). While the exact behavior can vary depending on the platform (e.g., Windows Server, Cisco NX-OS, Juniper OS), here's a general overview of what can be configured under such a setting:

🔐 What System TLS Configuration Typically Does

Enable Secure Log Transmission:
- TLS encrypts log messages sent from the system to a remote syslog server, ensuring confidentiality and integrity.
Configure Authentication Modes:
- Server Authentication: The client verifies the identity of the server.
- Mutual Authentication: Both client and server verify each other using certificates.
Certificate Management:
- You can specify which X.509 certificates are used for authentication.
- Configure trusted Certificate Authorities (CAs).
- Set up certificate mapping (e.g., one-to-one or many-to-one user mappings).
TLS Protocol and Cipher Suite Settings:
- Define which versions of TLS are allowed (e.g., TLS 1.2, TLS 1.3).
- Control cipher suite order and availability for secure communication.
Session Caching and Timeout Settings:
- Configure how long TLS sessions are cached to improve performance.
- Adjust cache size and timeout intervals.
OCSP Stapling and Trusted Issuer Lists:
- Enable or disable OCSP stapling for certificate revocation checks.
- Decide whether to send a list of trusted certificate authorities to clients.

🧩 Example Use Case

If you're using Windows Server, these settings are managed via the Schannel Security Support Provider (SSP). You can configure them using:

Registry keys (e.g., HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL)
Group Policy
PowerShell

For example, enabling mutual TLS for syslog might involve:

Installing certificates on both client and server.
Configuring the syslog daemon to use TLS.
Setting registry keys or configuration files to enforce TLS-only connections.

Best,
Andy

View solution in original post

Chris_Atkinson

These are the Syslog over TLS settings, please refer: Configuring System Logging in Gaia Portal

CCSM R77/R80/ELITE

the_rock

There you go, my friend...greetings for Japan : - )

Andy

************************************

The System TLS Configuration setting you're referring to—found under System Management > System Logging—likely relates to how Transport Layer Security (TLS) is used to secure system log transmissions, especially when logs are sent to remote servers (e.g., syslog over TLS). While the exact behavior can vary depending on the platform (e.g., Windows Server, Cisco NX-OS, Juniper OS), here's a general overview of what can be configured under such a setting:

🔐 What System TLS Configuration Typically Does

Enable Secure Log Transmission:
- TLS encrypts log messages sent from the system to a remote syslog server, ensuring confidentiality and integrity.
Configure Authentication Modes:
- Server Authentication: The client verifies the identity of the server.
- Mutual Authentication: Both client and server verify each other using certificates.
Certificate Management:
- You can specify which X.509 certificates are used for authentication.
- Configure trusted Certificate Authorities (CAs).
- Set up certificate mapping (e.g., one-to-one or many-to-one user mappings).
TLS Protocol and Cipher Suite Settings:
- Define which versions of TLS are allowed (e.g., TLS 1.2, TLS 1.3).
- Control cipher suite order and availability for secure communication.
Session Caching and Timeout Settings:
- Configure how long TLS sessions are cached to improve performance.
- Adjust cache size and timeout intervals.
OCSP Stapling and Trusted Issuer Lists:
- Enable or disable OCSP stapling for certificate revocation checks.
- Decide whether to send a list of trusted certificate authorities to clients.

🧩 Example Use Case

If you're using Windows Server, these settings are managed via the Schannel Security Support Provider (SSP). You can configure them using:

Registry keys (e.g., HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL)
Group Policy
PowerShell

For example, enabling mutual TLS for syslog might involve:

Installing certificates on both client and server.
Configuring the syslog daemon to use TLS.
Setting registry keys or configuration files to enforce TLS-only connections.

Best,
Andy

saitoh

Dear @Chris_Atkinson , and @the_rock ,

Thanks for sharing the document, and unbelievably detailed explanation!!

Much appreciated, and big respect for you and the time which it took you to acquire this level of knowledge.

Saitoh

sliver bullet: casting repero or tossing it into the harbor

the_rock

Greetings to you and Japan, brother!

Best,

Andy

Best,
Andy

Are you a member of CheckMates?

What System TLS Configuration do?

🔐 What System TLS Configuration Typically Does

🧩 Example Use Case

🔐 What System TLS Configuration Typically Does

🧩 Example Use Case