Add notes about TLS cipher changes in 4.1 (#1198)

Graylog2 · Jul 23, 2021 · c040fa8 · c040fa8
1 parent 5492878
commit c040fa8
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/pages/upgrade/graylog-4.1.rst b/pages/upgrade/graylog-4.1.rst
@@ -10,6 +10,19 @@ Upgrading to Graylog 4.1.x
 
 .. warning:: Please make sure to create a MongoDB database backup before starting the upgrade to Graylog 4.1!
 
+TLS Changes
+===========
+
+Graylog is now using only ciphers that considered secure (at this time of writing) when TLS v1.2 or greater is enabled. (see `#10653 <https://github.com/Graylog2/graylog2-server/pull/10653>`__ and `#10985 <https://github.com/Graylog2/graylog2-server/pull/10985>`__) Only TLSv1.2 and TLSv1.3 are enabled in the default Graylog configuration.
+
+This could lead to problems with legacy TLS implementations connecting to Graylog. (e.g. older Syslog daemon versions connecting to a Graylog Syslog input)
+
+To enable older ciphers again and work around problems with legacy TLS implementations, the ``enabled_tls_protocols`` option can be adjusted to include TLS v1.1.
+
+Example::
+
+    enabled_tls_protocols = TLSv1.1,TLSv1.2
+
 Breaking Changes
 ================