From c040fa8ef5f8cd87855f29d80aadd78a47ffcefc Mon Sep 17 00:00:00 2001 From: Bernd Ahlers Date: Fri, 23 Jul 2021 09:25:44 +0200 Subject: [PATCH] Add notes about TLS cipher changes in 4.1 (#1198) --- pages/upgrade/graylog-4.1.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pages/upgrade/graylog-4.1.rst b/pages/upgrade/graylog-4.1.rst index c5b10901..66abac2a 100644 --- a/pages/upgrade/graylog-4.1.rst +++ b/pages/upgrade/graylog-4.1.rst @@ -10,6 +10,19 @@ Upgrading to Graylog 4.1.x .. warning:: Please make sure to create a MongoDB database backup before starting the upgrade to Graylog 4.1! +TLS Changes +=========== + +Graylog is now using only ciphers that considered secure (at this time of writing) when TLS v1.2 or greater is enabled. (see `#10653 `__ and `#10985 `__) Only TLSv1.2 and TLSv1.3 are enabled in the default Graylog configuration. + +This could lead to problems with legacy TLS implementations connecting to Graylog. (e.g. older Syslog daemon versions connecting to a Graylog Syslog input) + +To enable older ciphers again and work around problems with legacy TLS implementations, the ``enabled_tls_protocols`` option can be adjusted to include TLS v1.1. + +Example:: + + enabled_tls_protocols = TLSv1.1,TLSv1.2 + Breaking Changes ================
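Review bot: The example at the end of the new "TLS Changes" section, `enabled_tls_protocols = TLSv1.1,TLSv1.2`, leaves out TLSv1.3, although the first paragraph says TLSv1.2 and TLSv1.3 are the enabled defaults. An operator who copies the line as written gains TLS v1.1 but silently loses TLS v1.3. I suggest `enabled_tls_protocols = TLSv1.1,TLSv1.2,TLSv1.3`, so that the workaround only adds the legacy protocol. The sentence introducing the option says it is there "to enable older ciphers again", but the option name and the example list protocol versions. It would help to state whether adding TLS v1.1 also brings back the older cipher suites, or only the protocol version. Since the section presents this as a workaround for legacy clients, a short remark that TLS v1.1 should be removed again once those clients are upgraded would fit here. Minor wording: "ciphers that considered secure" is missing "are", and "at this time of writing" reads better as "at the time of writing".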