tech-userlevel archive


Re: SoC: Improve syslogd

OK, I'll follow these, good read. One comment:

> I can also imagine to have a default modus 'TLS if available', where
> all network destinations (@ are read at startup, then it is tried to
> establish a TLS connection, and if TLS fails it falls back to UDP.

I personally think this is dangerous, because a man in the middle can
simply deny TLS and thus force the sender to use UDP (btw: why not
fall back to plain TCP in this case?). HOWEVER, users will obviously
love this option, and from an operations point of view it can make
much sense. I have to admit that rsyslog does a similar thing with
GSSAPI, where it, too, falls back if GSSAPI encryption is not

I have not yet decided how I will handle this for TLS. The current
implementation requires TLS and does not allow fallback. I think about
adding a user-configurable option to permit a fallback to non-TLS
transfer. But does that make sense? syslog-transport-tls does not talk
about this at all (maybe it should...).

Comments appreciated.


On Tue, May 6, 2008 at 1:13 PM, Martin Schütte <> 
> Rainer Gerhards schrieb:
> > Is there a mailing list for your project? I would really like to
> > follow up on how you progress and I think you have some good ideas
> >
>  There is no mailing list. The best way to follow the project is to follow
>  either
>  - the netbsd-soc page where I will publish somewhat 'finished' milestones
>    and documentation (, or
>  - my development Trac where I try to update often and early
>    (, also has an RSS feed).
>  --
>  Martin
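The downgrade Rainer describes can be reproduced in a few lines. What follows is an added example written for this archive page, not code from the thread, from rsyslog, or from the NetBSD SoC syslogd. It models the proposed "TLS if available, else UDP" policy next to a "TLS required" policy, and stands in for the man in the middle by pointing the sender at a TCP port on 127.0.0.1 that has no listener (the connection is refused, just as it would be if an attacker reset or dropped the TLS connection). All hosts, ports and the log line are constructed for the demo; the UDP listener plays whoever can see the wire, whether that is the collector or an attacker on the segment.

```python
"""
Added example: opportunistic TLS vs. required TLS for a syslog sender,
with a blocked TLS port standing in for a man in the middle.
Not code from the thread, rsyslog, or the NetBSD SoC syslogd.
"""
import socket
import ssl

TLS_TIMEOUT = 0.5   # how long the sender waits for the TLS leg before giving up


def pick_unused_tcp_port():
    """Bind-and-release to obtain a TCP port with no listener on it.
    A connect() to it is refused, which simulates a MITM that resets or
    drops the sender's TLS connection attempt (constructed for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def try_tls_syslog(host, tls_port, message):
    """Attempt a syslog-over-TLS delivery (RFC 5425 style, octet-counted frame).
    Returns True if the record went out over TLS, False if the attempt failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, tls_port), timeout=TLS_TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                frame = f"{len(message)} {message}".encode()
                tls.sendall(frame)
        return True
    except OSError:          # ssl.SSLError is a subclass of OSError
        return False


def send_syslog(host, tls_port, udp_port, message, policy):
    """policy is 'tls-if-available' (the proposed default) or 'tls-required'.
    Returns the transport actually used: 'tls', 'udp', or None (nothing sent)."""
    if try_tls_syslog(host, tls_port, message):
        return "tls"
    if policy == "tls-required":
        return None          # fail closed: queue or drop rather than leak
    if policy == "tls-if-available":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
            u.sendto(message.encode(), (host, udp_port))   # plaintext on the wire
        return "udp"
    raise ValueError(f"unknown policy {policy!r}")


class UdpTap:
    """UDP listener standing in for whoever can read the segment."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(1.0)
        self.port = self.sock.getsockname()[1]

    def recv(self):
        try:
            return self.sock.recv(4096).decode()
        except socket.timeout:
            return None

    def close(self):
        self.sock.close()


def demo(policy):
    """Run one sender under the given policy against a blocked TLS port.
    Returns (transport_used, text_seen_on_wire)."""
    tap = UdpTap()
    blocked_tls_port = pick_unused_tcp_port()
    # Constructed RFC 5424-style record; the kind of line an attacker wants to read.
    msg = "<134>1 2008-05-06T13:13:00Z host1 sshd - - - Accepted publickey for root"
    try:
        used = send_syslog("127.0.0.1", blocked_tls_port, tap.port, msg, policy)
        seen = tap.recv()
    finally:
        tap.close()
    return used, seen


if __name__ == "__main__":
    for policy in ("tls-if-available", "tls-required"):
        used, seen = demo(policy)
        print(f"{policy:17s} transport={used!r:7} on the wire: {seen!r}")
```

Under "tls-if-available" the sender, having been refused on the TLS port, emits the full record over UDP and the tap reads it in the clear; under "tls-required" nothing leaves the host and the tap sees nothing. Swapping the UDP fallback for plain TCP, as Rainer's parenthetical asks about, changes the framing but not the outcome: the attacker still only has to break the TLS leg to receive plaintext, so any fallback option needs to be an explicit, per-destination opt-in rather than a default.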
