tech-userlevel archive


Re: SoC: Improve syslogd



Rainer Gerhards wrote:
> You could always use
> *.* @@(mode=tls,whatever-else)server.example.net

Yes, but that would make some future protocol change even harder.
Unless the protocol is always given as a "(option)". :-/

What if I wanted to use a syslog-transport-sctp? Increase to "@@@"?

> The bigger question is how you intend to handle the authorization
> issues that come along with -transport-tls. For example, how do you
> specify the remote client names that a sender is permitted to listen
> to. Or how to specify if you use name, fingerprint or anonymous
> authentication. The current rsyslog approach works, but is ugly.

I think for syslogd it is sufficient to use one global list of trusted certificates/fingerprints.

So the configuration can use a single CA cert:
"CACertFile=xyz.cert"
or a directory with trust anchors (trusted CA and/or client certs)
"CertDirectory=/some/path"

To support fingerprints I imagine either listing them in syslog.conf:
"CertFingerprints=SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9F"
or using the file system and having them inside the CertDirectory, to be added with:
"touch /some/path/SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D"

--
Martin
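As an added illustration of the two trust sources proposed in Martin's message (a CertFingerprints list in syslog.conf and fingerprint-named entries inside CertDirectory), the following Python is example code written for this archive page, not code from NetBSD syslogd, rsyslog or the SoC project. It assumes the "SHA1:XX:XX:..." spelling shown in the thread, treats a constructed byte string as a stand-in for a DER-encoded peer certificate, and uses a temporary directory in place of /some/path; all function names are hypothetical.

```python
import hashlib
import os
import re
import tempfile

# Fingerprint form used in the thread: "SHA1:" then 20 colon-separated hex
# byte pairs. Case-insensitive so hand-typed lower-case entries still match.
_FP_RE = re.compile(r"^SHA1:((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})$", re.IGNORECASE)


def normalize_fingerprint(token):
    """Return the canonical upper-case 'SHA1:..' form, or None if malformed."""
    m = _FP_RE.match(token.strip())
    if not m:
        return None
    return "SHA1:" + m.group(1).upper()


def parse_fingerprint_option(line):
    """Parse a 'CertFingerprints=...' syslog.conf line into a set of fingerprints.

    Tokens are whitespace separated; surrounding double quotes are tolerated.
    Malformed tokens are returned separately so a typo in a trust anchor is
    reported instead of silently shrinking the trusted set.
    """
    key, _, value = line.strip().strip('"').partition("=")
    if key.strip() != "CertFingerprints":
        raise ValueError("not a CertFingerprints line")
    good, bad = set(), []
    for tok in value.split():
        fp = normalize_fingerprint(tok)
        if fp:
            good.add(fp)
        else:
            bad.append(tok)
    return good, bad


def load_fingerprint_dir(path):
    """Collect trust anchors whose file name is a fingerprint inside CertDirectory."""
    good = set()
    for name in os.listdir(path):
        fp = normalize_fingerprint(name)
        if fp:
            good.add(fp)
    return good


def cert_fingerprint(der_bytes):
    """SHA-1 over the DER encoding, formatted like the thread's examples."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return "SHA1:" + ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def peer_is_trusted(der_bytes, trusted):
    """True if the peer certificate's fingerprint is in the merged trust set."""
    return cert_fingerprint(der_bytes) in trusted


def demo():
    """Exercise both trust sources with constructed data; returns a result dict."""
    # Constructed stand-in for a DER-encoded peer certificate (not real X.509).
    peer_der = b"constructed-peer-certificate-bytes"
    # The CertFingerprints line exactly as proposed in the thread.
    conf_line = ('"CertFingerprints='
                 'SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D '
                 'SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9F"')
    from_conf, bad = parse_fingerprint_option(conf_line)
    with tempfile.TemporaryDirectory() as certdir:
        # Emulates "touch /some/path/SHA1:..." for the peer's fingerprint.
        open(os.path.join(certdir, cert_fingerprint(peer_der)), "w").close()
        from_dir = load_fingerprint_dir(certdir)
    trusted = from_conf | from_dir
    return {
        "conf_count": len(from_conf),
        "bad_tokens": bad,
        "peer_trusted": peer_is_trusted(peer_der, trusted),
        "stranger_trusted": peer_is_trusted(b"other-constructed-cert", trusted),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the thread's proposal. Fingerprints are normalized to one canonical spelling before comparison, so an entry typed in lower case or a file name created by hand matches the value the daemon computes. Malformed entries are surfaced rather than dropped, because a silently ignored trust anchor is the kind of configuration error that turns into a rejected legitimate sender (or, with a permissive fallback, an accepted unknown one) at runtime.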

