[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: SoC: Improve syslogd
Joerg Sonnenberger schrieb:
I think for syslogd it is sufficient to use one global list of trusted
I don't like to force that. Either specify a global certificate list and
allow each entry to match the common name or allow individual
> certificates for each entry.
Having the certificates is only one part of verification -- of course
every connecting hostname/IP has to match its certificate.
I really want syslogd and its configuration to remain simple.
It is certainly possible to configure every source and destination
seperately with its own certificate, allowed hostnames, buffer sizes
etc. -- but IMHO that is a task for syslog-ng or other applications from
pkgsrc, not the default daemon from the base system.
A sane default behaviour would be to use
the entry and protocol from the config file and match that against the
certificate. E.g. look for sctp://example.net as common name.
I do not think the used transport protocol should be part of a x.509
certificate. Checks will be against the common name and the
subjectAltName with DNS and IP entries.
Main Index |
Thread Index |