tech-userlevel archive


Re: SoC: Improve syslogd



OK, I'll follow these, good read. One comment:

> I can also imagine to have a default modus 'TLS if available', where
> all network destinations (@10.1.2.3) are read at startup, then it is
> tried to establish a TLS connection, and if TLS fails it falls back to UDP.

I personally think this is dangerous, because a man in the middle can
simply deny TLS and thus force the sender to use UDP (btw: why not
fall back to plain TCP in this case?) HOWEVER, users will obviously
love this option, and from an operations point of view it can make
much sense. I have to admit that rsyslog does a similar thing with
GSSAPI, where it, too, falls back if GSSAPI encryption is not
available.

I have not yet decided how I will handle this for TLS. The current
implementation requires TLS and does not allow fallback. I think about
adding a user-configurable option to permit a fallback to non-TLS
transfer. But does that make sense? syslog-transport-tls does not talk
about this at all (maybe it should...).

Comments appreciated.

Rainer

On Tue, May 6, 2008 at 1:13 PM, Martin Schütte <lists%mschuette.name@localhost> 
wrote:
> Rainer Gerhards wrote:
>
> > Is there a mailing list for your project? I would really like to
> > follow up on how you progress and I think you have some good ideas
>
> There is no mailing list. The best way to follow the project is to follow
> either
> - the netbsd-soc page where I will publish somewhat 'finished' milestones
>   and documentation (http://netbsd-soc.sourceforge.net/projects/syslogd/), or
> - my development Trac where I try to update often and early
>   (https://barney.cs.uni-potsdam.de/trac/syslogd/timeline, also has an RSS
>   feed).
>
> --
> Martin
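As an added illustration of the 'TLS if available' fallback debated above (example code written for this page, not rsyslog's or the NetBSD syslogd project's): a sender-side transport policy with a `require` mode and an `opportunistic` mode. The `connect` parameter and the `seen_tls` rule (never downgrade a destination that has already completed TLS) are assumptions of this example, not anything either implementation does.

```python
import socket
import ssl

# Added example, not rsyslog or NetBSD syslogd code. Models the transport
# choice discussed in the thread: try TLS first, then either refuse to send
# or fall back to plain UDP when the TLS handshake cannot be completed.


class TlsUnavailable(Exception):
    """Raised when TLS failed and policy forbids sending in the clear."""


def try_tls(host, port, timeout=2.0):
    """Attempt a TLS connection; return the wrapped socket, or None on failure."""
    ctx = ssl.create_default_context()  # verifies the server cert against system CAs
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        return ctx.wrap_socket(raw, server_hostname=host)
    except (OSError, ssl.SSLError):
        return None


def select_transport(host, port, policy, seen_tls, connect=try_tls):
    """Return ("tls", sock) or ("udp", None) for one destination.

    policy:   "require"       -> never send without TLS
              "opportunistic" -> fall back to UDP if TLS fails (the downgrade
                                 risk raised in the thread: anyone who can make
                                 the handshake fail forces plaintext)
    seen_tls: set of (host, port) that completed TLS earlier in this run; such a
              destination is never downgraded (assumed hardening, not in the thread)
    connect:  the TLS attempt; injectable so the policy can be exercised offline
    """
    sock = connect(host, port)
    if sock is not None:
        seen_tls.add((host, port))
        return "tls", sock
    if policy == "require" or (host, port) in seen_tls:
        raise TlsUnavailable(f"TLS to {host}:{port} failed; fallback not permitted")
    # Opportunistic mode: downgrade, but leave an audit trail of the decision.
    print(f"WARNING: {host}:{port} downgraded to plaintext UDP (TLS handshake failed)")
    return "udp", None


if __name__ == "__main__":
    # Constructed destination from the thread; port 6514 is the syslog-over-TLS port.
    deny = lambda host, port: None  # stands in for a blocked or refused handshake
    print(select_transport("10.1.2.3", 6514, "opportunistic", set(), connect=deny))
    try:
        select_transport("10.1.2.3", 6514, "require", set(), connect=deny)
    except TlsUnavailable as exc:
        print("refused:", exc)
```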

