tech-userlevel archive


Re: SoC: Improve syslogd



Joerg Sonnenberger wrote:
>> I think for syslogd it is sufficient to use one global list of trusted certificates/fingerprints.
> I don't like to force that. Either specify a global certificate list and
> allow each entry to match the common name or allow individual
> certificates for each entry.

Having the certificates is only one part of verification -- of course every connecting hostname/IP has to match its certificate.

I really want syslogd and its configuration to remain simple.
It is certainly possible to configure every source and destination separately with its own certificate, allowed hostnames, buffer sizes etc. -- but IMHO that is a task for syslog-ng or other applications from pkgsrc, not the default daemon from the base system.

> A sane default behaviour would be to use
> the entry and protocol from the config file and match that against the
> certificate. E.g. look for sctp://example.net as common name.

I do not think the used transport protocol should be part of an X.509 certificate. Checks will be against the common name and the subjectAltName with DNS and IP entries.

--
Martin
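
The check described in the reply above (match the configured host, not the transport, against the common name and the subjectAltName DNS and IP entries), as an added example that is not part of the original message or of syslogd's code. `struct cert_ids`, `peer_matches_cert` and the sample data are hypothetical; it assumes the identities were already extracted from a validated certificate, that a config entry is an optional `scheme://` followed by a bare host, and it does no wildcard matching.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Hypothetical container: identities already extracted from the peer certificate. */
struct cert_ids {
    const char *cn;         /* subject common name, may be NULL */
    const char *const *dns; /* subjectAltName dNSName entries, NULL-terminated */
    const char *const *ip;  /* subjectAltName iPAddress entries as text, NULL-terminated */
};

/* Parse an IPv4/IPv6 literal; returns the address length (4 or 16), 0 if not an IP. */
static int parse_ip(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* Compare two IP literals in binary form, so "::1"-style spellings are equivalent. */
static int same_ip(const char *a, const char *b)
{
    unsigned char x[16], y[16];
    int n = parse_ip(a, x);
    return n != 0 && n == parse_ip(b, y) && memcmp(x, y, (size_t)n) == 0;
}

/* Returns 1 if the config entry's host matches the CN or a subjectAltName entry. */
int peer_matches_cert(const char *entry, const struct cert_ids *c)
{
    const char *sep = strstr(entry, "://");   /* the transport is not matched */
    const char *host = sep ? sep + 3 : entry;
    unsigned char tmp[16];
    size_t i;

    if (parse_ip(host, tmp)) {                /* IP peer: iPAddress entries, then CN */
        for (i = 0; c->ip && c->ip[i]; i++)
            if (same_ip(host, c->ip[i])) return 1;
        return c->cn && same_ip(host, c->cn);
    }
    for (i = 0; c->dns && c->dns[i]; i++)     /* DNS names compare case-insensitively */
        if (strcasecmp(host, c->dns[i]) == 0) return 1;
    return c->cn && strcasecmp(host, c->cn) == 0;
}

/* Constructed sample certificate identities (documentation names and addresses). */
static const char *const sample_dns[] = { "Loghost.Example.net", NULL };
static const char *const sample_ip[] = { "2001:db8:0:0:0:0:0:1", "192.0.2.10", NULL };
static const struct cert_ids sample = { "example.net", sample_dns, sample_ip };
```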

