tech-userlevel archive


Re: SoC: Improve syslogd



On Mon, May 26, 2008 at 9:53 PM, Joerg Sonnenberger
<joerg%britannica.bec.de@localhost> wrote:
> On Mon, May 26, 2008 at 09:39:34PM +0200, Rainer Gerhards wrote:
>> What I still do not fully understand (now) is how you would like to
>> have a client authenticate the server. Just based on the @@<hostname>?
>> If so, how do you do fingerprints?
>
> A single certificate for the client should be good enough as starting
> point. Selecting the key per host might be useful in edge cases, but I
> don't think it is required initially.

Well ... depends if Martin intends to implement the (upcoming)
standard or not. The standard demands that each server is
authenticated. It doesn't demand that operators really use that, but
the implementation must support it and do so by default.

Whether fingerprint authentication is really mandated is currently being discussed.

>
>> As a side-note, have you already made up your mind which TLS library
>> you will probably use?
>
> Given that OpenSSL is the only implementation in NetBSD...

A convincing point ;)

Is it actually the only TLS library or is it the default one (so no
GnuTLS or NSS)? If it's the only one, that means I need to implement an
OpenSSL stream driver in order to provide that functionality on
NetBSD, too ;) Good to know as early as possible.

Rainer
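
The thread above discusses two ways a syslog client can authenticate the server it sends to: validating the certificate against the configured @@<hostname>, or comparing the server certificate against a preconfigured fingerprint. The following is an added illustration, not code from this thread, from NetBSD's syslogd or from rsyslog, of the fingerprint variant in Python: it parses a fingerprint of the form "ALG:xx:xx:..." (the colon-separated hex format is an assumption), hashes the peer's DER certificate with the named algorithm, and compares in constant time. The CONSTRUCTED_CERT bytes are a stand-in for a real DER certificate; the host, port and pin in connect_with_pinned_server are placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Digest algorithms accepted in a configured fingerprint (assumed set).
SUPPORTED_ALGS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Constructed stand-in for the DER bytes of a server certificate; any
# byte string hashes the same way, a real deployment uses the peer's cert.
CONSTRUCTED_CERT = b"abc"


def parse_fingerprint(text):
    """Split 'ALG:AB:CD:...' into (ALG, raw digest bytes); reject junk."""
    alg, sep, hexpart = text.partition(":")
    alg = alg.upper()
    if not sep or alg not in SUPPORTED_ALGS:
        raise ValueError("unsupported or malformed fingerprint: %r" % text)
    digest = bytes.fromhex(hexpart.replace(":", ""))
    if len(digest) != SUPPORTED_ALGS[alg]().digest_size:
        raise ValueError("fingerprint length does not match %s" % alg)
    return alg, digest


def cert_fingerprint(der_cert, alg="SHA1"):
    """Raw digest of the DER-encoded certificate."""
    return SUPPORTED_ALGS[alg](der_cert).digest()


def format_fingerprint(der_cert, alg="SHA1"):
    """Render the digest in the same colon-separated form the config uses."""
    return alg + ":" + ":".join("%02X" % b for b in cert_fingerprint(der_cert, alg))


def fingerprint_matches(der_cert, pinned):
    """True only if the peer certificate hashes to the configured pin."""
    alg, expected = parse_fingerprint(pinned)
    # Constant-time compare so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(cert_fingerprint(der_cert, alg), expected)


def connect_with_pinned_server(host, port, pinned):
    """Open a TLS connection and accept it only if the server cert matches the pin.

    Chain and hostname validation are switched off here because the pin
    replaces them; with a hostname-based policy you would instead keep
    check_hostname=True and CERT_REQUIRED. host/port/pinned are placeholders.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER bytes even when not validated
    if der is None or not fingerprint_matches(der, pinned):
        tls.close()
        raise ssl.SSLError("server certificate fingerprint mismatch, refusing to send")
    return tls
```

The pin is checked after the handshake completes but before any syslog record is written, which is the behaviour the draft's "must support, on by default" requirement calls for: a server that does not match is never sent data. Operators record the pin once with format_fingerprint on a certificate they trust and put that string in the client configuration.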

