tech-userlevel archive
Re: SoC: Improve syslogd
OK, I'll follow these, good read. One comment:
>I can also imagine to have a default modus 'TLS if available', where
>all network destinations (@10.1.2.3) are read at startup, then it is
>tried to establish a TLS connection, and if TLS fails it falls back to UDP.
I personally think this is dangerous, because a man in the middle can
simply deny TLS and thus force the sender to use UDP (btw: why not
fall back to plain TCP in this case?). However, users will obviously
love this option, and from an operations point of view it can make
much sense. I have to admit that rsyslog does a similar thing with
GSSAPI, where it, too, falls back if GSSAPI encryption is not
available.
I have not yet decided how I will handle this for TLS. The current
implementation requires TLS and does not allow fallback. I think about
adding a user-configurable option to permit a fallback to non-TLS
transfer. But does that make sense? syslog-transport-tls does not talk
about this at all (maybe it should...).
Comments appreciated.
Rainer
On Tue, May 6, 2008 at 1:13 PM, Martin Schütte <lists%mschuette.name@localhost>
wrote:
> Rainer Gerhards wrote:
>
>
> > Is there a mailing list for your project? I would really like to
> > follow up on how you progress and I think you have some good ideas
> >
>
> There is no mailing list. The best way to follow the project is to follow
> either
> - the netbsd-soc page where I will publish somewhat 'finished' milestones
> and documentation (http://netbsd-soc.sourceforge.net/projects/syslogd/), or
> - my development Trac where I try to update often and early
> (https://barney.cs.uni-potsdam.de/trac/syslogd/timeline, also has an RSS
> feed).
>
> --
> Martin
>
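The downgrade concern raised in the reply above, worked through as an added illustration (this is not code from the syslogd project or from rsyslog): a sender with a hypothetical ordered fallback chain versus one that requires TLS, run against a simulated path on which the TLS connection cannot be established, as would happen if an on-path party blocks it. Transports, the `Network` stand-in and the sample message are all constructed here; nothing touches a real socket.

```python
# Added illustration, not project code. Simulates how a "TLS if available"
# fallback chain behaves when the TLS connection fails, compared with a
# strict "TLS required" policy that queues instead of sending in the clear.
from dataclasses import dataclass, field


@dataclass
class Network:
    """Constructed stand-in for the path to the log collector."""
    tls_reachable: bool          # False models TLS being denied on-path
    tcp_reachable: bool = True
    udp_reachable: bool = True

    def connect(self, transport):
        return {"tls": self.tls_reachable,
                "tcp": self.tcp_reachable,
                "udp": self.udp_reachable}[transport]


@dataclass
class Sender:
    """Syslog sender with a hypothetical ordered fallback chain."""
    chain: tuple                                   # ("tls",) or ("tls", "tcp", "udp")
    sent: list = field(default_factory=list)       # (transport, message) actually emitted
    queued: list = field(default_factory=list)     # held back rather than sent unprotected
    attempts: list = field(default_factory=list)   # every transport tried, for auditing
    downgrades: int = 0                            # times a non-TLS transport was used

    def send(self, net, msg):
        for transport in self.chain:
            self.attempts.append(transport)
            if net.connect(transport):
                if transport != "tls":
                    # Each downgrade is an event an operator should log and alert on:
                    # with a fallback chain a single blocked TLS handshake is enough
                    # to put the message on the wire in cleartext (TCP or UDP alike).
                    self.downgrades += 1
                self.sent.append((transport, msg))
                return transport
        self.queued.append(msg)   # strict policy: TLS failed, nothing leaves in the clear
        return None


def run_scenario(chain, tls_reachable):
    """Send one constructed syslog message under the given policy and path."""
    net = Network(tls_reachable=tls_reachable)
    sender = Sender(chain=chain)
    sender.send(net, "<13>May  6 13:13:00 host app: test message")
    return sender
```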