tech-userlevel archive
Re: SoC: Improve syslogd
Rainer Gerhards wrote:
> You could always use
> *.* @@(mode=tls,whatever-else)server.example.net
Yes, but that would make some future protocol change even harder.
Unless the protocol is always given as a "(option)". :-/
What if I wanted to use a syslog-transport-sctp? Increase to "@@@"?
> The bigger question is how you intend to handle the authorization
> issues that come along with -transport-tls. For example, how do you
> specify the remote client names that a sender is permitted to listen
> to. Or how to specify if you use name, fingerprint or anonymous
> authentication. The current rsyslog approach works, but is ugly.
I think for syslogd it is sufficient to use one global list of trusted
certificates/fingerprints.
So the configuration can use a single CA cert:
"CACertFile=xyz.cert"
or a directory with trust anchors (trusted CA and/or client certs)
"CertDirectory=/some/path"
To support fingerprints I imagine either listing them in syslog.conf
"CertFingerprints=SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D
SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9F"
or to use the file system and have them inside the CertDirectory to be
added with:
"touch /some/path/SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D"
--
Martin
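As an added illustration of the fingerprint matching Martin sketches above (this is not code from the thread or from any syslogd), assuming a hypothetical check run on the peer's DER-encoded certificate after the TLS handshake, with trust granted either by a CertFingerprints value in syslog.conf or by a file of that name inside CertDirectory:

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a peer's DER-encoded certificate; not a real certificate.
PEER_CERT_DER = b"constructed-peer-certificate-bytes"


def fingerprint(cert_der: bytes, algo: str = "SHA1") -> str:
    """Fingerprint in the syslog.conf notation used above: ALGO:HH:HH:...:HH."""
    digest = hashlib.new(algo.lower(), cert_der).hexdigest().upper()
    return algo + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint_option(value: str) -> set:
    """Split a (possibly multi-line) CertFingerprints value into a normalised set."""
    return {tok.strip().upper() for tok in value.split() if tok.strip()}


def directory_fingerprints(cert_dir: str) -> set:
    """Fingerprints granted by 'touch CertDirectory/SHA1:...': the file name is the fingerprint."""
    return {name.upper() for name in os.listdir(cert_dir) if ":" in name}


def peer_is_trusted(cert_der: bytes, conf_fingerprints: str = "", cert_dir: str = None) -> bool:
    """True if the peer certificate's fingerprint is in the global trusted list from either source."""
    trusted = parse_fingerprint_option(conf_fingerprints)
    if cert_dir:
        trusted |= directory_fingerprints(cert_dir)
    return fingerprint(cert_der) in trusted


def directory_demo() -> bool:
    """Build a throwaway CertDirectory, 'touch' the peer's fingerprint into it, and check."""
    with tempfile.TemporaryDirectory() as cert_dir:
        open(os.path.join(cert_dir, fingerprint(PEER_CERT_DER)), "w").close()
        return peer_is_trusted(PEER_CERT_DER, cert_dir=cert_dir)


if __name__ == "__main__":
    conf = "SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D\n" + fingerprint(PEER_CERT_DER)
    print("syslog.conf list:", peer_is_trusted(PEER_CERT_DER, conf))
    print("CertDirectory  :", directory_demo())
```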