tech-userlevel archive
Re: SoC: Improve syslogd
Joerg Sonnenberger wrote:
>> I think for syslogd it is sufficient to use one global list of trusted
>> certificates/fingerprints.
> I don't like to force that. Either specify a global certificate list and
> allow each entry to match the common name or allow individual
> certificates for each entry.
Having the certificates is only one part of verification -- of course
every connecting hostname/IP has to match its certificate.
I really want syslogd and its configuration to remain simple.
It is certainly possible to configure every source and destination
separately with its own certificate, allowed hostnames, buffer sizes
etc. -- but IMHO that is a task for syslog-ng or other applications from
pkgsrc, not the default daemon from the base system.
> A sane default behaviour would be to use
> the entry and protocol from the config file and match that against the
> certificate. E.g. look for sctp://example.net as common name.
I do not think the used transport protocol should be part of an X.509
certificate. Checks will be against the common name and the
subjectAltName with DNS and IP entries.
--
Martin
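An illustration of the hostname/IP-versus-certificate check discussed in this reply, as an added example that is not code from NetBSD's syslogd or from either poster. The certificate is a constructed dict in the layout Python's ssl.getpeercert() returns; the matching policy (subjectAltName first, common name only as a fallback, a single leftmost wildcard label) is an assumption for the example, not the daemon's implementation.

```python
import ipaddress

# Constructed sample peer certificate in ssl.getpeercert() layout. The
# example assumes chain validation against the trusted list already passed;
# this function only answers "does the configured peer name match it?".
PEER_CERT = {
    "subject": ((("commonName", "loghost.example.net"),),),
    "subjectAltName": (
        ("DNS", "loghost.example.net"),
        ("DNS", "*.logs.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, host):
    """Match a DNS name; a wildcard is allowed only as the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return pattern == host


def peer_matches(cert, peer):
    """Return True if the configured hostname or IP literal matches cert."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        addr = None
    sans = cert.get("subjectAltName", ())
    if addr is not None:
        # An IP literal is compared only against iPAddress SAN entries,
        # never against DNS names or the common name.
        return any(k == "IP Address" and ipaddress.ip_address(v) == addr
                   for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        # When DNS SANs exist they are authoritative; the CN is ignored.
        return any(_dns_match(p, peer) for p in dns_names)
    # Legacy fallback: a certificate with no DNS SANs is matched on its CN.
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn
          if k == "commonName"]
    return any(_dns_match(p, peer) for p in cn)
```

Note that a scheme-prefixed name such as "sctp://loghost.example.net" never matches, because neither the DNS nor the IP form of a name carries a transport.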