author: Rainer Gerhards <rgerhards@adiscon.com> 2008-05-21 11:45:40 +0200
committer: Rainer Gerhards <rgerhards@adiscon.com> 2008-05-21 11:45:40 +0200
commit: 8cb6ec4cee79d41c30d7df38b58ab1f198ac8581 (patch)
tree: 6350eab90656efdf98716c0520d6aa8a71f40dbd /doc/ns_gtls.html
parent: 350f28efd97ff8f84fa0c86b5655e1cef8d4596e (diff)
added some forgotten doc
Diffstat (limited to 'doc/ns_gtls.html')
-rw-r--r-- doc/ns_gtls.html 37
1 files changed, 26 insertions, 11 deletions
diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html
index ff5ed7c3..46e2e238 100644
--- a/doc/ns_gtls.html
+++ b/doc/ns_gtls.html
@@ -11,21 +11,36 @@ library</a>.</p>
<ul>
<li>0 - unencrypted trasmission (just like <a href="ns_ptcp.html">ptcp</a> driver)</li>
<li>1 - TLS-protected operation</li>
-</ul>Note: mode 0 does not provide any benefit over the ptcp driver.
-This mode exists for technical reasons, but should not be used. It may
-be removed in the future.<br><span style="font-weight: bold;">
-Supported Authentication Modes</span><br>
+</ul>
+Note: mode 0 does not provide any benefit over the ptcp driver. This
+mode exists for technical reasons, but should not be used. It may be
+removed in the future.<br>
+<span style="font-weight: bold;">Supported Authentication
+Modes</span><br>
<ul>
-<li><span style="font-weight: bold;">anon</span> - anonymous authentication as
+<li><span style="font-weight: bold;">anon</span>
+- anonymous authentication as
described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li>
-<li><span style="font-weight: bold;">x509/fingerprint</span> - certificate fingerprint authentication as
-described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li><li><span style="font-weight: bold;">x509/name</span> - certificate validation and subject name authentication as
-described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft [NOT YET IMPLEMENTED]</li>
-</ul>Note: "anon" does not permit to authenticate the remote peer. As
-such, this mode is vulnerable to man in the middle attacks as well as
+<li><span style="font-weight: bold;">x509/fingerprint</span>
+- certificate fingerprint authentication as
+described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li>
+<li><span style="font-weight: bold;">x509/name</span>
+- certificate validation and subject name authentication as
+described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
+[NOT YET IMPLEMENTED]</li>
+</ul>
+Note: "anon" does not permit to authenticate the remote peer. As such,
+this mode is vulnerable to man in the middle attacks as well as
unauthorized access. It is recommended NOT to use this mode.<br>
-[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
+<br>
+<b>Known Problems</b><br>
+<p>Even in x509/fingerprint mode, both the client and sever
+certificate currently must be signed by the same root CA. This is an
+artifact of the underlying GnuTLS library and the way we use it. It is
+expected that we can resolve this issue in the future.</p>
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]
+</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
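Review bot: the new "Known Problems" paragraph has a typo in `+<p>Even in x509/fingerprint mode, both the client and sever` ("sever" should be "server"), and since this is the one sentence an administrator will read when a fingerprint-authenticated connection refuses to come up, it is worth being precise: say explicitly that a client and server certificate chaining to different root CAs will fail the TLS handshake even though fingerprint mode is meant to authenticate on the fingerprint alone, so the symptom can be recognised rather than mistaken for a wrong fingerprint. Two smaller points in the same hunk: the unchanged context line `<li>0 - unencrypted trasmission` still carries "trasmission" and could be fixed while the file is being edited, and the new `<b>Known Problems</b><br>` heading uses a different markup than the `<span style="font-weight: bold;">Supported Authentication Modes</span>` heading a few lines above; pick one form for both so the section headings render consistently.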