diff options
author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-21 14:59:24 +0200 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-21 14:59:24 +0200 |
commit | 68a2c3d512615f217d8c6454a679849083c80f00 (patch) | |
tree | 599578a58a32ccf7dd986ede80e7cfd715eb87f8 /doc/ns_gtls.html | |
parent | 8cb6ec4cee79d41c30d7df38b58ab1f198ac8581 (diff) | |
download | rsyslog-68a2c3d512615f217d8c6454a679849083c80f00.tar.gz rsyslog-68a2c3d512615f217d8c6454a679849083c80f00.tar.xz rsyslog-68a2c3d512615f217d8c6454a679849083c80f00.zip |
implemented x509/certvalid "authentication"
Diffstat (limited to 'doc/ns_gtls.html')
-rw-r--r-- | doc/ns_gtls.html | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html index 46e2e238..46671f4a 100644 --- a/doc/ns_gtls.html +++ b/doc/ns_gtls.html @@ -24,6 +24,8 @@ described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li> <li><span style="font-weight: bold;">x509/fingerprint</span> - certificate fingerprint authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li> +<li><span style="font-weight: bold;">x509/certvalid</span> +- certificate validation only</li> <li><span style="font-weight: bold;">x509/name</span> - certificate validation and subject name authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft @@ -31,8 +33,13 @@ described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft </ul> Note: "anon" does not permit to authenticate the remote peer. As such, this mode is vulnerable to man in the middle attacks as well as -unauthorized access. It is recommended NOT to use this mode.<br> -<br> +unauthorized access. It is recommended NOT to use this mode.</p> +<p>x509/certvalid is a nonstandard mode. It validates the remote +peers certificate, but does not check the subject name. This is +weak authentication that may be useful in scenarios where multiple +devices are deployed and it is sufficient proof of authenticy when +their certificates are signed by the CA the server trusts. This is +better than anon authentication, but still not recommended. <b>Known Problems</b><br> <p>Even in x509/fingerprint mode, both the client and sever certificate currently must be signed by the same root CA. This is an @@ -48,4 +55,4 @@ Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and <a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL version 3 or higher.</font></p> -</body></html>
\ No newline at end of file +</body></html> |