| field | value | date |
|---|---|---|
| author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-21 11:45:40 +0200 |
| committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-21 11:45:40 +0200 |
| commit | 8cb6ec4cee79d41c30d7df38b58ab1f198ac8581 (patch) | |
| tree | 6350eab90656efdf98716c0520d6aa8a71f40dbd /doc/ns_gtls.html | |
| parent | 350f28efd97ff8f84fa0c86b5655e1cef8d4596e (diff) | |
added some forgotten doc
Diffstat (limited to 'doc/ns_gtls.html')

| mode | file | changed lines |
|---|---|---|
| -rw-r--r-- | doc/ns_gtls.html | 37 |

1 files changed, 26 insertions, 11 deletions
diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html index ff5ed7c3..46e2e238 100644 --- a/doc/ns_gtls.html +++ b/doc/ns_gtls.html 
@@ -11,21 +11,36 @@ library</a>.</p> <ul> <li>0 - unencrypted trasmission (just like <a href="ns_ptcp.html">ptcp</a> driver)</li> <li>1 - TLS-protected operation</li> -</ul>Note: mode 0 does not provide any benefit over the ptcp driver. -This mode exists for technical reasons, but should not be used. It may -be removed in the future.<br><span style="font-weight: bold;"> -Supported Authentication Modes</span><br> +</ul> +Note: mode 0 does not provide any benefit over the ptcp driver. This +mode exists for technical reasons, but should not be used. It may be +removed in the future.<br> +<span style="font-weight: bold;">Supported Authentication +Modes</span><br> <ul> -<li><span style="font-weight: bold;">anon</span> - anonymous authentication as +<li><span style="font-weight: bold;">anon</span> +- anonymous authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li> -<li><span style="font-weight: bold;">x509/fingerprint</span> - certificate fingerprint authentication as -described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li><li><span style="font-weight: bold;">x509/name</span> - certificate validation and subject name authentication as -described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft [NOT YET IMPLEMENTED]</li> -</ul>Note: "anon" does not permit to authenticate the remote peer. As -such, this mode is vulnerable to man in the middle attacks as well as +<li><span style="font-weight: bold;">x509/fingerprint</span> +- certificate fingerprint authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft</li> +<li><span style="font-weight: bold;">x509/name</span> +- certificate validation and subject name authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft +[NOT YET IMPLEMENTED]</li> +</ul> +Note: "anon" does not permit to authenticate the remote peer. 
As such, +this mode is vulnerable to man in the middle attacks as well as unauthorized access. It is recommended NOT to use this mode.<br> -[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] +<br> +<b>Known Problems</b><br> +<p>Even in x509/fingerprint mode, both the client and sever +certificate currently must be signed by the same root CA. This is an +artifact of the underlying GnuTLS library and the way we use it. It is +expected that we can resolve this issue in the future.</p> +<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>] +</p> <p><font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a> project.<br> |
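Review bot: the new "Known Problems" paragraph has a typo in "both the client and sever certificate currently must be signed by the same root CA"; it should read "both the client and server certificates". It would also help readers to spell out the practical consequence of that restriction, since a certificate signed by a shared root CA is exactly what x509/fingerprint mode is meant not to require: two independently self-signed certificates cannot currently authenticate each other in fingerprint mode, and a deployment that relies on self-signed peer certificates has to wait for the fix this paragraph promises. Two smaller points while in this hunk: the unchanged context line still carries the typo "unencrypted trasmission", and the new heading uses <b>Known Problems</b> while the existing headings on the page use <span style="font-weight: bold;">, so one of the two styles should be picked for consistency.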