From 68a2c3d512615f217d8c6454a679849083c80f00 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Wed, 21 May 2008 14:59:24 +0200
Subject: implemented x509/certvalid "authentication"
---
doc/ns_gtls.html | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html
index 46e2e238..46671f4a 100644
--- a/doc/ns_gtls.html
+++ b/doc/ns_gtls.html
@@ -24,6 +24,8 @@ described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
x509/fingerprint
- certificate fingerprint authentication as
described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
+x509/certvalid
+- certificate validation only
x509/name
- certificate validation and subject name authentication as
described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
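Review bot: the new list entry "x509/certvalid - certificate validation only" should say what "validation" covers, since the neighbouring modes each reference draft-ietf-syslog-transport-tls-12 and this one is described later in the same file as nonstandard. Suggest wording such as "certificate validation only (chain checked against the trusted CA, subject name not checked; not defined by the draft)" so a reader of the mode list does not mistake it for one of the standardized modes.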
@@ -31,8 +33,13 @@ described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
Note: "anon" does not permit to authenticate the remote peer. As such,
this mode is vulnerable to man in the middle attacks as well as
-unauthorized access. It is recommended NOT to use this mode.
-
+unauthorized access. It is recommended NOT to use this mode.
+x509/certvalid is a nonstandard mode. It validates the remote
+peers certificate, but does not check the subject name. This is
+weak authentication that may be useful in scenarios where multiple
+devices are deployed and it is sufficient proof of authenticy when
+their certificates are signed by the CA the server trusts. This is
+better than anon authentication, but still not recommended.
Known Problems
Even in x509/fingerprint mode, both the client and sever
certificate currently must be signed by the same root CA. This is an
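Review bot: the removed and re-added line "unauthorized access. It is recommended NOT to use this mode." are identical, so this hunk carries whitespace-only churn; drop that pair and keep only the new paragraph. In the added paragraph, fix "peers certificate" to "peer's certificate" and "authenticy" to "authenticity", and since the text already states that the subject name is not checked, it would help to spell out the consequence: any certificate issued by the trusted CA is accepted for any peer, so the security of this mode rests entirely on how tightly that CA's issuance is controlled. The unchanged context line "client and sever" also has a pre-existing typo ("server").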
@@ -48,4 +55,4 @@ Copyright
Gerhards and
Adiscon.
Released under the GNU GPL version 3 or higher.
-
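Review bot: this hunk only removes a trailing blank line after the copyright notice, which is unrelated to the x509/certvalid change described in the subject; harmless, but better kept out of a feature commit so the diff stays focused on the documented change.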