From 68a2c3d512615f217d8c6454a679849083c80f00 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 21 May 2008 14:59:24 +0200 Subject: implemented x509/certvalid "authentication" --- doc/ns_gtls.html | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html index 46e2e238..46671f4a 100644 --- a/doc/ns_gtls.html +++ b/doc/ns_gtls.html @@ -24,6 +24,8 @@ described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
  • x509/fingerprint - certificate fingerprint authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
  • +
  • x509/certvalid +- certificate validation only
  • x509/name - certificate validation and subject name authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft @@ -31,8 +33,13 @@ described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft Note: "anon" does not permit to authenticate the remote peer. As such, this mode is vulnerable to man in the middle attacks as well as -unauthorized access. It is recommended NOT to use this mode.
    -
    +unauthorized access. It is recommended NOT to use this mode.

    +

    x509/certvalid is a nonstandard mode. It validates the remote +peers certificate, but does not check the subject name. This is +weak authentication that may be useful in scenarios where multiple +devices are deployed and it is sufficient proof of authenticy when +their certificates are signed by the CA the server trusts. This is +better than anon authentication, but still not recommended. Known Problems

    Even in x509/fingerprint mode, both the client and sever certificate currently must be signed by the same root CA. This is an @@ -48,4 +55,4 @@ Copyright Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

    - \ No newline at end of file + -- cgit
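Review bot: in the @@ -24,6 +24,8 @@ hunk, the new list entry "x509/certvalid - certificate validation only" should say that the mode is nonstandard, as the paragraph added later in this same patch does. The neighbouring entries (x509/fingerprint, x509/name) each cite draft-ietf-syslog-transport-tls-12, so a reader scanning the list will assume certvalid is in the draft too; suggest "x509/certvalid - certificate validation only (nonstandard mode, not defined in the IETF draft)".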
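Review bot: in the @@ -31,8 +33,13 @@ hunk, the x509/certvalid paragraph has two spelling errors and could state its security boundary more plainly. "peers certificate" should read "peer's certificate" and "authenticy" should read "authenticity". On substance, "does not check the subject name" deserves one explicit sentence on the consequence: because only the chain to the trusted CA is verified, every certificate that CA has issued is accepted as a valid peer, so the mode is only meaningful when the trusted CA issues certificates to the intended devices and to nobody else; suggest adding that to the sentence that already says the mode is "better than anon authentication, but still not recommended".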