On Wed, Apr 16, 2014 at 7:47 PM, Lindblom, Brian R. <[email protected]> wrote:

> I'm sure the rsyslog devs are aware, but librelp-1.2.5-2 in the Adiscon
> EPEL6 repository has certificate auth disabled for TLS since it expects
> gnutls_certificate_verify_function to be present which doesn't show up
> until gnutls 2.10.x. RHEL is gnutls 2.8. Verification is still possible
> pre 2.10, just not via gnutls_certificate_set_verify_function. Does this
> mean that I'm stuck with anonymous TLS unless I compile a new gnutls and
> recompile rsyslog and deps?
>
> I could have also misread the situation :)
>
> Is this intended? Would a patch to enable this for pre-gnutls 2.10.x be
> useful?

Note that there is a subtle issue: in older versions, you need to *accept* the connection request, and can verify only after this has happened. This causes issues with the retry logic, as it looks like the connection was successful (and only later terminated due to some temporary glitch). So a proper patch would need to change the API usage AS WELL AS provide an extension to the RELP protocol with something like STARTTLS, where the peers knowingly exchange certs etc. and can provide a specific return state if the certs do not match. That's a prime reason why we insist on the new GnuTLS API, which does not have this issue.

Rainer

> Thanks,
>
> Brian R. Lindblom
> HPC Systems Administrator
> National Center for Computational Sciences
> Oak Ridge National Laboratory
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
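The practical consequence of the exchange above is that on a host whose GnuTLS predates 2.10 (RHEL 6 ships 2.8), a librelp built against it silently runs RELP over TLS without authenticating the peer. The script below is an added example, not code from the thread or from the rsyslog/librelp projects: it checks whether the installed GnuTLS is at least 2.10, and whether a given libgnutls shared object actually exports gnutls_certificate_set_verify_function, which is the symbol librelp's certificate authentication depends on. It assumes pkg-config and binutils' nm are available; the library path passed to the symbol check is whatever your distribution installs (for example /usr/lib64/libgnutls.so.26).

```shell
#!/bin/sh
# Added example: detect whether this host's GnuTLS is new enough for
# librelp to verify peer certificates during the TLS handshake.
# Not part of the mailing-list thread or of librelp/rsyslog.

# Return 0 if the dotted version in $1 is >= 2.10.0, 1 otherwise.
# Handles short versions ("2") and suffixes ("2.10a") defensively.
gnutls_has_verify_function() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    # -s suppresses output when there is no '.' at all, so "2" yields minor=""
    minor=$(printf '%s' "$ver" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    if [ -z "$major" ]; then
        return 1
    fi
    if [ -z "$minor" ]; then
        minor=0
    fi
    if [ "$major" -gt 2 ]; then
        return 0
    fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]; then
        return 0
    fi
    return 1
}

# Return 0 if the shared object in $1 exports the verify-function API.
# This is the definitive check: it inspects the library librelp will load.
libgnutls_exports_verify_function() {
    nm -D "$1" 2>/dev/null | grep -q ' T gnutls_certificate_set_verify_function$'
}

# Report on the running host. Exit status 2 means GnuTLS was not found.
check_host() {
    ver=$(pkg-config --modversion gnutls 2>/dev/null) || {
        echo "gnutls not found via pkg-config"
        return 2
    }
    if gnutls_has_verify_function "$ver"; then
        echo "GnuTLS $ver: librelp can reject unverified peers inside the handshake"
        return 0
    fi
    echo "GnuTLS $ver: older than 2.10, librelp falls back to anonymous TLS (no peer authentication)"
    return 1
}

# Usage: sh check_gnutls.sh --host            (version check via pkg-config)
#        sh check_gnutls.sh --lib /path/to/libgnutls.so
case "${1:-}" in
    --host) check_host ;;
    --lib)
        if libgnutls_exports_verify_function "$2"; then
            echo "$2 exports gnutls_certificate_set_verify_function"
        else
            echo "$2 does NOT export gnutls_certificate_set_verify_function"
        fi
        ;;
esac
```

The version test is a quick triage; the symbol test is what actually matters, because a vendor backport could in principle ship the API under an older version string. Either way, a negative result means the RELP TLS sessions on that host are encrypted but not authenticated, which is the condition Brian describes.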

