> From: "David Lang" <[email protected]>
> Date: 04/04/16 14:56
> rsyslog just uses whatever gnutls does by default. It doesn't try to be fancy,
> it just does a minimal wrapper around its normal communications.

The background to this is the observance of the NSA NIAP requirements when using secure remote syslogging, namely:

FIA_X509_EXT.1.1 The unit shall validate certificates in accordance with the following rules:

RFC 5280 certificate validation and certificate path validation (e.g. X.509)

The unit shall validate the extendedKeyUsage field according to the following rules:
[...]
* Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.

This prevents the use of any certificate.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
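The extendedKeyUsage rule quoted in the message above, as an added example that is not part of the original post and is not rsyslog or GnuTLS code. It assumes the caller has already extracted the DER value of the extension from the peer certificate; the function names are hypothetical, and treating a missing extension as a failure is an assumption based on the "shall have" wording.

```python
# Added example. Input: DER bytes of the extendedKeyUsage extension value
# (ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER, RFC 5280).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp 1, the OID quoted in the message

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    pos += 2
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 OID arcs into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    top = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))

def eku_oids(ext_value):
    """Return the key-purpose OIDs listed in an EKU extension value."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids

def server_cert_acceptable(ext_value):
    """Assumption: a missing (None) or unparsable EKU fails closed."""
    try:
        return ext_value is not None and SERVER_AUTH in eku_oids(ext_value)
    except ValueError:
        return False

# Constructed sample (hand-encoded DER, not taken from a real certificate)
SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
```

A certificate whose EKU lists only clientAuth (`...0302`) or that carries no EKU at all is rejected by `server_cert_acceptable`, which is the behaviour the quoted requirement asks of the TLS client side.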

