On Mon, 4 Apr 2016, jonetsu wrote:
From: "David Lang" <[email protected]>
Date: 04/04/16 14:56
rsyslog just uses whatever gnutls does by default. It doesn't try to be fancy,
it just does a minimal wrapper around its normal communications.
The background to this is the observance of the NSA NIAP requirements when
using secure remote syslogging, namely:
FIA_X509_EXT.1.1 The unit shall validate certificates in
accordance with the following rules:
RFC 5280 certificate validation and certificate path validation (e.g. X.509)
The unit shall validate the extendedKeyUsage field according to
the following rules:
[...]
* Server certificates presented for TLS shall have the Server
Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in
the extendedKeyUsage field.
This prevents the use of any certificate.
Well, does gnuTLS do this checking for all certs? If so, rsyslog does it; if
not, rsyslog doesn't go to the extra effort of doing the checking.
However, patches to implement additional features/checking in the encryption
layer would be welcome.
David Lang
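The check jonetsu is asking about, as an added example that is not part of the thread and not rsyslog or GnuTLS code: a Go program that mints three constructed self-signed certificates (serverAuth EKU, clientAuth EKU, no EKU extension at all), runs RFC 5280 path validation against a constructed root pool, and then applies the quoted FIA_X509_EXT.1.1 rule literally by requiring id-kp-serverAuth (1.3.6.1.5.5.7.3.1) to be present in extendedKeyUsage. The function names, the three labels and the throwaway certificates are all assumptions of this example. The caveat it shows is the one a receiver operator should know: most TLS stacks (Go's x509.Verify included) treat a missing EKU extension as "any purpose", so the strict reading of the requirement needs an explicit check in addition to ordinary chain validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HasServerAuthEKU applies the quoted rule literally: the certificate must
// carry an extendedKeyUsage extension that lists id-kp-serverAuth
// (1.3.6.1.5.5.7.3.1). A certificate with no EKU extension fails, and so does
// one that only carries anyExtendedKeyUsage, because neither names the
// Server Authentication purpose explicitly.
func HasServerAuthEKU(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// CheckForSyslogTLS is the receiver-side acceptance check (hypothetical name):
// first RFC 5280 path validation against the supplied roots, then the explicit
// EKU rule. Note that Verify alone accepts a leaf with no EKU extension, which
// is why the second check is needed for the strict reading of the requirement.
func CheckForSyslogTLS(leaf *x509.Certificate, roots *x509.CertPool) error {
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if !HasServerAuthEKU(leaf) {
		return fmt.Errorf("certificate lacks id-kp-serverAuth in extendedKeyUsage")
	}
	return nil
}

// newSelfSigned mints a constructed, throwaway self-signed certificate with
// the given extended key usages; nil means no EKU extension is emitted.
func newSelfSigned(cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo runs the check over three constructed certificates and returns, per
// label, the error text ("" means the certificate was accepted).
func Demo() (map[string]string, error) {
	cases := map[string][]x509.ExtKeyUsage{
		"serverAuth": {x509.ExtKeyUsageServerAuth}, // accepted
		"clientAuth": {x509.ExtKeyUsageClientAuth}, // rejected by path validation
		"noEKU":      nil,                          // passes Verify, rejected by the EKU rule
	}
	out := make(map[string]string)
	for label, ekus := range cases {
		cert, err := newSelfSigned(label, ekus)
		if err != nil {
			return nil, err
		}
		roots := x509.NewCertPool()
		roots.AddCert(cert) // the constructed cert is its own trust anchor here
		if err := CheckForSyslogTLS(cert, roots); err != nil {
			out[label] = err.Error()
		} else {
			out[label] = ""
		}
	}
	return out, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, label := range []string{"serverAuth", "clientAuth", "noEKU"} {
		if results[label] == "" {
			fmt.Printf("%-11s accepted\n", label)
		} else {
			fmt.Printf("%-11s rejected: %s\n", label, results[label])
		}
	}
}
```

The "noEKU" case is the interesting one for this thread: path validation succeeds, so a receiver that relies on the TLS library's default verification alone would accept the certificate, while the quoted requirement says it should be refused.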
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.