Hi,

The -09- revision copied text directly from rfc2818 without modifying it to match the simplex operating environment of syslog, as compared to the duplex operating environment of HTTP.

I think this makes the text confusing since it is unclear what a "user-oriented" syslog would be. HTTP is often used in a "user-oriented" environment, such as with a web browser, so the following makes sense:

   If the hostname does not match the identity in the certificate, user oriented clients MUST either notify the user (clients MAY give the user the opportunity to continue with the connection in any case) or terminate the connection with a bad certificate error. Automated clients MUST log the error to an appropriate audit log (if available) and SHOULD terminate the connection (with a bad certificate error). Automated clients MAY provide a configuration setting that disables this check, but MUST provide a setting which enables it.

The syslog-tls text was changed from rfc2818 because the "user oriented" text of rfc2818 does not seem to make protocol sense for the simplex syslog, where you cannot "notify the user", so most of the first sentence was eliminated from the syslog draft:

   If the hostname (or IP address) does not match the identity in the certificate, the clients MUST terminate the connection with a bad certificate error. Clients MAY log the error to an appropriate audit log (if available) and SHOULD terminate the connection (with a bad certificate error).

The "user-oriented" and "automated client" conditionals were removed, and the user-oriented action was changed from "MUST notify or terminate" to simply "MUST terminate". The removal of the conditionals makes the actions unconditional. But the unconditional "MUST terminate" in the first sentence conflicts with the unconditional "SHOULD terminate" in the second sentence.

I recommend the following text, which is consistent with the automated client case in rfc2818:

   If the hostname (or IP address) does not match the identity in the certificate, the client MUST log the error to an appropriate audit log (if available) and SHOULD terminate the connection (with a bad certificate error).
(Note that changing "MAY log the error" (syslog-tls-08) to "MUST log the error" (rfc2818) makes little difference since there is an "if available" clause.)

David Harrington

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
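As an added illustration (not part of David Harrington's message, the syslog-tls draft, or rfc2818), the following Python sketch shows what the recommended wording means for an automated syslog client: the rfc2818 section 3.1 identity matching rules (dNSName SANs take precedence over the Common Name, '*' matches a single component or component fragment, an IP address must appear as an iPAddress SAN), followed by the proposed mismatch handling where logging to the audit log is mandatory when one is available and termination is the default. The `CertIdentity` type, the `audit_log` list and the `terminate_on_mismatch` setting are constructed for the example; a real client would read the identity fields from the parsed X.509 certificate.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity fields a client would read from
    the parsed server certificate (hypothetical type, not from any library)."""
    dns_names: list = field(default_factory=list)     # subjectAltName dNSName entries
    ip_addresses: list = field(default_factory=list)  # subjectAltName iPAddress entries
    common_name: str = ""                             # Subject CN, used only without dNSName SANs


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """rfc2818 section 3.1 rule: matching is case-insensitive and '*' matches
    any single domain-name component or component fragment, so '*.a.com'
    matches 'foo.a.com' but not 'bar.foo.a.com', and 'f*.com' matches
    'foo.com' but not 'bar.com'. The wildcard never crosses a dot."""
    pieces = [re.escape(piece) for piece in pattern.lower().rstrip(".").split("*")]
    regex = "[^.]*".join(pieces)
    return re.fullmatch(regex, hostname.lower().rstrip(".")) is not None


def cert_matches(expected: str, cert: CertIdentity) -> bool:
    """True if `expected` (a hostname or textual IP address) is one of the
    identities the certificate asserts."""
    try:
        addr = ipaddress.ip_address(expected)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP address identity must appear as an iPAddress SAN; it is never
        # matched against dNSName entries or the Common Name.
        return any(ipaddress.ip_address(ip) == addr for ip in cert.ip_addresses)
    if cert.dns_names:
        # rfc2818: when a dNSName SAN is present it must be used as the
        # identity and the Common Name is ignored.
        return any(dns_name_matches(p, expected) for p in cert.dns_names)
    return bool(cert.common_name) and dns_name_matches(cert.common_name, expected)


def check_server_identity(expected, cert, audit_log=None, terminate_on_mismatch=True):
    """Apply the recommended rule: on mismatch the client MUST log to the audit
    log if one is available and SHOULD terminate. `audit_log` is a list, or
    None when no audit log is available; `terminate_on_mismatch` is a
    hypothetical operator setting reflecting the latitude SHOULD gives.
    Returns (action, logged) with action 'ok', 'terminate' or 'continue'."""
    if cert_matches(expected, cert):
        return "ok", False
    logged = False
    if audit_log is not None:
        audit_log.append(
            f"bad certificate: identity {expected!r} not found in "
            f"dNSName={cert.dns_names} iPAddress={cert.ip_addresses} CN={cert.common_name!r}"
        )
        logged = True
    if terminate_on_mismatch:
        return "terminate", logged
    return "continue", logged


if __name__ == "__main__":
    # Constructed sample: a collector certificate with a wildcard SAN.
    cert = CertIdentity(dns_names=["*.example.net"], ip_addresses=["192.0.2.10"])
    log = []
    print(check_server_identity("collector.example.net", cert, log))  # ('ok', False)
    print(check_server_identity("a.b.example.net", cert, log))        # ('terminate', True)
    print(log[-1])
```

Note that with `audit_log=None` the function still returns 'terminate': the "if available" clause only relaxes the logging requirement, which is why the MAY-versus-MUST difference for logging matters so little in practice.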