Hi,

I'm OK with this proposal with two minor changes.
- rather than "(see below)" it should have "(see next paragraph)"
- remove parentheses from "(with a bad certificate error)" as that text is normative.

vv

If the hostname does not match the identity in the certificate,
clients SHOULD log the error in some form or another (see below),
and SHOULD terminate the connection (with a bad certificate error).
Clients MAY provide a configuration setting that disables this check
but MUST enable it by default.

The application developer must take some care to consider the case
when, for whatever reason, there is a problem with authenticating
the other end of the connection.  Since this problem will
prevent log messages from being transmitted, each device having this
program should use whatever means are available to inform the
administrator of the problem. This may include producing an error code
on a console, returning an error to a user (if there is one), or
writing a file to disk, being mindful that such writes should be
rate limited in the case of attacks.

^^

Thanks,
Chris

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
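To make the proposed behaviour concrete, here is an added example of a TLS syslog client written against the Go standard library. It is my own illustration, not code from Chris's message or from any syslog working group draft. The collector names collector.example and wrong.example, the AdminNotifier type, and the StartFakeCollector scaffolding (which mints a self-signed certificate and answers handshakes on loopback so the example runs offline) are all assumptions made for the demo; it needs Go 1.18 or later for the generic must helper. The client keeps the hostname check on unless an explicit flag turns it off, reports an authentication failure to the administrator through a rate-limited local channel, and abandons the connection. The opt-out flag skips only the name match, not chain validation, which is the caveat an implementer should carry over from the proposed text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// AdminNotifier is the local channel for "inform the administrator" when the log
// path itself is broken. It is rate limited so that repeated failures, which an
// attacker can provoke at will, cannot flood a console or fill a disk.
type AdminNotifier struct {
	mu      sync.Mutex
	MinGap  time.Duration    // minimum spacing between delivered notices
	Now     func() time.Time // clock: time.Now in production, injectable for tests
	last    time.Time
	Emitted []string // notices delivered (kept in memory in this demo)
	Dropped int      // notices suppressed by the rate limit
}

// Notify delivers msg unless a notice went out less than MinGap ago.
func (n *AdminNotifier) Notify(msg string) bool {
	n.mu.Lock()
	defer n.mu.Unlock()
	t := n.Now()
	if !n.last.IsZero() && t.Sub(n.last) < n.MinGap {
		n.Dropped++
		return false
	}
	n.last = t
	n.Emitted = append(n.Emitted, msg)
	return true
}

// DialCollector applies the proposed rules: the chain is always validated against
// roots; the certificate must match expectedName unless disableHostnameCheck (the
// operator's opt-out, false by default) is set; any authentication failure is
// reported locally and the connection abandoned (crypto/tls sends bad_certificate).
func DialCollector(addr, expectedName string, roots *x509.CertPool, disableHostnameCheck bool, n *AdminNotifier) (*tls.Conn, error) {
	tc := &tls.Config{ServerName: expectedName, RootCAs: roots, MinVersion: tls.VersionTLS12}
	if disableHostnameCheck {
		// Opting out of the name match must not opt out of chain validation, so
		// the chain is re-checked by hand with no DNSName constraint.
		tc.InsecureSkipVerify = true
		tc.VerifyConnection = func(cs tls.ConnectionState) error {
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, err := cs.PeerCertificates[0].Verify(opts)
			return err
		}
	}
	conn, err := tls.Dial("tcp", addr, tc)
	if err != nil { // a name mismatch surfaces here as an x509.HostnameError
		n.Notify(fmt.Sprintf("syslog collector %s could not be authenticated, connection terminated: %v", addr, err))
	}
	return conn, err
}

func must[T any](v T, err error) T { // demo helper: abort on scaffolding errors
	if err != nil {
		panic(err)
	}
	return v
}

// StartFakeCollector is demo scaffolding, not part of the proposal: it mints a
// self-signed certificate for dnsName and answers TLS handshakes on loopback.
func StartFakeCollector(dnsName string) (addr string, roots *x509.CertPool, stop func()) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	roots = x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(der)))
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), roots, func() { ln.Close() }
}
```

Dialling the fake collector as "wrong.example" fails with Go's x509.HostnameError, which is exactly the "hostname does not match the identity in the certificate" case; a second attempt inside MinGap is still refused but its notice is counted as Dropped rather than delivered. Dialling as "collector.example" succeeds, and with disableHostnameCheck set the mismatched name is tolerated while a collector signed by a different key is still rejected.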
