
Why does the rsyslog server need a root certificate (CAFile)?
Hey,
in the documentation [1] on setting up TLS for rsyslog, the server example
has a section:

# certificate files
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$DefaultNetstreamDriverCertFile /path/to/contrib/gnutls/cert.pem
$DefaultNetstreamDriverKeyFile /path/to/contrib/gnutls/key.pem

Why would a server (which is the receiving end for log events) need to know
what certificate signatures it trusts?

The only thing that comes to mind is to be able to reject logs from machines
that haven't been signed by the CA...

Be Well,
Alan

[1] https://github.com/rsyslog/rsyslog-doc/blob/v8-stable/source/tutorials/tls.rst
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Why does the rsyslog server need a root certificate (CAFile)?
On Thu, Jan 17, 2019 at 6:41 AM Alan Martinovic
<alan.martinovic@senic.com> wrote:
> Why would a server (which is the receiving end for log events) need to know
> what certificate signatures it trusts?

The configuration is not necessarily to configure what signatures it
trusts. Presenting the CA chain of authority is part of the TLS
handshake protocol.
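Added example, not part of this thread and not rsyslog's own code: a POSIX shell script that uses the openssl CLI to create two throwaway CAs, issue a sender certificate from each, and run the two checks a receiver configured with `$DefaultNetstreamDriverCAFile` and an x509 auth mode (the tutorial's `$InputTCPServerStreamDriverAuthMode x509/name` together with `$InputTCPServerStreamDriverPermittedPeer`) performs on a connecting sender: chain validation against the CA file, then a match of the certificate name against the permitted-peer pattern. The CA names, hostnames and the `*.example.net` pattern are constructed for the demo; the key/cert files are written to a temporary directory and deleted on exit.

```shell
#!/bin/sh
# Added example: what a log receiver can do with its CA file beyond sending its
# own chain in the handshake. Two CAs are built ("trusted" is the one the
# receiver would point $DefaultNetstreamDriverCAFile at, "rogue" is not), a
# sender cert is issued from each, and the receiver-side checks are applied.
set -eu

WORK="$(mktemp -d)"            # throwaway directory for all demo key material
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + cert in $WORK/NAME-ca.key / NAME-ca.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
        -subj "/CN=$1 demo CA" >/dev/null 2>&1
}

# issue_cert CA HOST: key + CA-signed cert for HOST in $WORK/HOST.key / HOST.pem
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -sha256 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_peer CA HOST: the chain check. Prints "accepted" when HOST's cert
# chains to the CA file the receiver trusts, "rejected" otherwise.
verify_peer() {
    if openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# peer_cn HOST: the name the receiver would compare against its permitted peers
peer_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" \
        | sed 's/^subject=CN=//'
}

# permitted NAME: the name check, mirroring a wildcard PermittedPeer entry
# of "*.example.net" (pattern constructed for the demo). Prints yes/no.
permitted() {
    case "$1" in
        *.example.net) echo yes ;;
        *)             echo no  ;;
    esac
}

# Build the material: one CA the receiver trusts, one it does not.
make_ca trusted
make_ca rogue
issue_cert trusted sender1.example.net   # legitimate sender
issue_cert rogue   sender2.example.net   # same naming, but signed elsewhere

# Receiver's decision for each sender: chain first, then name.
for host in sender1.example.net sender2.example.net; do
    chain="$(verify_peer trusted "$host")"
    name="$(peer_cn "$host")"
    echo "$host: chain=$chain name=$name permitted=$(permitted "$name")"
done
```

The chain check is the part that needs the CA file: without it the receiver has no anchor to validate a sender's certificate against, so a certificate from the "rogue" CA with a perfectly good `*.example.net` name would pass the name check alone. With `x509/name` the receiver applies both; with the tutorial's anonymous mode it applies neither and the CA file only serves the handshake-chain role mentioned in the reply.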