In bringing up a remote hekad instance on untrusted networks, I'm looking into client certs and how to get authentication working.
Even creating the right type of cert w/ the correct extensions has been a challenge. I finally found some info on the necessary openssl invocations: https://github.com/coreos/etcd/issues/209#issuecomment-25945639

So with RequireAndVerifyClientCert, will hekad actually authenticate somehow or just check the validity of the client cert and that x509.ExtKeyUsageClientAuth is set in ExtKeyUsage[]? Is there something I'm missing about how it will actually restrict to a specific CN, or can it require a shared intermediary? Also, how would one convey a CRL to hekad so as to clean up after any compromised private keys?

Apologies if I've misused any of these terms; I'm pretty ignorant WRT SSL/TLS. I know just enough to be dangerous.
_______________________________________________
Heka mailing list: https://mail.mozilla.org/listinfo/heka

