Hi,
On 08/14/2018 03:07 PM, Stephan Seitz wrote:
> But this doesn't work. The server is requesting a client certificate.
> Okay, the client has one for its web server, but it seems I have to
> configure TLS.permittedpeer for the server as well.
> This means:
> - Every client needs a certificate which is simply not the case, and
> with hundreds of VMs no one is going to do this work. And these
> available certificates are only permitted for server uses, not for
> client authentication.

I haven't checked, but it could be that these certificate extensions
aren't used by librelp, in which case this might be your solution.

> - Every client has to be part of TLS.permittedpeer (okay, maybe I can
> use *.domain here).

*.domain should work

> In the end I want to have a client-server configuration like you have
> for a web server. The client checks the server certificate, but no
> client certificate is needed. Is this possible?

I believe with imrelp (technically: librelp) what you're describing is
not possible. This is also mentioned in an issue on github:
https://github.com/rsyslog/rsyslog/issues/435#issuecomment-326820750
If encryption is more important than reliability, I suppose an
alternative is using imtcp with a suitable netstream driver, like in
https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html.
regards,
Lennard Klein
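As an added illustration of the imtcp alternative mentioned in the reply above (not a configuration from this thread or from the rsyslog project's own docs), here is a receiver/sender pair in which the receiver uses the gtls netstream driver with anonymous client authentication, so VMs need no certificate, while each client still verifies the receiver's certificate against the CA and its name. Certificate paths, the hostname logserver.example.com and port 6514 are assumed placeholders; it also assumes, as I understand the gtls driver, that a receiver in "anon" mode still presents its own certificate to clients.

```conf
# --- Receiver (log server): imtcp + gtls, no client certificate requested ---
# Assumed paths; gtls expects a CA file to be set even though clients are
# not authenticated here.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
# Mode 1 = TLS only (plain TCP is refused); AuthMode anon = clients are
# not asked for a certificate, which is the "like a web server" behaviour.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="anon")
input(type="imtcp" port="6514")

# --- Sender (one of the VMs): verify the receiver's certificate only ---
# Only the CA file is needed on the client; no client cert or key.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
)
# x509/name checks the server cert chain against the CA and requires the
# certificate name to match StreamDriverPermittedPeers. The disk-assisted
# queue and unlimited retries buffer messages while the receiver is down,
# which partly offsets the reliability given up by not using RELP.
action(type="omfwd"
       target="logserver.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logserver.example.com"
       queue.type="LinkedList"
       queue.filename="fwd_tls"
       action.resumeRetryCount="-1")
```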
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog