<div dir="ltr"><div>Dear Evan,</div><div><br></div><div>AFAIK when TLS is configured, syslog-ng behaves differently, depending on whether we are talking about a source or a destination.</div><div>A destination will perform subject CN checking to verify whether the server is who it claims to be.</div><div>In case of a source however no CN checking is performed, only the validity of the certificate and the certificate chain is checked, depending on the peer-verify() option.</div><div><br></div><div> Despite this, it is possible to define a list for the option trusted-dn() and/or trusted-keys() so that the source will only accept connections from clients with the specified certificate parameters (Distinguished Name - trusted-dn(), SHA-1 fingerprint - trusted-keys()).</div><div><br></div><div>Best Regards,</div><div>János<br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">--</div><div dir="ltr">Janos SZIGETVARI<br><span>RHCE, License no. <a href="https://www.redhat.com/rhtapps/verify/?certId=150-053-692" target="_blank">150-053-692</a></span><br></div><div dir="ltr"><span><br></span></div><div dir="ltr"><span>LinkedIn: <a href="http://linkedin.com/in/janosszigetvari" target="_blank">linkedin.com/in/janosszigetvari</a></span><br>__@__˚V˚<br>Make the switch to open (source) applications, protocols, formats now:<br>- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice<br>- msn -> jabber protocol (Pidgin, Google Talk)<br>- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> ezt írta (időpont: 2020. máj. 29., P, 17:52):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">We are starting to explore laptop logging which means that I have to <br>
open up firewalls to public networks as the laptops are moved around. Is <br>
there a way to ensure that only computers configured by my organization <br>
are able to connect to or send logs to my log server?<br>
<br>
I looked at "Mutual authentication using TLS" but if I understand that <br>
correctly the client is required to have a IP/hostname that matches the <br>
CN of the certificate.<br>
<br>
I couldn't find other information but perhaps I am searching for the <br>
wrong terms.<br>
<br>
-- <br>
Evan<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>