<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Thanks, that steers me in the right
direction. Lots more reading but it was exactly what I was looking
for.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Evan.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 5/29/20 9:55 AM, SZIGETVÁRI János
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAJK_Yh8ZDVtm6=FWDy7JqfKHAF+6DfMsh3nC6CrZCzCDqZ1Hfg@mail.gmail.com"><br>
<div>
<div dir="ltr">
<div>Dear Evan,</div>
<div><br>
</div>
<div>AFAIK when TLS is configured, syslog-ng behaves
differently, depending on whether we are talking about a
source or a destination.</div>
<div>A destination will perform subject CN checking to verify
whether the server is who it claims to be.</div>
<div>In the case of a source, however, no CN checking is performed;
only the validity of the certificate and the certificate
chain is checked, depending on the peer-verify() option.</div>
<div><br>
</div>
<div>Despite this, it is possible to define a list for the
option trusted-dn() and/or trusted-keys() so that the source
will only accept connections from clients with the specified
certificate parameters (Distinguished Name - trusted-dn(),
SHA-1 fingerprint - trusted-keys()).</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>János<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Evan Rempel <<a
href="mailto:erempel@uvic.ca" moz-do-not-send="true">erempel@uvic.ca</a>>
wrote (on 29 May 2020, Fri, 17:52):<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
We are starting to explore laptop logging which means that I
have to <br>
open up firewalls to public networks as the laptops are
moved around. Is <br>
there a way to ensure that only computers configured by my
organization <br>
are able to connect to or send logs to my log server?<br>
<br>
I looked at "Mutual authentication using TLS" but if I
understand that <br>
correctly the client is required to have an IP/hostname that
matches the <br>
CN of the certificate.<br>
<br>
I couldn't find other information but perhaps I am searching
for the <br>
wrong terms.<br>
<br>
-- <br>
Evan</blockquote>
</div>
</div>
</blockquote>
<br>
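<p>A syslog-ng source configuration showing the options János describes (peer-verify(), trusted-dn(), trusted-keys()), added here as an illustration and not taken from the thread or from the syslog-ng project. The file paths, the organisation in the DN pattern and the fingerprint are constructed placeholders.</p>

```conf
# Constructed example: accept TLS connections only from laptops that
# present a client certificate issued by the organisation's own CA.
# Paths, DN values and the fingerprint below are placeholders.
source s_laptops_tls {
    network(
        ip("0.0.0.0")
        port(6514)
        transport("tls")
        tls(
            # Identity the log server presents to connecting laptops
            key-file("/etc/syslog-ng/cert.d/logserver.key")
            cert-file("/etc/syslog-ng/cert.d/logserver.crt")
            # Directory holding the CA that issued the laptop client
            # certificates (hashed file names, see c_rehash)
            ca-dir("/etc/syslog-ng/ca.d")
            # The client must present a certificate that chains to that CA.
            # As noted above, a source does not check the subject CN against
            # the client's IP/hostname, so roaming laptops are not a problem.
            peer-verify(required-trusted)
            # Further restrict by Distinguished Name; wildcards are allowed
            trusted-dn("*, O=Example Org, C=CA")
            # ...and/or pin individual client certificates by SHA-1 fingerprint
            # (obtain with: openssl x509 -noout -fingerprint -sha1 -in client.crt)
            trusted-keys("SHA1:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33")
        )
    );
};

destination d_laptops { file("/var/log/laptops.log"); };
log { source(s_laptops_tls); destination(d_laptops); };
```

<p>A laptop whose certificate validates against the CA but whose DN or fingerprint is not listed is rejected at the TLS handshake, which is visible in syslog-ng's own internal() log source.</p>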
</body>
</html>