Thanks, that steers me in the right direction. Lots more reading but it was exactly what I was looking for.

Evan.

On 5/29/20 9:55 AM, SZIGETVÁRI János wrote:

Dear Evan,

AFAIK when TLS is configured, syslog-ng behaves differently, depending on whether we are talking about a source or a destination.
A destination will perform subject CN checking to verify whether the server is who it claims to be.
In case of a source however no CN checking is performed, only the validity of the certificate and the certificate chain is checked, depending on the peer-verify() option.

Despite this, it is possible to define a list for the option trusted-dn() and/or trusted-keys() so that the source will only accept connections from clients with the specified certificate parameters (Distinguished Name - trusted-dn(), SHA-1 fingerprint - trusted-keys()).

Best Regards,
János
--


Evan Rempel <erempel@uvic.ca> ezt írta (időpont: 2020. máj. 29., P, 17:52):
We are starting to explore laptop logging which means that I have to
open up firewalls to public networks as the laptops are moved around. Is
there a way to ensure that only computers configured by my organization
are able to connect to or send logs to my log server?

I looked at "Mutual authentication using TLS" but if I understand that
correctly the client is required to have a IP/hostname that matches the
CN of the certificate.

I couldn't find other information but perhaps I am searching for the
wrong terms.

--
Evan