[syslog-ng] SSL certificate verification

Peter Eckel lists at eckel-edv.de
Wed Mar 9 00:35:26 CET 2011


Hi Baszi, 

> I'm not sure I followed you correctly, but the syslog-ng server has no
> information about the client name, only its IP address, which usually
> doesn't match anything in the X.509 certificate. (although I know that a
> subjectAltName can be specified with type iPADDr),

that would be one option I had in mind. The other one would be to reverse-lookup the host name and try to match the result against the CN. 

> but that's usually missing.

Since I create the certificates myself and control all the hosts logging to the central server, I could easily include the IP as well as some alternative form of host name (FQDN vs. simple).

> You could use the trusted_dn() option to specify which client DNs a given server accepts, but that could mean that you need separate ports for each client.

You're right, that's not an option. 

> What do you expect syslog-ng to behave in this case?

As you already suggested: 

- try to lookup the host name and match the result against the CN or some subjectAltName
- try to match the IP against some subjectAltName 
- fail if the client cannot provide any certificate proving his identity.

I just did some tests aiming to prove that stunnel does it exactly like that ... unfortunately this wasn't possible, as stunnel obviously follows the same logic Syslog NG does, and so I didn't prove anything except that my own assumption was wrong. But I still think it would be feasible and a very useful functionality, too. 

Thank you very much and best regards, 

  Peter.
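The three acceptance rules listed in the message (PTR name against CN or dNSName SAN, peer IP against iPAddress SAN, reject if no certificate) as an added example; this is not code from syslog-ng or from the poster. The ClientCert class is a constructed stand-in for the identity fields of a parsed X.509 certificate, and the resolver argument is injected so the logic can be exercised without live DNS.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Constructed stand-in for the identity fields a parsed client certificate
# exposes; in a real log server these come from the certificate presented in
# the TLS handshake.
class ClientCert:
    def __init__(self, cn: str, san_dns: Iterable[str] = (), san_ip: Iterable[str] = ()):
        self.cn = cn.lower().rstrip(".")
        self.san_dns = [d.lower().rstrip(".") for d in san_dns]
        # ipaddress objects so "2001:db8::1" and "2001:0db8:0:0::1" compare equal
        self.san_ip = [ipaddress.ip_address(i) for i in san_ip]

def reverse_lookup(ip: str) -> Optional[str]:
    """Default resolver: PTR lookup of the peer address, None when it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def peer_matches_cert(peer_ip: str, cert: Optional[ClientCert],
                      resolver: Callable[[str], Optional[str]] = reverse_lookup) -> bool:
    """Accept the peer only if its certificate proves the identity of the
    address it connected from. Returns True to accept, False to reject."""
    # Rule 3: a client that presents no certificate proves nothing.
    if cert is None:
        return False
    # Rule 2: the peer address is listed as an iPAddress subjectAltName.
    addr = ipaddress.ip_address(peer_ip)
    if addr in cert.san_ip:
        return True
    # Rule 1: reverse-lookup the peer and compare the result with CN / dNSName SANs.
    name = resolver(peer_ip)
    if not name:
        return False
    name = name.lower().rstrip(".")
    candidates = [cert.cn] + cert.san_dns
    # The message mentions issuing either the FQDN or the simple host name, so
    # accept the short label too. Only sound when, as here, one operator issues
    # every certificate and controls the reverse zone.
    short = name.split(".", 1)[0]
    return name in candidates or short in candidates
```

A PTR record is controlled by whoever runs the reverse zone, so a production version should also forward-resolve the returned name and require the peer address to appear in that answer before trusting rule 1.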
