author | Rainer Gerhards <rgerhards@adiscon.com> | 2013-06-21 14:43:43 +0200 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2013-06-21 14:43:43 +0200 |
commit | f5910620e8b112b6ae08a5807598e6b95c097bc8 (patch) | |
tree | 195ab56f1289c74b0fe58626b1d866858ca8972c | |
parent | 50a64d30d89b9f2310f6bcaa82ddcc2498c25c23 (diff) | |
download | rsyslog-f5910620e8b112b6ae08a5807598e6b95c097bc8.tar.gz rsyslog-f5910620e8b112b6ae08a5807598e6b95c097bc8.tar.bz2 rsyslog-f5910620e8b112b6ae08a5807598e6b95c097bc8.zip |
doc: document tls.authMode parameter
-rw-r--r-- | doc/imrelp.html | 13 | ||||
-rw-r--r-- | doc/omrelp.html | 13 |
2 files changed, 26 insertions, 0 deletions
diff --git a/doc/imrelp.html b/doc/imrelp.html index dfc1cadb..4419cf6d 100644 --- a/doc/imrelp.html +++ b/doc/imrelp.html @@ -76,6 +76,19 @@ in braces like this: <br>To specify just a single peer, you can either specify the string directly or enclose it in braces. </li> +<li><b>tls.authMode</b> mode</br> +Sets the mode used for mutual authentication. Supported values are +either "<i>fingerprint</i>" or "<i>name"</i>. +<br>Fingerprint mode basically is what SSH +does. It does not require a full PKI to be present, instead self-signed +certs can be used on all peers. Even if a CA certificate is given, the +validity of the peer cert is NOT verified against it. Only the +certificate fingerprint counts. +<br>In "name" mode, certificate validation happens. Here, the matching +is done against the certificate's subjectAltName and, as a fallback, +the subject common name. If the certificate contains multiple names, +a match on any one of these names is considered good and permits the +peer to talk to rsyslog. <li><b>tls.prioritystring</b> (not mandatory, string)<br> This parameter permits to specify the so-called "priority string" to GnuTLS. This string gives complete control over all crypto parameters, diff --git a/doc/omrelp.html b/doc/omrelp.html index ecf9d1c3..a4208355 100644 --- a/doc/omrelp.html +++ b/doc/omrelp.html 
@@ -68,6 +68,19 @@ must be used. <br>To specify just a single peer, you can either specify the string directly or enclose it in braces. </li> + <li><b>tls.authMode</b> mode</br> + Sets the mode used for mutual authentication. Supported values are + either "<i>fingerprint</i>" or "<i>name"</i>. + <br>Fingerprint mode basically is what SSH + does. It does not require a full PKI to be present, instead self-signed + certs can be used on all peers. Even if a CA certificate is given, the + validity of the peer cert is NOT verified against it. Only the + certificate fingerprint counts. + <br>In "name" mode, certificate validation happens. Here, the matching + is done against the certificate's subjectAltName and, as a fallback, + the subject common name. If the certificate contains multiple names, + a match on any one of these names is considered good and permits the + peer to talk to rsyslog. <li><b>tls.prioritystring</b> (not mandatory, string)<br> This parameter permits to specify the so-called "priority string" to GnuTLS. This string gives complete control over all crypto parameters, |
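Review bot: in the imrelp.html hunk the new `<li>` for tls.authMode uses `</br>` after the parameter name, which is not a valid tag (`<br>` has no closing form); use `<br>` as the neighbouring tls.prioritystring entry does, and close the quoted value consistently as `"<i>name</i>"` rather than `"<i>name"</i>`. The entry also omits the type and default annotation that the surrounding parameters carry ("(not mandatory, string)"); since the two modes differ sharply in what is checked (fingerprint mode explicitly skips validation against the CA certificate), the reader needs to know which mode applies when tls.authMode is not set, and the fingerprint paragraph should say where the accepted fingerprints come from (presumably the permitted-peer entry documented just above). Likewise, "In name mode, certificate validation happens" should state what the chain is validated against before describing the subjectAltName and common-name matching.

Review bot: the omrelp.html hunk repeats the imrelp.html text verbatim, including the `</br>` and the misplaced closing quote in `"<i>name"</i>`, so the same markup fixes apply here; the added lines are also indented with a leading space unlike the rest of the list. Since the parameter semantics are identical on the client and server side, consider keeping one description and cross-referencing it from the other file so the two copies cannot drift apart when the default or the matching rules are later documented.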