tls.permittedPeer
Restricts accepted clients to the listed certificate fingerprints or wildcard names.
This parameter applies to imrelp: RELP Input Module.
- Name: tls.permittedPeer
- Scope: input
- Type: array
- Default: input=none
- Required?: no
- Introduced: Not documented
Description
The tls.permittedPeer setting places access restrictions on this listener.
Only peers listed in this parameter may connect. The certificate presented by
the remote peer is used for this validation.
The parameter lists permitted certificate fingerprints. It is an array parameter, so either a single fingerprint or multiple fingerprints can be listed. When a non-permitted peer connects, the refusal is logged together with the fingerprint of the certificate it presented. If the administrator knows the connection attempt was legitimate, they can add that fingerprint to rsyslog.conf simply by copying it from the log file.
To specify multiple fingerprints, enclose them in square brackets like this:
tls.permittedPeer=["SHA1:...1", "SHA1:....2"]
To specify just a single peer, you can either give the string directly or
enclose it in square brackets. You may also use wildcards to match a larger
number of permitted peers, e.g. *.example.com.
When using wildcards to match a larger number of permitted peers, be aware that
the implementation follows the rules of RFC 5425 (TLS transport mapping for
syslog): the wildcard matches any single left-most DNS label in the peer name.
That is, the subject *.example.com matches the names a.example.com and
b.example.com, but does not match example.com or a.b.example.com.
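The following is an added illustration of the authorization decision described above, not code from rsyslog itself. It models a tls.permittedPeer array as a Python list, treats entries containing a colon (such as "SHA1:...") as fingerprints and all other entries as names, and applies the RFC 5425 single-label wildcard rule; the PeerCert structure, the is_permitted function and the sample fingerprints are constructed for this example.

```python
"""Illustrative peer-authorization check modelled on tls.permittedPeer semantics.

Added example, not rsyslog's own implementation. Assumptions: a permitted entry
is a fingerprint when it contains ':' (e.g. "SHA1:..."), otherwise it is a
(possibly wildcarded) DNS name; names are compared case-insensitively.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCert:
    """Constructed stand-in for the certificate fields that matter here."""
    fingerprint: str            # as rsyslog would print it in the refusal log line
    names: tuple[str, ...] = ()  # DNS names the peer certificate presents


def _norm_fp(fp: str) -> str:
    """Normalise a fingerprint string so case and stray whitespace do not matter."""
    return fp.strip().upper().replace(" ", "")


def _wildcard_matches(pattern: str, name: str) -> bool:
    """RFC 5425-style match: '*' stands for exactly one left-most DNS label.

    '*.example.com' matches 'a.example.com' but neither 'example.com'
    nor 'a.b.example.com'. A pattern without a leading '*.' must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                 # ".example.com"
    if not name.endswith(suffix):
        return False
    first_label = name[: -len(suffix)]   # what the '*' would have to cover
    # must be exactly one non-empty label: rejects "" and "a.b"
    return bool(first_label) and "." not in first_label


def is_permitted(peer: PeerCert, permitted: str | list[str]) -> tuple[bool, str]:
    """Decide whether a connecting peer is allowed; returns (accepted, log message).

    `permitted` mirrors the tls.permittedPeer value: a single string or an array.
    """
    entries = [permitted] if isinstance(permitted, str) else list(permitted)
    fp = _norm_fp(peer.fingerprint)
    for entry in entries:
        if ":" in entry:                              # fingerprint entry
            if _norm_fp(entry) == fp:
                return True, f"peer accepted: fingerprint matched {entry}"
        else:                                         # name or wildcard entry
            for name in peer.names:
                if _wildcard_matches(entry, name):
                    return True, f"peer accepted: name {name} matched {entry}"
    # the refusal carries the fingerprint so an admin can copy it into the config
    return False, f"peer refused: fingerprint {peer.fingerprint} not in tls.permittedPeer"


if __name__ == "__main__":
    # constructed sample configuration and peers
    allowed = ["SHA1:0123456789ABCDEF0123456789ABCDEF01234567", "*.example.com"]
    for peer in (
        PeerCert("sha1:0123456789abcdef0123456789abcdef01234567"),
        PeerCert("SHA1:FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000", ("a.example.com",)),
        PeerCert("SHA1:FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000", ("example.com",)),
        PeerCert("SHA1:FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000", ("a.b.example.com",)),
    ):
        print(is_permitted(peer, allowed)[1])
```

The refusal message deliberately includes the presented fingerprint, mirroring the documented behaviour that lets an administrator copy a legitimate peer's fingerprint from the log into rsyslog.conf.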
Input usage
input(type="imrelp" port="2514"
tls="on"
tls.permittedPeer=["SHA1:0123456789ABCDEF0123456789ABCDEF01234567"])
See also
See also imrelp: RELP Input Module.
© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.