TLS.AuthMode

Chooses the mutual authentication mode (fingerprint or name) for TLS.

This parameter applies to omrelp: RELP Output Module.

Name: TLS.AuthMode

Scope: input

Type: string

Default: input=none

Required?: no

Introduced: at least 7.0.0, possibly earlier

Description

Sets the mode used for mutual authentication. Supported values are “fingerprint” and “name”. Fingerprint mode works the way SSH does: it does not require a full PKI, so self-signed certificates can be used on all peers. Even if a CA certificate is given, the peer certificate is NOT validated against it; only the certificate fingerprint counts.

In “name” mode, the peer certificate is validated. The permitted names are matched against the certificate’s subjectAltName and, as a fallback, the subject common name. If the certificate contains multiple names, a match on any one of them is sufficient and permits the peer to talk to rsyslog.

The permitted names or fingerprints are configured via TLS.PermittedPeer.

Input usage

action(type="omrelp" target="centralserv" tls.authMode="fingerprint")
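The two modes side by side, as an added example that is not part of the rsyslog documentation. It shows what each mode needs alongside tls.authMode. Assumptions: the port, all file paths and the peer name are hypothetical, and the fingerprint is a placeholder whose "SHA1:" prefix form should be checked against your librelp version.

```rsyslog
module(load="omrelp")

# Use ONE of the two actions below; they are alternatives.

# Variant A: fingerprint mode.
# Works with self-signed certificates. No tls.caCert is needed, and one
# would not be used for validation anyway: only the pinned fingerprint
# in tls.permittedPeer decides whether the server is accepted.
# The fingerprint below is a placeholder, not a real value.
action(type="omrelp" target="centralserv" port="2514"
       tls="on"
       tls.myCert="/etc/rsyslog.d/tls/client-cert.pem"
       tls.myPrivKey="/etc/rsyslog.d/tls/client-key.pem"
       tls.authMode="fingerprint"
       tls.permittedPeer=["SHA1:<FINGERPRINT-OF-CENTRALSERV-CERT>"])

# Variant B: name mode.
# The server certificate is validated against the CA in tls.caCert, then
# its subjectAltName (fallback: subject common name) must match one of
# the entries in tls.permittedPeer.
action(type="omrelp" target="centralserv" port="2514"
       tls="on"
       tls.caCert="/etc/rsyslog.d/tls/ca.pem"
       tls.myCert="/etc/rsyslog.d/tls/client-cert.pem"
       tls.myPrivKey="/etc/rsyslog.d/tls/client-key.pem"
       tls.authMode="name"
       tls.permittedPeer=["centralserv.example.net"])
```

In fingerprint mode, replacing the server certificate changes its fingerprint, so every sender's tls.permittedPeer list has to be updated at the same time; in name mode a reissued certificate with the same name from the same CA keeps working.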

See also

See also omrelp: RELP Output Module.



© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.