[stunnel-users] EXTERNAL: Re: Certificates

Bucci, David G david.g.bucci at lmco.com
Fri Sep 16 16:46:33 CEST 2011


J. Bern - just curious - is syslogging over stunnel less stable for some reason, or does it exacerbate the reliability problem mentioned in the manpage?  IOW, if you're satisfied with your syslog processing today, will layering in stunnel make anything worse?

Neither RELP nor gssapi auth provide encryption for syslog traffic, iirc ... if you're truly worried about snooping on syslog traffic, not sure how they would help. Seems to me they're orthogonal issues. No?

-----Original Message-----
From: stunnel-users-bounces at stunnel.org [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Jochen Bern
Sent: Friday, September 16, 2011 4:40 AM
To: Cary Corse
Cc: stunnel-users at stunnel.org
Subject: EXTERNAL: Re: [stunnel-users] Certificates

On 09/15/2011 04:09 PM, Cary Corse wrote:
> I'm trying to use stunnel to connect to a secure server for syslogging.
> I have a certificate from the central logging server.  How do I load
> this into stunnel so that I can connect?

Step 1: Learn as much as possible about the central server, the features
of its software, and whether switching to another software might be an
option. Here's a snippet from the rsyslog.conf manpage that you might
find interesting:

> MODULES
>        imrelp Input  plugin  for  the  RELP  protocol. RELP can be used
>               instead of UDP or plain TCP syslog  to  provide  reliable
>               delivery  of  syslog messages. Please note that plain TCP
>               syslog does NOT provide truly reliable delivery, with  it
>               messages  may  be lost when there is a connection problem
>               or the server shuts down.  RELP prevents message loss  in
>               those cases.  It can be used like this:
>               $ModLoad imrelp
>               $InputRELPServerRun 2514
>        imgssapi
>               Input plugin for plain TCP and GSS-enable syslog

(Note: I don't have manpages for syslogd, syslog-ng, or any other
implementations at my fingertips right now.)

Evaluate your needs in terms of reliability and authentication, and if
the chosen solution still needs encryption on top (and is TCP based with
persistent connections ...), add stunnel to it.

Kind regards,
								J. Bern
-- 
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
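For readers landing on this thread with the same question as the original poster, here is an added example (not code from the thread, from stunnel or from rsyslog) of what "add stunnel to it" looks like on the client side: an stunnel client service that wraps rsyslog's plain-TCP forwarding in TLS and verifies the central server's certificate against the file obtained from it. The paths, hostname, port, service name and user/group are assumed placeholders; the option names are stunnel's own.

```ini
; Added example, not part of the original thread.
; /etc/stunnel/syslog-client.conf (assumed path) for an stunnel 4.x client.

; Drop privileges once the pidfile/log are writable by this user (assumed names).
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/syslog-client.pid
output = /var/log/stunnel4/syslog-client.log

; Trust anchor: the certificate obtained from the central logging server.
; If the server cert is self-signed, this file is that cert itself; if it was
; issued by a CA, put the issuing CA (chain) here rather than the leaf.
CAfile = /etc/stunnel/logserver.pem

; verify = 2: require a peer certificate AND check it against CAfile.
; verify = 1 only checks a cert if the peer happens to send one, and
; verify = 0 (the default) checks nothing at all, which leaves the tunnel
; open to any host that can complete a TLS handshake.
verify = 2

[syslog]
client = yes
; rsyslog on this host sends plain TCP to the loopback listener only;
; nothing unencrypted leaves the machine.
accept = 127.0.0.1:6514
; TLS-wrapped syslog listener on the central server (assumed hostname/port).
connect = logserver.example.org:6514

; Matching rsyslog.conf line (rsyslog syntax, "@@" = TCP, "@" would be UDP):
;   *.* @@127.0.0.1:6514
```

Two practical checks: restart stunnel and confirm the log shows the handshake succeeding rather than a verify error, and confirm `CAfile` really is the certificate of the host in `connect`, since `verify = 2` on its own only proves the peer chains to that file, not that it is the host you named; on stunnel 5.x, `verifyChain = yes` together with `checkHost = logserver.example.org` adds that hostname check. The reliability caveat from the quoted rsyslog manpage is unchanged by the tunnel: the segment inside stunnel is still plain TCP syslog, so messages in flight when the connection drops are still lost.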