syslog-ng / syslog-ng

syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, queueing, SQL & NoSQL.
https://www.syslog-ng.com

Add macro for certificate fingerprint #4978

Open dseomn opened 1 month ago

dseomn commented 1 month ago

Description of the problem

I'd like to add metadata to logs from different clients based on which certificate they used to connect.

Proposed solution

Add a new ${.tls.x509} macro with the fingerprint of the certificate. Ideally something more secure than sha-1, see #4976.

For performance reasons, it might make sense to only add that if trusted-keys() is used. For security reasons, it probably makes sense to add that from the exact same calculation that's used to check trusted-keys().

Alternatives

I'm pretty sure I can use .tls.x509_cn since I control the certificates, instead of adding the metadata I want based on the fingerprint. But fingerprints are easier to work with, since I don't have to trust that the host that generated the certificate put the right thing in the CN field.

Additional context

None I can think of.

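As an added illustration, not syslog-ng code and not part of the issue author's post: a small Python model of what the proposed fingerprint macro would compute (a hash over the certificate's DER bytes, SHA-256 rather than SHA-1) and why a trusted-keys()-style check should reuse exactly that calculation. The helper names, the OpenSSL-style colon-separated formatting and the PEM blobs below are assumptions of this example; the blobs are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import hmac
import re

# Hypothetical helpers (not syslog-ng's implementation). A certificate
# fingerprint is a digest of the DER encoding, so these work on any
# CERTIFICATE PEM block without parsing the ASN.1 inside it.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes the fingerprint covers."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # line breaks do not change the DER
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Upper-case, colon-separated digest, as `openssl x509 -fingerprint` prints it."""
    if algo not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported fingerprint algorithm: " + algo)
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_trusted(pem: str, trusted: list, algo: str = "sha256") -> bool:
    """trusted-keys()-style check: recompute with the same algorithm the trusted
    list was built with and compare in constant time. Deriving the logged macro
    value from this same call guarantees the two can never disagree."""
    fp = fingerprint(pem, algo)
    return any(hmac.compare_digest(fp, t.upper()) for t in trusted)


# Constructed sample inputs (not real certificates): the same payload once on
# one line and once re-wrapped, plus a different client's payload.
_BODY_A = base64.b64encode(b"constructed-der-bytes-for-client-A").decode()
_BODY_B = base64.b64encode(b"constructed-der-bytes-for-client-B").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY_A}\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_WRAPPED = ("-----BEGIN CERTIFICATE-----\n" + _BODY_A[:20] + "\n"
                      + _BODY_A[20:] + "\n-----END CERTIFICATE-----\n")
OTHER_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY_B}\n-----END CERTIFICATE-----\n"
```

A SHA-1 value in the trusted list never matches a SHA-256 computation, which is the practical reason the macro and the trust check must share one digest algorithm.
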
bazsi commented 3 weeks ago

I have implemented and lightly tested the implementation in the referenced PR.