[Help-gnutls] Re: [OT] a big thanks - GnuTLS now driving world's first syslog-transport-tls implementation

Simon Josefsson simon at josefsson.org
Wed May 28 18:43:33 CEST 2008

"Rainer Gerhards" <rgerhards at gmail.com> writes:

> Hi folks,
> I would like to say a big thank you! Thanks to your excellent help
> (and well-designed API), I have been able to complete the world's
> first implementation of ietf-syslog-transport-tls-12.

Cool!  I've added a link to rsyslog at:


> There is one thing dangling, and that is the callback I would like to
> have for certificate validation during the handshake. However, I will
> look into providing a patch if that turns out to become a real
> problem.

Thanks.  If other protocols turn out to use leap-of-faith
fingerprint-validation in the TLS handshake, we should provide a
callback for this.  However, there are some tricky issues here, and I'd
like to see this vetted by the IETF process somewhat more.  If nobody
believes that using TLS in this way is problematic, I guess we should
support that mode.

> Please note that I have chosen GnuTLS over NSS because of its much
> better documentation (at least for non-Netscape stand alone projects).
> What I did not know at the time I made the decision was the ultra-fast
> speed with which you provided support on the mailing list. This is an
> even better feature :)

Heh. :)

Btw, NSS is not widely ported to various embedded platforms (e.g.,
openwrt), and rsyslog with the TLS transport seems rather appropriate to
use on such devices.

> I know all of this is quite off-topic, but I thought it should still
> be said ;)

Thanks for your kind words, it helps when I need to find motivation for

> If you are interested, you may have a look at my implementation report:
> http://blog.gerhards.net/2008/05/syslog-transport-tls-12-implementation.html


