Rainer Gerhards | 28 May 10:12

[OT] a big thanks - GnuTLS now driving world's first syslog-transport-tls implementation

Hi folks,

I would like to say a big thank you! Thanks to your excellent help
(and well-designed API), I have been able to complete the world's
first implementation of ietf-syslog-transport-tls-12. There is one
thing dangling, and that is the callback I would like to have for
certificate validation during the handshake. However, I will look into
providing a patch if that turns out to become a real problem.

Please note that I have chosen GnuTLS over NSS because of its much
better documentation (at least for non-Netscape stand alone projects).
What I did not know at the time I made the decision was the ultra-fast
speed with which you provided support on the mailing list. This is an
even better feature :)

I know all of this is quite off-topic, but I thought it should still be said ;)

If you are interested, you may have a look at my implementation report:

http://blog.gerhards.net/2008/05/syslog-transport-tls-12-implementation.html

Keep up the good work :)
Rainer
Simon Josefsson | 28 May 18:43

Re: [OT] a big thanks - GnuTLS now driving world's first syslog-transport-tls implementation

"Rainer Gerhards" <rgerhards@gmail.com> writes:

> Hi folks,
>
> I would like to say a big thank you! Thanks to your excellent help
> (and well-designed API), I have been able to complete the world's
> first implementation of ietf-syslog-transport-tls-12.

Cool!  I've added a link to rsyslog at:

http://www.gnu.org/software/gnutls/programs.html

> There is one thing dangling, and that is the callback I would like to
> have for certificate validation during the handshake. However, I will
> look into providing a patch if that turns out to become a real
> problem.

Thanks.  If other protocols turn out to use leap-of-faith
fingerprint-validation in the TLS handshake, we should provide a
callback for this.  However, there are some tricky issues here, and I'd
like to see this vetted by the IETF process somewhat more.  If nobody
believes that using TLS in this way is problematic, I guess we should
support that mode.

> Please note that I have chosen GnuTLS over NSS because of its much
> better documentation (at least for non-Netscape stand alone projects).
> What I did not know at the time I made the decision was the ultra-fast
> speed with which you provided support on the mailing list. This is an
> even better feature :)

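The "leap-of-faith fingerprint-validation" Simon refers to is the mode in which a TLS syslog peer is authenticated not by a CA chain but by the digest of its certificate, either pinned by the operator or learned on first contact. The following is an added example written for this page; it is not code from the thread, from rsyslog or from GnuTLS. The peer names and the certificate bytes are constructed stand-ins for DER-encoded X.509 certificates, and the fingerprint string is written in the SHA1:AB:CD:... style the syslog-transport-tls draft uses. It shows both the strict (pinned) check and the trust-on-first-use variant, and why the latter needs the scrutiny Simon asks for: the very first handshake is accepted without any authentication.

```python
"""Fingerprint ("leap-of-faith") peer validation for TLS syslog.

Added example, not rsyslog or GnuTLS code.  A TLS-syslog peer that
authenticates the other side by certificate fingerprint hashes the
peer's DER certificate, renders the digest in the draft's
SHA1:AB:CD:... notation and compares it with a configured or
previously learned value.
"""
import hashlib
import hmac
from typing import Dict, Optional, Set

# Constructed stand-ins for DER-encoded certificates (hypothetical bytes).
# Real peers hand over a full X.509 structure; the digest does not care.
SERVER_CERT_DER = b"\x30\x82\x01\x00constructed-server-certificate-bytes"
ROGUE_CERT_DER = b"\x30\x82\x01\x00constructed-rogue-certificate-bytes"


def fingerprint(cert_der: bytes, algo: str = "sha1") -> str:
    """Render the certificate digest as 'SHA1:AB:CD:...'."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algo.upper()}:{pairs}"


def fingerprints_equal(a: str, b: str) -> bool:
    """Case-insensitive, constant-time comparison of two fingerprints."""
    return hmac.compare_digest(a.upper().encode(), b.upper().encode())


class FingerprintVerifier:
    """Per-peer fingerprint store with two modes.

    configured:     the operator pinned a fingerprint for the peer name;
                    an unknown peer or a different certificate is rejected.
    leap_of_faith:  an unknown peer is accepted on first contact and the
                    presented fingerprint is recorded.  That first
                    handshake is unauthenticated (an active attacker who
                    is present then gets pinned); every later mismatch
                    is fatal.
    """

    def __init__(self, pinned: Optional[Dict[str, str]] = None,
                 leap_of_faith: bool = False):
        self.store: Dict[str, str] = dict(pinned or {})
        self.leap_of_faith = leap_of_faith
        self.learned: Set[str] = set()

    def verify(self, peer: str, cert_der: bytes) -> bool:
        presented = fingerprint(cert_der)
        known = self.store.get(peer)
        if known is None:
            if not self.leap_of_faith:
                return False                 # unknown peer, strict mode
            self.store[peer] = presented     # first contact: trust and record
            self.learned.add(peer)
            return True
        return fingerprints_equal(known, presented)


def demo() -> Dict[str, bool]:
    """Run both modes against the constructed certificates."""
    strict = FingerprintVerifier(
        pinned={"syslog.example.net": fingerprint(SERVER_CERT_DER)})
    tofu = FingerprintVerifier(leap_of_faith=True)
    return {
        "strict_pinned_ok": strict.verify("syslog.example.net", SERVER_CERT_DER),
        "strict_rogue_rejected": not strict.verify("syslog.example.net", ROGUE_CERT_DER),
        "strict_unknown_rejected": not strict.verify("unknown.example.net", SERVER_CERT_DER),
        "tofu_first_contact_ok": tofu.verify("relay.example.net", SERVER_CERT_DER),
        "tofu_later_rogue_rejected": not tofu.verify("relay.example.net", ROGUE_CERT_DER),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a GnuTLS client the DER bytes would come from gnutls_certificate_get_peers() once the handshake has completed, and gnutls_fingerprint() computes the same digest; the missing piece Rainer mentions is a hook to run this comparison during the handshake rather than after it.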