On Wed, 17 Apr 2024, Attila Lakatos via rsyslog wrote:
On Tue, Apr 16, 2024 at 1:17 PM Derek Atkins via rsyslog <rsyslog@lists.adiscon.com> wrote:
Hi David,
On Tue, April 16, 2024 6:32 am, David Lang via rsyslog wrote:
> Is there any way to duplicate the existing functionality with openssl or
> gnutls libraries?
Without knowing what the current functionality actually is, I would answer
"yes". At least with OpenSSL (but also with GnuTLS) you have access to
all the low-level cryptographic methods, so you can go call AES and
SHA2-256 directly as you wish. So yes, you can use them as generic
cryptographic APIs.
Even though I don't have a strong crypto background, I agree here. It provides
ways to handle different algorithms and/or methods. The problematic part is to
make this compatible with the current libgcrypt implementation. For instance,
the gcry crypto provider supports various options for *cry.algo* and
*cry.mode* that you can or can't combine, whilst for openssl this could be
achieved by a single parameter DHE-RSA-AES256-GCM-SHA384, etc. So the same
functionality could be achieved but it needs to be handled differently. I
think this is the same scenario as setting the *gnutlsPriorityString* option
in rsyslog-openssl/gnutls.
To be backwards compatible, the existing configs would need to keep working,
even if they are implemented differently under the covers.
So while you may be able to do it with a single parameter with a different
library, you still need to have a shim module that accepts the old parameters
and does the conversion to new parameters under the covers.
If it would break the existing configs, it means we can't remove the old
functionality, so instead of reducing maintainer effort, it would just add to
it.
David Lang
-derek
--
Derek Atkins 617-623-3745
de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
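The shim idea raised in the thread (accept the old *cry.algo* / *cry.mode* pair, convert it under the covers), sketched as an added example that is not rsyslog code and does not come from anyone in the thread. The function name `shim_translate`, the small table of legacy values, the AES128/CBC fallback and the choice of OpenSSL EVP cipher names as the target are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum shim_rc { SHIM_OK, SHIM_UNKNOWN_ALGO, SHIM_NO_EQUIVALENT, SHIM_BAD_MODE, SHIM_TOO_SMALL };

/* Assumed subset of legacy cry.algo values: OpenSSL EVP name prefix (NULL when
 * OpenSSL ships no such cipher) and the cry.mode values this sketch translates. */
struct algo_map { const char *legacy, *prefix, *modes; };
static const struct algo_map ALGOS[] = {
    { "AES128",  "aes-128",  "CBC CFB OFB CTR ECB" },
    { "AES192",  "aes-192",  "CBC CFB OFB CTR ECB" },
    { "AES256",  "aes-256",  "CBC CFB OFB CTR ECB" },
    { "3DES",    "des-ede3", "CBC CFB OFB" },
    { "TWOFISH", NULL,       "" },  /* old configs using this cannot be converted */
};

/* Exact-token match of mode against a space-separated list. */
static int mode_allowed(const char *modes, const char *mode) {
    size_t n = strlen(mode);
    for (const char *p = modes; n && *p; ) {
        size_t len = strcspn(p, " ");
        if (len == n && strncmp(p, mode, n) == 0) return 1;
        p += len + (p[len] == ' ');
    }
    return 0;
}

/* Convert an old (algo, mode) pair into one cipher name such as "aes-256-cbc".
 * NULL means the parameter was absent from the config (assumed defaults). */
enum shim_rc shim_translate(const char *algo, const char *mode, char *out, size_t outlen) {
    if (!algo) algo = "AES128";
    if (!mode) mode = "CBC";
    for (size_t i = 0; i < sizeof ALGOS / sizeof ALGOS[0]; i++) {
        if (strcmp(ALGOS[i].legacy, algo) != 0) continue;
        if (!ALGOS[i].prefix) return SHIM_NO_EQUIVALENT;
        if (!mode_allowed(ALGOS[i].modes, mode)) return SHIM_BAD_MODE;
        int n = snprintf(out, outlen, "%s-", ALGOS[i].prefix);
        if (n < 0 || (size_t)n + strlen(mode) >= outlen) return SHIM_TOO_SMALL;
        for (const char *m = mode; *m; m++) out[n++] = (char)tolower((unsigned char)*m);
        out[n] = '\0';
        return SHIM_OK;
    }
    return SHIM_UNKNOWN_ALGO;
}

int main(void) {
    char name[32];
    enum shim_rc rc = shim_translate("AES256", "CBC", name, sizeof name);
    printf("%d %s\n", rc, rc == SHIM_OK ? name : "(none)");
    return 0;
}
```

The `SHIM_NO_EQUIVALENT` and `SHIM_BAD_MODE` results are the cases where an existing config would stop working after a library switch, which is the maintenance concern the thread ends on.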