Description
Description of the problem
Currently TLS-enabled sources only conduct a limited number of checks on the certificates presented by connecting hosts that initiate TLS connections.
The validity of the certificate and the certificate chain is checked depending on the peer-verify() option, but it is not checked whether the certificate presented actually corresponds to the client or not.
Let us imagine a situation where:
Both clientA and clientB are hosts on the LAN and can send logs to the syslog server-ng over TLS. This means that they both have valid certificates issued by the same CA, that the syslog-ng trusts.
In a situation when clientB connects to the syslog-ng server using clientA's certificate (and private key), the syslog-ng server would allow clientB to connect, as it has a valid certificate, and the chain of trust also checks out. This can happen with peer-verify(required/trusted) too, as that setting doesn't imply checking whether the certificate actually belongs to the host presenting it.
In case of TLS-enabled destinations however (at least AFAIK), such checks are in place, so clients always verify whether the server is who it claims to be.
Proposed solution
Syslog-ng should add similar checks to sources as well, where it is checked whether the other communicating party is exactly who the certificate it presents was issued to.
This behavior however should be optional, and should be turned off by default to preserve configuration compatibility with older versions.
So in other words a new TLS option should be introduced that toggles this behavior.