.. _param-imrelp-tls-permittedpeer:
.. _imrelp.parameter.input.tls-permittedpeer:

tls.permittedPeer
=================

.. index::
   single: imrelp; tls.permittedPeer
   single: tls.permittedPeer

.. summary-start

Restricts accepted clients to the listed certificate fingerprints or wildcard names.

.. summary-end

This parameter applies to :doc:`../../configuration/modules/imrelp`.

:Name: tls.permittedPeer
:Scope: input
:Type: array
:Default: input=none
:Required?: no
:Introduced: Not documented

Description
-----------
The ``tls.permittedPeer`` setting places access restrictions on this listener.
Only peers which have been listed in this parameter may connect. The certificate
presented by the remote peer is used for its validation.

The *peer* parameter lists permitted certificate fingerprints. Note that it is
an array parameter, so either a single or multiple fingerprints can be listed.
When a non-permitted peer connects, the refusal is logged together with its
fingerprint. So if the administrator knows this was a valid request, he can
simply add the fingerprint by copy and paste from the logfile to rsyslog.conf.

To specify multiple fingerprints, just enclose them in braces like this:

.. code-block:: none

   tls.permittedPeer=["SHA1:...1", "SHA1:....2"]

To specify just a single peer, you can either specify the string directly or
enclose it in braces. You may also use wildcards to match a larger number of
permitted peers, e.g. ``*.example.com``.

When using wildcards to match larger number of permitted peers, please know that
the implementation is similar to Syslog RFC5425 which means: This wildcard
matches any left-most DNS label in the server name. That is, the subject
``*.example.com`` matches the server names ``a.example.com`` and
``b.example.com``, but does not match ``example.com`` or ``a.b.example.com``.

Input usage
-----------
.. _param-imrelp-input-tls-permittedpeer-usage:
.. _imrelp.parameter.input.tls-permittedpeer-usage:

.. code-block:: rsyslog

   input(type="imrelp" port="2514"
        tls="on"
        tls.permittedPeer=["SHA1:0123456789ABCDEF0123456789ABCDEF01234567"])

See also
--------
See also :doc:`../../configuration/modules/imrelp`.
