StreamDriver.PrioritizeSAN
Uses stricter SAN/CN matching for certificate validation.
This parameter applies to imtcp: TCP Syslog Input Module.
- Name: StreamDriver.PrioritizeSAN
- Scope: module, input
- Type: boolean
- Default: module=off, input=module parameter
- Required?: no
- Introduced: at least 5.x, possibly earlier
Description
Whether to use stricter SAN/CN matching. (driver-specific)
When set to “on”, if any SAN is found in the peer certificate, only the SAN is used for name validation and the CN is ignored (per RFC 6125). If the certificate contains no SAN entries at all, validation falls back to checking the CN — certificates are not rejected simply for lacking SANs.
This setting only affects name-checking auth modes (x509/name). It has no
effect when using x509/certvalid, which does not perform name matching.
The same-named input parameter can override this module setting.
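The decision described above, modeled as an added Python example (not rsyslog source code). The certificate dictionaries, the peer name `logs.example.com` and the function names are constructed for illustration. It assumes that with the setting off the CN is still tried after the SANs, and it compares names exactly, without wildcard handling.

```python
# Added illustration of the SAN/CN name-check decision; not rsyslog code.
# Assumption: with prioritize_san off, the CN is tried after the SANs.
# Names are compared exactly (case-insensitive); wildcards are left out.

def name_matches(permitted_peers, candidate):
    """True if candidate equals one of the permitted peer names."""
    return candidate.lower() in {p.lower() for p in permitted_peers}

def peer_name_ok(cert, permitted_peers, prioritize_san, auth_mode="x509/name"):
    """Return True if the certificate passes the name check.

    cert is a constructed dict: {"san": [dns names], "cn": str or None}.
    Chain validation is out of scope here and assumed to have succeeded.
    """
    if auth_mode != "x509/name":
        # x509/certvalid performs no name matching, so the setting has no effect.
        return True
    sans = cert.get("san", [])
    if any(name_matches(permitted_peers, s) for s in sans):
        return True
    if prioritize_san and sans:
        # At least one SAN is present: the CN is ignored (RFC 6125).
        return False
    # No SAN at all (or setting off): fall back to the CN.
    cn = cert.get("cn")
    return cn is not None and name_matches(permitted_peers, cn)

# Constructed sample data.
PERMITTED = ["logs.example.com"]
CERTS = {
    "san_match": {"san": ["logs.example.com"], "cn": "unrelated"},
    "cn_with_other_san": {"san": ["other.example.net"], "cn": "logs.example.com"},
    "no_san": {"san": [], "cn": "logs.example.com"},
}

def evaluate(prioritize_san):
    """Run every sample certificate through the name check."""
    return {k: peer_name_ok(c, PERMITTED, prioritize_san) for k, c in CERTS.items()}

if __name__ == "__main__":
    for setting in (False, True):
        print("prioritizeSAN =", "on" if setting else "off", evaluate(setting))
```

The only result that changes between the two settings is `cn_with_other_san`: a certificate whose CN matches a permitted peer but whose SAN entries do not is accepted with the setting off and rejected with it on.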
Module usage
module(load="imtcp" streamDriver.prioritizeSAN="on")
Input usage
input(type="imtcp" port="514" streamDriver.prioritizeSAN="on")
See also
See also imtcp: TCP Syslog Input Module.
© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.