StreamDriver.PrioritizeSAN

Uses stricter SAN/CN matching for certificate validation.

This parameter applies to imtcp: TCP Syslog Input Module.

Name: StreamDriver.PrioritizeSAN
Scope: module, input
Type: boolean
Default: module=off, input=module parameter
Required?: no
Introduced: at least 5.x, possibly earlier

Description

Whether to use stricter SAN/CN matching. (driver-specific)

When set to “on”, if any SAN is found in the peer certificate, only the SAN is used for name validation and the CN is ignored (per RFC 6125). If the certificate contains no SAN entries at all, validation falls back to checking the CN — certificates are not rejected simply for lacking SANs.

This setting only affects name-checking auth modes (x509/name). It has no effect when using x509/certvalid, which does not perform name matching.

The same-named input parameter can override this module setting.
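
The name-selection rule described above, modelled in Python as an added example (this is not rsyslog's own code). The certificate dictionaries, hostnames and the function name peer_name_ok are constructed for illustration, and the behaviour with the setting off (the CN is still consulted when no SAN matches) is an assumption the text above does not spell out.

```python
# Simplified model of the peer-name check; not rsyslog source code.
# Names are compared exactly (case-insensitive); wildcard handling for
# permitted peers is not modelled.

def peer_name_ok(cert, permitted_peers, prioritize_san, auth_mode="x509/name"):
    """Return True if the peer certificate passes the name check.

    cert is a constructed dict: {"cn": str or None, "sans": [dNSName, ...]}
    """
    if auth_mode == "x509/certvalid":
        # No name matching is performed in this mode, so the setting is moot.
        return True
    if auth_mode != "x509/name":
        raise ValueError("mode not modelled: " + auth_mode)

    allowed = {p.lower() for p in permitted_peers}
    sans = [s.lower() for s in cert.get("sans", [])]
    cn = (cert.get("cn") or "").lower()

    if any(s in allowed for s in sans):
        return True
    if prioritize_san and sans:
        # At least one SAN exists, so the CN is ignored (RFC 6125).
        return False
    # No SAN at all: fall back to the CN. With the setting off, the CN is
    # also checked after a SAN mismatch (ASSUMPTION, see lead-in).
    return cn in allowed


# Constructed sample data.
PERMITTED = ["logclient.example.com"]
MISMATCH = {"cn": "logclient.example.com", "sans": ["other.example.net"]}
LEGACY = {"cn": "logclient.example.com", "sans": []}
MODERN = {"cn": "unused", "sans": ["logclient.example.com"]}

if __name__ == "__main__":
    for label, cert in (("mismatch", MISMATCH), ("legacy", LEGACY), ("modern", MODERN)):
        off = peer_name_ok(cert, PERMITTED, prioritize_san=False)
        on = peer_name_ok(cert, PERMITTED, prioritize_san=True)
        print(f"{label:9s} off={off} on={on}")
```

Only the certificate whose CN matches but whose SAN names a different host changes outcome between the two settings.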

Module usage

module(load="imtcp" streamDriver.prioritizeSAN="on")

Input usage

input(type="imtcp" port="514" streamDriver.prioritizeSAN="on")

See also

See also imtcp: TCP Syslog Input Module.


© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.