Daniel Gollub

Results 17 comments of Daniel Gollub

In the PAM module there is a global variable task_id which gets set by the method pam_sm_open_session: https://github.com/jeroennijhof/pam_tacplus/blob/master/pam_tacplus.c#L715 ... to a random value. Depending on the application using this PAM...

@KanagalakshmiGobiViswanathan , which SSH daemon implementation is used? I have doubts that openssh is used here.

There might be more adjustments on default knobs or additional configuration knobs to control the OCSP client behavior. One delicate item to decide on: should this be enabled by default...

@rgerhards , @alorbach , is there any trick to make Codacy happy with respect to the "unknown" SO_BINDTODEVICE value? I'm also puzzled about "Condition '!bio' is always false".

> enabled by default? what happens if you are unable to do the validation? If your PKI/CA is not using OCSP, there will be no online revocation validation at all....

> > @rgerhards , @alorbach , is there any trick to make Codacy happy with respect to the "unknown" SO_BINDTODEVICE value? > > adding some info: the root cause is...

> what about when you use a public CA, but your syslog server doesn't have access to the Internet? In that case it's questionable why a public CA is used?...

David, with the CT being common/mandatory for public CAs, I wonder how common it would be to set up a syslog server with a public CA issued certificate. OTOH: https://crt.sh/?q=syslog%25 https://crt.sh/?q=rsyslog%25...

I tried the trick @rgerhards suggested:
```
#ifndef SO_BINDTODEVICE
#define SO_BINDTODEVICE 0
#endif
```
... and that worked. Still wondering why that was not required for nsd_ptcp.c. The only left...

We need to error out if SO_BINDTODEVICE is not available but a specific source-interface/device is configured. We should fail rather than using a "random" other interface/device. That would also be consistent with...