add documentation for mbedtls driver

Author: sadenot

source/concepts/netstrm_drvr.rst

@@ -19,3 +19,4 @@ Current Network Stream Drivers
    ns_ptcp
    ns_gtls
    ns_ossl
+   ns_mbedtls

source/concepts/ns_mbedtls.rst

@@ -0,0 +1,54 @@
+*****************************
+mbedtls Network Stream Driver
+*****************************
+
+===========================  ===========================================================================
+**Driver Name:**             **mbedtls**
+**Author:**                  Stéphane Adenot <[email protected]>
+**Available since:**
+===========================  ===========================================================================
+
+
+Purpose
+=======
+
+This network stream driver implements a TLS protected transport
+via the `MbedTLS library <https://www.trustedfirmware.org/projects/mbed-tls/>`_.
+
+
+Supported Driver Modes
+======================
+
+-  **0** - unencrypted transmission (just like `ptcp <ns_ptcp.html>`_ driver)
+-  **1** - TLS-protected operation
+
+.. note::
+
+   Mode 0 does not provide any benefit over the ptcp driver. This
+   mode exists for technical reasons, but should not be used. It may be
+   removed in the future.
+
+
+Supported Authentication Modes
+==============================
+
+-  **anon** - anonymous authentication as described in IETF's
+   draft-ietf-syslog-transport-tls-12 Internet draft
+
+-  **x509/certvalid** - certificate validation only. x509/certvalid is
+   a nonstandard mode. It validates the remote peers certificate, but
+   does not check the subject name. This is weak authentication that may
+   be useful in scenarios where multiple devices are deployed and it is
+   sufficient proof of authenticity when their certificates are signed by
+   the CA the server trusts. This is better than anon authentication, but
+   still not recommended. **Known Problems**
+
+-  **x509/name** - certificate validation and subject name authentication as
+   described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
+
+.. note::
+
+   "anon" does not permit to authenticate the remote peer. As such,
+   this mode is vulnerable to man in the middle attacks as well as
+   unauthorized access. It is recommended NOT to use this mode.
+   A certificate / key does not need to be configured in this authmode.

source/configuration/modules/omfwd.rst

@@ -86,7 +86,7 @@ Protocol
 Type of protocol to use for forwarding. Note that \`\`tcp'' means
 both legacy plain tcp syslog as well as RFC5425-based TLS-encrypted
 syslog. Which one is selected depends on the StreamDriver parameter.
-If StreamDriver is set to "ossl" or "gtls" it will use TLS-encrypted syslog.
+If StreamDriver is set to "ossl", "gtls" or "mbedtls", it will use TLS-encrypted syslog.
 
 
 NetworkNamespace
@@ -443,7 +443,7 @@ StreamDriver
    "word", "none", "no", "``$ActionSendStreamDriver``"
 
 Choose the stream driver to be used. Default is plain tcp, but
-you can also choose "ossl" or "gtls" for TLS encryption.
+you can also choose "ossl" "gtls" or "mbedtls" for TLS encryption.
 
 
 StreamDriverMode

source/rainerscript/global.rst

@@ -110,7 +110,7 @@ The following parameters can be set:
 
 - **defaultNetstreamDriver**
 
-  Set it to "ossl" or "gtls" to enable TLS.
+  Set it to "ossl", "gtls" or "mbedtls" to enable TLS.
   This `guide <http://www.rsyslog.com/doc/rsyslog_secure_tls.html>`_
   shows how to use TLS.