Submitting patch for nrpe
Mark Ferlatte
ferlatte at cryptio.net
Wed Jan 21 18:27:19 CET 2004
Ethan Galstad said on Tue, Jan 20, 2004 at 11:45:26PM -0600:
> Hi Stephen -
>
> The patch applied cleanly, but I might hold off on committing it to
> CVS. The reason for this is I think the encryption should probably
> be used on top of SSL, rather than instead of it. I think one of the
> big reasons for using SSL/TLS connections is the fact that it's harder
> to do "replay" attacks and fake check results. If we go with crypto
> on top of the TLS connection, I would probably look at bringing back
> optional support for the mcrypt() library, which handles a number of
> crypto algorithms (including Blowfish). Anyone have comments on this
> approach? I'm not an SSL/TLS/crypto expert by any means, so I might
> be totally off-base. :-)
Sorry, I haven't been tracking nrpe/nsca development recently, but:
If you have SSL/TLS, you should use that for encryption also; it's part of the
protocol.
What you don't want to do is encrypt your datastream, and then send it through
a TLS connection. You're just wasting cycles in that case. TLS solves a lot
of security problems that most people don't think about; that's why it's a
complex protocol. :)
I would _love_ it if nrpe and nsca used TLS and provided support for
certificate checking; it would simplify managing clusters of machines by quite
a bit, as I would have one less auth mechanism to worry about.
M
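The arrangement Mark argues for (TLS for encryption and integrity, certificate checks on both ends for authentication, no second crypto layer on top), as an added example in Go; this is not code from nrpe, nsca or this thread. The self-signed certificates, the "agent" and "nagios" host names and the check_load request are constructed stand-ins for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// selfSigned mints a throwaway self-signed cert for one host (constructed for this demo only; a real deployment would issue both sides certs from one private CA).
func selfSigned(host string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pool := x509.NewCertPool() // the pool that the other side will trust this host through
	if leaf, err := x509.ParseCertificate(der); err == nil { pool.AddCert(leaf) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// RunCheck runs a one-shot agent on loopback that answers only clients whose cert chains to trustClient; the monitoring host
// connects with clientCert, verifies the agent against trustAgent, sends one check request and returns the agent's reply.
func RunCheck(agentCert, clientCert tls.Certificate, trustAgent, trustClient *x509.CertPool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{agentCert}, ClientCAs: trustClient,
		ClientAuth:   tls.RequireAndVerifyClientCert, // unauthenticated check requests are refused at the handshake
	})
	if err != nil { return "", err }
	defer ln.Close()
	var req, resp [64]byte
	go func() { // agent side: the TLS handshake runs inside Read and fails for an untrusted client cert
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if n, err := c.Read(req[:]); err == nil { c.Write([]byte("OK " + string(req[:n]))) }
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert}, RootCAs: trustAgent, ServerName: "agent", // client verifies the agent too
	})
	if err != nil { return "", err }
	defer conn.Close()
	conn.Write([]byte("check_load")) // a failure here also surfaces on the Read below
	n, err := conn.Read(resp[:]) // a bad-certificate alert from the agent surfaces here as an error
	if err != nil { return "", err }
	return string(resp[:n]), nil
}
```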