Submiting patch for nrpe

Mark Ferlatte ferlatte at cryptio.net
Thu Jan 22 00:05:37 CET 2004

Previous message: Multi platform crypto options for Nag et al Was: Submiting patch for nrpe
Next message: Submiting patch for nrpe
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Stephen Strudwick said on Wed, Jan 21, 2004 at 06:01:21PM +0000:
> I dont see cpu cycles really being a problem, certainly not server
> side, possibly it could add up a bit client side where nagios is
> installed. But its just a handshake and exchange of 1k packets every 5
> mins per server.
 
Your servers are beefier than mine (or you have way fewer clients).  :)

> I wouldnt have thought it was wasted cpu cycles either, you would be
> adding an extra layer of security, but more importantly providing some
> kind of authentication lacking atm because of no certificates.
 
Double-encrypting isn't really an extra-layer; there are some theoretical
attacks that suggest that double encryption can be harmful.  No idea if it is
in the this particular case; however, just using OpenSSL or GnuTLS to do both
client/server authentication, and data encryption is the easiest solution.

> Anyway, im no expert on SSL/TLS, but im trying when I have spare moments
> to read as much as possible, if im wrong, try to point me in the right
> direction as to why.
 
I think it's just more work to do both; if you are going to implement TLS, then
you don't need seperate blowfish.

> For me the problem atm is the lack of certificates. I would have preferred
> this approach, but I dont know enough about SSL/TLS and I didnt have the
> time to learn/experiment and implement.
> 
> I went with blowfish because I knew I could get something
> secure, reliable and already fully tested working in a few days.

Fair enough.  I don't mean to suggest that your patch isn't useful.

From an admin perspective, though, the fewer distinct security mechanisms I
have to deal with and worry about, the better.  TLS is a well known mechanism
that is well understood, and there are good libraries that are well tested.

(There's a bit of a license issue with OpenSSL and GPL'd code that could be a
problem, but I think it just requires Ethan to put a note in the license file
saying "This is under the GPL, but you can link to OpenSSL also if you want.").

Okay, that's enough out of me, since I don't have a TLS patch to submit.  :)

M
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20040121/cf26b796/attachment.sig>

Previous message: Multi platform crypto options for Nag et al Was: Submiting patch for nrpe
Next message: Submiting patch for nrpe
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Developers mailing list