Ndo 1.4b7 patch : SSL connections

nap naparuba at gmail.com
Thu Nov 6 15:35:34 CET 2008


I compile it on my prod and I see these errors:
* #include "../include/io.h" to remove in io.c (beginning)
* -I/usr/include/openssl to add to all objects (maybe the common file
is not a good place to put the load of SSL.h).

I put the patch in production, I'll see the impact of SSL.


Jean

On Thu, Nov 6, 2008 at 2:36 PM, nap <naparuba at gmail.com> wrote:
> On Thu, Nov 6, 2008 at 2:24 PM, Hendrik Bäcker <andurin at process-zero.de> wrote:
>>
>> nap wrote:
>>> Hi List,
>>>
>>>
>>> I wrote a patch for ndo 1.4b7 (ndomod and ndo2db) : the SSL
>>> connection. The code comes from nrpe. I think this can be useful
>>> with distributed Nagios, the communications between the secondary
>>> nagios and ndo2db are in plaintext and we can see the name of the
>>> host in it.
>>>
>> Nice thing.
>>> The patch just applies the SSL connection to the sock of the
>>> connection between ndomod and ndo2db (just for a tcp connection, I
>>> don't think it is useful for unix socket...).
>> I guess it becomes very useful for the situation of "outside-my-lan"
>> nagios servers with "internal" db hosts.
> Even in the LAN, it's easy to make a man in the middle attack with
> ARP. And my security responsible does not want plaintext. Now he is
> happy and allows me to put distributed nagios in production :)
>
>> But do you have ideas about the performance situation?
>> encryption takes cpu time and ndomod is usually not very quiet on wire.
>>>
>>> In the patch you can see the dh.h file from nrpe. In nrpe it's
>>> generated by ./configure but I don't know how to modify it. The
>>> Makefile needs the ssl lib too, but I don't know how to modify the
>>> autoconf (I leave a Makefile.new in the patch to show what to
>>> modify), if someone can help me on this ;)
>> I will have a look at it.
> Thanks.
>
>>>
>>> For the moment the patch applies the SSL for all connections, but
>>> maybe we can put the use_ssl argument into ndo2db.conf and
>>> ndomod.conf.
>>>
>> That would be the best way.
> Ok, I'll see how to change it.
>
>>> I test with a small server and 4000 services and I don't see any
>>> overload of ndo2db or nagios due to the SSL. It can't be null, just
>>> small.
>>>
>> mkay... drop my above question ;)
> I test on my small dev server (virtual machine...), I'll put it onto
> my production server (6000 services) and see if the traffic of lo (ndo
> connection in tcp localhost) is high or the load average reaches the top
> :)
>
>
>>
>> Nice thing, I am on your side for testing and helping hands.
> Thanks again :)
>
>> Hendrik
> Gabès Jean
>
>
>>
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Nagios-devel mailing list
>> Nagios-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nagios-devel
>>
>
