Stephen Strudwick said on Wed, Jan 21, 2004 at 06:01:21PM +0000:
> I don't see CPU cycles really being a problem, certainly not server
> side, possibly it could add up a bit client side where nagios is
> installed. But it's just a handshake and exchange of 1k packets every 5
> mins per server.
Your servers are beefier than mine (or you have way fewer clients).
> I wouldn't have thought it was wasted CPU cycles either, you would be
> adding an extra layer of security, but more importantly providing some
> kind of authentication lacking atm because of no certificates.
Double-encrypting isn't really an extra layer; there are some theoretical
attacks that suggest that double encryption can be harmful. No idea if it is
in this particular case; however, just using OpenSSL or GnuTLS to do both
client/server authentication and data encryption is the easiest solution.
> Anyway, I'm no expert on SSL/TLS, but I'm trying when I have spare moments
> to read as much as possible, if I'm wrong, try to point me in the right
> direction as to why.
I think it's just more work to do both; if you are going to implement TLS,
then you don't need separate blowfish.
> For me the problem atm is the lack of certificates. I would have preferred
> this approach, but I don't know enough about SSL/TLS and I didn't have the
> time to learn/experiment and implement.
>
> I went with blowfish because I knew I could get something
> secure, reliable and already fully tested working in a few days.
Fair enough. I don't mean to suggest that your patch isn't useful.
From an admin perspective, though, the fewer distinct security mechanisms I
have to deal with and worry about, the better. TLS is a well known mechanism
that is well understood, and there are good libraries that are well tested.
(There's a bit of a license issue with OpenSSL and GPL'd code that could be a
problem, but I think it just requires Ethan to put a note in the license file
saying "This is under the GPL, but you can link to OpenSSL also if you want.").
Okay, that's enough out of me, since I don't have a TLS patch to submit.
M
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]