Ethan Galstad said on Tue, Jan 20, 2004 at 11:45:26PM -0600:
> Hi Stephen -
>
> The patch applied cleanly, but I might hold off on committing it to
> CVS. The reason for this is I think the encryption should probably
> be used on top of SSL, rather than instead of it. I think one of the
> big reasons for using SSL/TLS connections is the fact that it's harder
> to do "replay" attacks and fake check results. If we go with crypto
> on top of the TLS connection, I would probably look at bringing back
> optional support for the mcrypt() library, which handles a number of
> crypto algorithms (including Blowfish). Anyone have comments on this
> approach? I'm not an SSL/TLS/crypto expert by any means, so I might
> be totally off-base.
Sorry, I haven't been tracking nrpe/nsca development recently, but:
If you have SSL/TLS, you should use that for encryption also; it's part of the
protocol.

What you don't want to do is encrypt your datastream, and then send it through
a TLS connection. You're just wasting cycles in that case. TLS solves a lot
of security problems that most people don't think about; that's why it's a
complex protocol.

I would _love_ it if nrpe and nsca used TLS and provided support for
certificate checking; it would simplify managing clusters of machines by quite
a bit, as I would have one less auth mechanism to worry about.
M
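The point both posters circle around is that the TLS layer only delivers the authentication and anti-replay properties it is credited with when the peer's certificate is actually checked. The following is an added example, not code from this thread or from nrpe/nsca: it builds the client-side TLS context an NRPE-style check agent would want (certificate required, hostname checked, legacy protocol versions off), the context that merely encrypts without authenticating the peer, and a small audit function that tells the two apart. The CA bundle path and the port number are assumptions for illustration.

```python
"""Added example (not from the nagios-devel thread or the nrpe/nsca code).

Contrasts a TLS client context that authenticates the monitored host with
one that only encrypts, and audits a context for the settings a defender
should insist on before trusting check results received over it.
"""
import socket
import ssl
from typing import List, Optional

# Assumption: where the CA that signed the monitored hosts' certificates lives.
CA_BUNDLE = "/etc/nagios/ca.pem"


def checking_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the peer certificate and its hostname.

    With this in place TLS itself supplies confidentiality, integrity and
    replay protection for the check exchange, so no application-layer
    cipher on top of it is needed.
    """
    # PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED and
    # check_hostname=True; we only tighten the protocol floor.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is not None:
        ctx.load_verify_locations(ca_bundle)   # private CA for the cluster
    else:
        ctx.load_default_certs()               # system trust store
    return ctx


def unchecked_context() -> ssl.SSLContext:
    """Context that encrypts but does not authenticate the peer.

    Anyone who can reach the port can stand in for the monitored host and
    feed fabricated check results, which is exactly the outcome the thread
    wants TLS to prevent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a context; an empty list means OK."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy TLS versions allowed")
    return problems


def open_check_channel(ctx: ssl.SSLContext, host: str, port: int = 5666) -> ssl.SSLSocket:
    """Open the TLS channel an NRPE-style client would use to fetch a check.

    The handshake fails if the host's certificate does not chain to the
    loaded CA or does not name `host`. Port 5666 is NRPE's conventional
    port (an assumption here, not taken from the thread). This function
    needs a live agent and is not exercised by the offline example.
    """
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("checking context :", audit(checking_context()) or "ok")
    print("unchecked context:", audit(unchecked_context()))
```

Run as-is it only inspects the two contexts offline; to use the checking context against a real agent, pass the cluster's CA bundle to `checking_context` and hand the result to `open_check_channel`. Note that the unchecked variant has to clear `check_hostname` before setting `CERT_NONE`, which is the order Python's `ssl` module enforces; an audit like the one above is a cheap way to catch a context that was loosened in that way and never tightened again.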
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]