[Pkg-nagios-devel] Bug#545484: Bug#545484: nagios-plugins-basic: enable SSL certificate validity check by default

Thijs Kinkhorst thijs at uvt.nl
Wed Nov 18 17:16:21 UTC 2009


Hi Jan,

> On Monday, 7. September 2009, Thijs Kinkhorst wrote:
> > A number of Nagios plugins include useful functionality when connecting
> >  over SSL: they check if the certificate is still valid and report a
> >  warning or error when it (soon) expires.

> > Attached is a patch that in the shipped configuration enables this useful
> > extra check.
>
> as I can understand, that this would be a useful addition, I think we have
> a couple of disadvantages.
>
> * users who use a certificate and don't care if it's valid/expired (just
> want to encrypt the payload) maybe get nerved

In both situations, current and proposed, a group of people will want to opt 
to change it. My proposal is to change the default, not to force the checks 
upon them. In my view default on is better than default off in this case, 
because I presume that people using SSL in general *are* interested in having 
valid certificates (why are they using SSL then), and people explicitly 
wanting to turn it off are a relatively small group.

> * whatever we choose as days until the cert expires ... users may edit
> this anyways, as they want to set different values

That's true, but I think that people would prefer to be warned at a moment 
they'd rather fine-tune to a somewhat different moment, over not being warned 
at all.

Enabling it by default generates less work for most administrators, and 
proactively prevents service outage for those administrators that did not 
know about that check previously or forgot to set it.

> Adding more checks seems also not an option, as we have so huge checks for
> stuff, but we can't provide command definitions for everything.

I agree with you on this one.


cheers,
Thijs