[Pkg-nagios-devel] Bug#547092: Bug#547092: nagios-nrpe-server: Insecure 'SSL' option, key identical for all debian systems

Christoph Anton Mitterer calestyo at scientia.net
Mon Feb 20 12:14:28 UTC 2012


Hi Alexander.

On Mon, 2012-02-20 at 06:29 +0100, Alexander Wirt wrote:
> this breaks all existing nrpes
What do you mean by breaking NRPEs? 
The other Nagios NRPEs (that could be used on remote host sides) which
still use the fake SSL?

But even if it does... wouldn't that be better? That SSL is just
useless, so admins are better off disabling it altogether.


> and icinga nrpe is not in a releasable state.
Just for my personal education :) ... what's the issue about it?


I mean the current situation is IMHO a bit concerning.
- Nagios upstream seems to have abandoned this issue.

- SSL is activated by default in Debian, which is useless anyway and in
the worst case gives a wrong feeling of security.

- Severity of this issue is "just" important, IMHO it should be grave
(http://www.debian.org/Bugs/Developer#severities), which would also
notify at least those using apt-listbugs.

- Of course one can argue that you cannot do much of an attack with
NRPE, but people may rely on SSL and, because of it, think it safe to
enable argument processing in NRPE.


Cheers,
Chris.