[Pkg-nagios-devel] Bug#547092: Bug#547092: nagios-nrpe-server: Insecure 'SSL' option, key identical for all debian systems

Michael Friedrich michael.friedrich at univie.ac.at
Sun Mar 18 10:49:12 UTC 2012

On 17.03.2012 17:33, Christoph Anton Mitterer wrote:
> On Mon, 2012-02-20 at 19:49 +0100, Michael Friedrich wrote:
>> <dev hat on>
>> the code was NOT useless. stop blaming the devs for that initial
>> implementation. do better than that - actually make it better.
>> <dev hat off>
> I just tried and compiled my own nrpe with different dh.h. From that one
> I used the plugin with the daemon version from SUSE.
> So that means plugin and daemon, each with a _DIFFERENT_ set of dh.h
> parameters communicate.
> And it worked just flawlessly, which is because anon DH is used, right?
> I'm not really sure what you expect from
> encryption/integrity/security/SSL but to my mind the above proves quite
> clearly that the way NRPE uses SSL right now is absolutely useless,
> unless you're looking for subtle ways to waste CPU power.
> You must understand that the current way is not even like "one shared
> secret"... it's just an unsecured (MiM-attackable) key agreement,... and
> only afterwards data is encrypted.
> Pointless.

so you are my teacher to tell me what to think? man, i am aware of the 
things which are wrong, but stop blaming everyone being badass and 
you're the hero of the world.
that behaviour makes your demands just pointless in regard of a valuable 
discussion. time will tell when things are to be fixed and whatnot.

>> <users hat on>
>> why do i have to upgrade my nsclient++ server which only supports the
>> old nrpe protocol? oh snap, nsclient++ dev refuses to implement
>> the new nrpe protocol with ssl certs. fuck, i can't upgrade to the
>> new version,
>> but i really really want to use e.g. ipv6 layer
>> <users hat off>
> That's a quite naive and stubborn way of thinking.

and? i am a user not wanting the underneath to be secure, but the 
upgrades need to run just fine.
> In all due respect,... I doubt you understand security...

you don't keep up any respect in this discussion. given that, i won't 
answer your private mail either. feel free to join the public 
discussions whenever you like, but my personal spare time won't be 
wasted by someone acting like you.

have a nice life,

ps: fork your own nagios and make the world better.
