nagios-nrpe/debian/patches/07_warn_ssloption.patch

29 lines
1.0 KiB
Diff
Raw Normal View History

2016-12-24 10:24:09 +01:00
Description: Warn against inadequateness of NRPE's own SSL option.
Author: Thijs Kinkhorst <thijs@debian.org>
Forwarded: not-needed
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -82,14 +82,17 @@ daemon should run as.
#### ENCRYPTION ####
If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using:
-
- 1. Stunnel (see http://www.stunnel.org for more info)
- 2. Native SSL support (See the `README.SSL.md` file for more info)
+make sure that you encrypt communications by using, for example,
+Stunnel (see http://www.stunnel.org for more info).
*Do NOT* assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic!
+NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and
+server, and uses pregenerated key material. NRPE's SSL option is
+advised against. For more information, see Debian bug #547092.
+
#### USING ARGUMENTS ####