Hi Everybody,

My name is David and I'm a student of Computer Science in Regensburg. I
have studied long enough now and everything has its end, so I'm currently writing
my diploma thesis. A big part of this is to get my hands dirty on shinken.
That's the reason why I'm here to say Hi to everybody, and if you need a
helping hand, just ask.

To get started with the inner workings of shinken, I started to implement SSL
support for it, in the stable tree. Big fault! As I wanted to port my
changes to the master branch, I saw that it was too late, you guys were faster.

So anyway that's cool, but I have some questions and ideas that I want to
share in this regard.

1.) Pyro SSL support is a bit strange:
     - Client authentication uses the same cert as the server mode does. Is
this a security risk? Don't know, I'm not that much of a security guy. (I'm
thinking about exchanging client/server connection... But I think replay
protection handles this)
     - But much more important: self.ctx.set_allow_unknown_ca in
Pyro/protocol.py is a security problem, this allows man in the middle
attacks, etc.
2.) Do we really need client authentication for every component? For the
arbiter, sure we need it - else we get a botnet-like system. But the other
components?
     Reactionner and broker need to authenticate too, else the "bad guys"
could get secret data (all theoretical)
3.) What about self-signed keys? We could add a known_hosts and
authorized_keys infrastructure instead of the CA handling. I have sample
code for this,
    but this needs a callback infrastructure in Pyro (set_verify callback
interface). Is it worth it?
4.) We could implement the separation of public and private keys:
PYROSSL_KEY

Point one is very important and needs checking.

I also recommend that we don't ship certs with the tarball, but generate
them at install time.

Greetings
David
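Added illustration, not part of David's mail and not Pyro's or Shinken's code: it uses Python's standard ssl module to contrast a client context that rejects unknown CAs (the secure counterpart of the set_allow_unknown_ca behaviour mentioned in point 1) with one that accepts any certificate, and it sketches the known_hosts-style pinning store from point 3 as a check run on the peer's DER certificate after the handshake. The peer names and certificate bytes are constructed placeholders; the KnownHosts class, PinMismatch exception and helper function names are assumptions of this example, not a Pyro callback interface.

```python
"""Added example (not Pyro/Shinken code): strict vs. unverified TLS client
contexts, plus a known_hosts-style certificate pin store.

All certificate bytes used in the usage section are constructed placeholders.
"""
import hashlib
import ssl
from dataclasses import dataclass, field


def make_strict_client_context(ca_file=None):
    """Context that verifies the peer chain against a CA bundle (system store
    when ca_file is None) and checks the hostname. An unknown CA fails the
    handshake here instead of being waved through."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_client_context():
    """What 'allow unknown CA' amounts to: any certificate is accepted, so an
    on-path attacker can present its own key. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx) -> bool:
    """True when the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, colon separated like ssh-keygen -l."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """Raised when a peer presents a certificate other than the pinned one."""


@dataclass
class KnownHosts:
    """Pin store in the spirit of SSH known_hosts: peer name -> fingerprint.
    With trust_on_first_use enabled an unknown peer is learned once; after
    that any change of certificate is an error, which is exactly the
    condition a CA-less setup must be able to detect."""
    pins: dict = field(default_factory=dict)
    trust_on_first_use: bool = False

    def check(self, peer: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        expected = self.pins.get(peer)
        if expected is None:
            if not self.trust_on_first_use:
                raise PinMismatch(f"{peer}: no pin recorded and TOFU disabled")
            self.pins[peer] = fp
            return "learned"
        if expected != fp:
            raise PinMismatch(f"{peer}: expected {expected}, got {fp}")
        return "match"

    def check_socket(self, peer: str, tls_sock: ssl.SSLSocket) -> str:
        """Run the pin check on an established TLS socket (after handshake)."""
        return self.check(peer, tls_sock.getpeercert(binary_form=True))


if __name__ == "__main__":
    # Constructed placeholder certificate bytes, not real DER certificates.
    store = KnownHosts(trust_on_first_use=True)
    print(store.check("broker.example", b"constructed-der-cert-A"))  # learned
    print(store.check("broker.example", b"constructed-der-cert-A"))  # match
    try:
        store.check("broker.example", b"constructed-der-cert-B")
    except PinMismatch as exc:
        print("rejected:", exc)
    print("strict verifies peer:", context_verifies_peer(make_strict_client_context()))
    print("unverified verifies peer:", context_verifies_peer(make_unverified_client_context()))
```

The pin check deliberately runs after the handshake on the raw DER bytes rather than replacing chain validation, so it can sit alongside a CA-based context or, for self-signed deployments, provide the only trust decision; in either case a changed certificate surfaces as PinMismatch rather than being silently accepted.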
_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel