[hobbit] Feature request: SSL/TLS client/server negotiation

Henrik Stoerner henrik at hswn.dk
Fri Oct 13 08:31:10 CEST 2006


On Thu, Oct 12, 2006 at 04:00:41PM -0400, Schwimmer, Eric E *HS wrote:
> 
> The subject pretty much says it all :)  The top item on my hobbit wish
> list is to see some sort of client/server authentication & encryption.
> This will take care of three of my largest hobbit worries/problems:

I agree this would be a good thing. However, I am not sure that it
really solves the problems you refer to:


> 1.  Having to poke a hole in my hobbit server's firewall every time I
> add a new hobbit client.

You'd still need to open the firewall for your clients, whether you run
SSL or plain text across the wire. If you just open the firewall to
allow anyone to connect to the ssl-enabled hobbit daemon, then an
attacker may try to DoS the SSL service. And SSL protocol implementations 
have had security problems as well.


> 2.  The possibility that someone might compromise one machine running a
> hobbit client and use that machine to send false reports or DOS the
> hobbit server.

Someone with access to a machine with the Hobbit client could still run
the "bb" program and send in a status report.  Unless you protect the 
client-side certificate with a passphrase that is kept only in memory 
- i.e. you'll have to enter it on the console whenever the machine is 
rebooted or the Hobbit client is restarted - then an attacker will have 
access to the client certificate, and therefore he can send forged data 
to the Hobbit server.

The client certificate does provide authentication, though - so you know
what server the (forged) data originates from. And rogue clients - i.e.
anyone with a network connection to your Hobbit server - are kept out.


> 3.  Prevent tender bits of info (such as my log files) that would
> otherwise traverse the network unencrypted.

True.


> Of course, this would break a lot of existing scripts (devmon, bb-xsnmp,
> etc); perhaps it would be possible to have the secure server listen on a
> different port?

Perhaps. My ideas for implementing this have always been that this
would best fit into the bbproxy utility; so you would have bbproxy
handling the SSL-enabled connections from clients, then forwarding 
the data in plain text (via the loopback interface or a unix domain
socket that cannot be eavesdropped upon) to the Hobbit daemon. That
would avoid changing anything in the core daemon which I believe is
a good thing.


Regards,
Henrik
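
An added sketch of the front end discussed in this message (not Hobbit or bbproxy code, and not from either poster): a TLS listener that requires a client certificate, forwards reports in plain text over a unix domain socket, and goes one step further by dropping reports whose host does not match the certificate. The socket path, the port, the commonName-equals-hostname convention and the `status HOST.TEST COLOR ...` layout (dots in the host sent as commas) are assumptions.

```python
import socket
import ssl

BACKEND = "/var/run/hobbitd.sock"  # hypothetical unix socket of the core daemon

def make_context(cert=None, key=None, client_ca=None):
    """TLS server context that rejects clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert:
        ctx.load_cert_chain(cert, key)
    if client_ca:
        ctx.load_verify_locations(client_ca)
    return ctx

def cert_host(peercert):
    """commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peercert or {}).get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value.lower()
    return None

def claimed_host(message):
    """Host named in a status report (assumed wire format, see lead-in)."""
    words = message.split()
    if len(words) < 3 or not words[0].startswith("status"):
        return None
    host, _, _test = words[1].rpartition(".")
    return host.replace(",", ".").lower() or None

def accept_report(peercert, message, forward):
    """Forward a report only if it describes the authenticated sender."""
    host = cert_host(peercert)
    if host is None or claimed_host(message) != host:
        return False
    forward(message)
    return True

def forward_unix(message, path=BACKEND):
    """Plain-text hop to the daemon; never leaves the local machine."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(message.encode())

def serve(ctx, port=11984):  # hypothetical port, separate from the plain one
    """Single-threaded accept loop; reads one short report per connection."""
    with socket.create_server(("", port)) as srv:
        while True:
            raw, _addr = srv.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    text = tls.recv(65536).decode(errors="replace")
                    accept_report(tls.getpeercert(), text, forward_unix)
            except (ssl.SSLError, OSError):
                raw.close()  # failed handshake or read: drop the connection
```

A stolen key and certificate still let an attacker report as that one host, which is the limitation described in the reply to point 2; the host check only stops it from reporting as any other host.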



