path: root/debian/patches/07_warn_ssloption.patch
blob: a6f9686acc3c7bd4f14dfb800ade845e7db7dc41 (plain)
Description: Warn against inadequateness of NRPE's own SSL option.
Author: Thijs Kinkhorst <thijs@debian.org>
Forwarded: not-needed

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -91,14 +91,17 @@ Encryption
 ----------
 
 If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using:
-
-   1.  Stunnel (see http://www.stunnel.org for more info)
-   2.  Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
+make sure that you encrypt communications by using, for example,
+Stunnel (see http://www.stunnel.org for more info).
 
 Do **NOT** assume that just because the daemon is behind a firewall
 that you are safe! ***Always encrypt NRPE traffic!***
 
+NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and
+server, and uses pregenerated key material. NRPE's SSL option is
+advised against. For more information, see Debian bug #547092.
+
 
 Using Arguments
 ---------------
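
Review bot: in the added NOTE paragraph, "adequante" is a typo for "adequate", and because this text ends up in the shipped SECURITY.md it should be fixed when the patch is next refreshed. In the same paragraph, "does not verify clients and server" would be clearer as "does not verify either the client or the server", and "NRPE's SSL option is advised against" reads better as "Using NRPE's SSL option is not recommended". The hunk also removes the only pointer to README.SSL.md, so the reference to Debian bug #547092 is now the reader's sole source of detail on the native SSL option; giving it as a full bug link rather than a bare number would make it easier to follow.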