My name is David and I'm a student of Computer Science in Regensburg. I have studied long enough now and everything has its end, so I'm currently writing my diploma thesis. A big part of it is getting my hands dirty on shinken. That's the reason why I'm here to say hi to everybody, and if you need a helping hand, just ask.
To get started with the inner workings of shinken, I started to implement SSL support for it, in the stable tree. Big mistake! When I wanted to port my changes to the master branch, I saw that it was too late: you guys were faster.
So anyway, that's cool, but I have some questions and ideas that I want to share in this regard.
1.) Pyro SSL support is a bit strange:
- Client authentication uses the same cert as the server mode does. Is this a security risk? I don't know, I'm not that much of a security guy. (I'm thinking about swapping client/server connections... but I think replay protection handles this.)
- But much more important: self.ctx.set_allow_unknown_ca in Pyro/protocol.py is a security problem; this allows man-in-the-middle attacks, etc.
2.) Do we really need client authentication for every component? For the arbiter, sure we need it, else we get a botnet-like system. But the other components?
Reactionner and broker need to authenticate too, else the "bad guys" could get secret data (all theoretical).
3.) What about self-signed keys? We could add a known_hosts and authorized_keys infrastructure instead of the CA handling. I have sample code for this,
but this needs a callback infrastructure in Pyro (a set_verify callback interface). Is it worth it?
4.) We could implement the separation of public and private keys: PYROSSL_KEY
Point one is very important and needs checking.
I also recommend that we don't ship certs with the tarball, but generate them at install time.
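The known_hosts-style pinning from point 3, as an added example that is not David's sample code and not code from Pyro or shinken. It uses only Python's standard ssl, hashlib and hmac modules: since the ssl module has no set_verify callback, the pin is checked right after the handshake on the DER certificate returned by getpeercert(binary_form=True), and the connection is closed if it does not match. The pin file format ("<peer name> sha256:<hex>" per line), the function names (decide, verify_peer, connect_pinned) and the CERT_* byte strings are assumptions made for this example; the byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certs). In a live
# connection the bytes come from ssl_sock.getpeercert(binary_form=True).
CERT_BROKER = b"constructed-der-bytes-standing-in-for-the-broker-cert"
CERT_ROGUE = b"constructed-der-bytes-standing-in-for-an-impostor-cert"


def fingerprint(der_cert: bytes) -> str:
    """Pin the whole DER certificate with SHA-256, rendered as 'sha256:<hex>'
    (the same value `openssl x509 -fingerprint -sha256` prints, minus colons)."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


class KnownHosts:
    """known_hosts-style pin store: one '<peer name> sha256:<hex>' per line."""

    def __init__(self, lines=()):
        self.pins = {}
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            name, pin = line.split()
            self.pins[name] = pin.lower()

    def check(self, peer_name: str, der_cert: bytes) -> str:
        """Return 'ok', 'mismatch' or 'unknown' for this peer's certificate."""
        pinned = self.pins.get(peer_name)
        if pinned is None:
            return "unknown"
        # constant-time compare, so timing does not leak the stored pin
        return "ok" if hmac.compare_digest(pinned, fingerprint(der_cert)) else "mismatch"

    def add(self, peer_name: str, der_cert: bytes) -> None:
        self.pins[peer_name] = fingerprint(der_cert)

    def dump(self):
        """Lines in the format __init__ accepts, so the store round-trips to a file."""
        return [f"{name} {pin}" for name, pin in sorted(self.pins.items())]


def decide(known: KnownHosts, peer_name: str, der_cert, trust_on_first_use=False) -> str:
    """Policy step: a missing cert is never ok; an unknown peer is ok only under TOFU,
    in which case its pin is recorded (the ssh known_hosts behaviour)."""
    if not der_cert:
        return "missing"
    verdict = known.check(peer_name, der_cert)
    if verdict == "unknown" and trust_on_first_use:
        known.add(peer_name, der_cert)
        verdict = "ok"
    return verdict


def client_context() -> ssl.SSLContext:
    """TLS client context for self-signed peers.

    CERT_NONE is deliberate: there is no CA to chain to. It is only acceptable
    because verify_peer() enforces the pin before any application data is sent,
    so the trust decision moves from a CA to the pin file. Without the pin check
    this is exactly the allow-unknown-CA problem: any certificate is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verify_peer(ssl_sock, peer_name, known, trust_on_first_use=False) -> str:
    """Apply the pin right after the handshake; close the socket on any failure."""
    der_cert = ssl_sock.getpeercert(binary_form=True)
    verdict = decide(known, peer_name, der_cert, trust_on_first_use)
    if verdict != "ok":
        ssl_sock.close()
        raise ssl.SSLError(f"{peer_name}: certificate {verdict}, refusing to talk")
    return verdict


def connect_pinned(host, port, peer_name, known, trust_on_first_use=False):
    """Open a pinned connection; returns the socket only if the pin check passed."""
    raw = socket.create_connection((host, port))
    ssl_sock = client_context().wrap_socket(raw, server_hostname=host)
    verify_peer(ssl_sock, peer_name, known, trust_on_first_use)
    return ssl_sock
```

The authorized_keys side (the server checking a client certificate) cannot use the same trick with the ssl module, because requesting a client certificate means CERT_REQUIRED, which verifies the chain: load the pinned self-signed client certificates themselves as trust anchors with load_verify_locations(cadata=...), then confirm which client connected with the same fingerprint check on getpeercert(binary_form=True).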