Nagios NRPE does not make any use of x509 certificates. The TLS code is broken by design and has never been secure. This has been known for years.
The only thing the tool does is initiate a "crypted" connection based on a DH key generated at compile time, with no verification whatsoever. This is a major upstream design flaw and can't be fixed with just a patch. There is a long discussion on the Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547092

** Bug watch added: Debian Bug tracker #547092
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547092

** Changed in: nagios-nrpe (Ubuntu)
       Status: New => Opinion

https://bugs.launchpad.net/bugs/1380229

Title:
  Potential Vulnerability for X509 Certificate Verification
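As an added illustration (not part of the original comment and not NRPE's code): a toy Diffie-Hellman exchange showing why key agreement with no peer verification completes normally even when the server's public value is replaced in transit, while an authenticated exchange rejects it. The group parameters, function names, and the pre-shared HMAC key standing in for certificate verification are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: a 127-bit Mersenne prime.
# Real deployments use standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for one DH participant."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive(private, peer_public):
    """Derive a session key from our private value and the peer's public value."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def tag(auth_key, public):
    """Authenticate a public value. HMAC with a pre-shared key is a stand-in
    (assumption) for a signature checked against a verified certificate."""
    return hmac.new(auth_key, public.to_bytes(16, "big"), hashlib.sha256).digest()


def handshake(substitute=False, auth_key=None):
    """Run one client/server exchange.

    substitute: the server's public value is replaced in transit.
    auth_key:   if set, the server authenticates its value and the client checks it.
    Returns (accepted, client_key, server_key).
    """
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    s_tag = tag(auth_key, s_pub) if auth_key else None

    # What the client actually receives on the wire.
    seen_pub = keypair()[1] if substitute else s_pub

    if auth_key and not hmac.compare_digest(s_tag, tag(auth_key, seen_pub)):
        return False, None, None  # authenticated mode detects the swap

    # Without authentication nothing distinguishes seen_pub from s_pub.
    return True, derive(c_priv, seen_pub), derive(s_priv, c_pub)
```

In the unauthenticated case the client accepts the handshake although it no longer shares a key with the real server, which is the property the comment describes as unfixable by a patch alone.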