
Be aware that Salt, for reasons passing understanding, implemented their own encrypted channel (instead of TLS) as an alternative to using SSH, and suffered a grievous vulnerability as a result. I'm not saying don't use Salt (I don't know much about it), but I would recommend using SSH with it, and not its custom transport.


TLS is not possible over zeromq by design. There is work to build encryption directly into zeromq, but it isn't there

(Disclaimer: I used to contribute a lot of code to salt and still do when I have the time)


Why wouldn't it be possible to run zeromq over a TLS-encrypted TCP stream? It looks like people have already built that.


I had a look at how Ansible does 0mq encryption the other day: they do key exchange over SSH and then use keyczar to encrypt data over the socket, so that doesn't look too bad. I didn't look at the key exchange or review things in depth, but, assuming keyczar.Encrypt() does the right thing, it shouldn't be too bad.

