[collectd] network plugin encryption appears broken on RHEL/CentOS 5 & 6?
Peter Kovac
pjkovac at gmail.com
Mon Feb 13 16:52:53 CET 2012
Greetings~
I haven't submitted a bug report yet as I'm not sure if this is a problem
with my setup. I would like to monitor the system performance of multiple
machines with a central collectd server. I was very happy to see that
collectd supports encrypted network traffic. I set up the network plugin
with encryption per the instructions on the collectd website. When I start
collectd on the server, I see a normal startup. When I start a client, I
see the following in /var/log/messages:
"collectd[PID]: Libgcrypt warning: missing initialization - please fix the
application"
On the server, I see repeated entries reading:
"collectd[PID]: network plugin: Decrypting AES256 part failed with status
-1.
collectd[PID]: network plugin: Decryption failed: Checksum mismatch."
I've tried this on RHEL 6.2 & CentOS 5.7 using the collectd 4.10.3-1 RPMs
from the EPEL repos and a hand compiled version of collectd 5.0.2. I tried
this with libgcrypt-1.4.4 on CentOS 5.7, libgcrypt-1.4.5 on RHEL 6.2, and I
hand compiled libgcrypt-1.5.0 (latest) for both. All versions returned the
same result. Configurations for client & server at the bottom of the
messages.
Documentation for gcrypt here:
http://gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html#Initializing-the-library
says that gcrypt must be initialized with "gcry_check_version" before it
can be used. The AIDE bugtracker has some discussion about this same
issue:
http://sourceforge.net/tracker/?func=detail&aid=2763470&group_id=86976&atid=581579
I grep'd through the source but was unable to find such a line. I did some
minimal testing to add such a function to network.c to see if I could force
an initialization but not knowing the source very well, I was unable to
find the spot in the control flow where this should go. My understanding
from the gnupg documentation is that a gcry_version_check() call is
required before any libgcrypt work is done and without delving deeper into
collectd's code, I don't know where that first call is made. I'm hoping
someone with a deeper, current understanding of collectd either knows where
this should go or knows what mistake I've made to produce these errors.
#Client /etc/collectd.conf:
#-----------
LoadPlugin network
<Plugin network>
<Server "192.168.1.2">
SecurityLevel "Encrypt"
Username "user0"
Password "password0"
</Server>
</Plugin>
#---------------
#Server /etc/collectd.conf:
#--------------
<Plugin network>
<Listen "192.168.1.2">
SecurityLevel "Encrypt"
AuthFile "/etc/collectd_authfile.conf"
Interface "eth0"
</Listen>
</Plugin>
#----------------
#Server /etc/collectd_authfile.conf:
#----------------
user0: password0
#----------------
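
A mismatch between the client's Username/Password and the server's AuthFile entry also makes decryption fail, so it is worth ruling out before looking at library initialization. The following is an added example, not part of the original post or of collectd: it cross-checks the two files quoted above. The function names are hypothetical, and the AuthFile handling (comments skipped, surrounding whitespace ignored) is an assumption of this sketch.

```python
import re

# Constructed sample input: the client config and AuthFile quoted in the post.
CLIENT_CONF = """
<Plugin network>
<Server "192.168.1.2">
SecurityLevel "Encrypt"
Username "user0"
Password "password0"
</Server>
</Plugin>
"""
AUTHFILE = "user0: password0\n"

def parse_servers(conf):
    """Return one dict per <Server> block: its address plus its quoted options."""
    servers = []
    blocks = re.findall(r'<Server\s+"([^"]+)"[^>]*>(.*?)</Server>', conf, re.S | re.I)
    for address, body in blocks:
        opts = re.findall(r'^\s*(\w+)\s+"([^"]*)"\s*$', body, re.M)
        servers.append({"address": address, **{k.lower(): v for k, v in opts}})
    return servers

def parse_authfile(text):
    """Parse 'user: password' lines. Assumption of this sketch: blank lines and
    '#' comments are skipped and surrounding whitespace is not significant."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        user, password = line.split(":", 1)
        users[user.strip()] = password.strip()
    return users

def check_credentials(conf, authfile):
    """List mismatches between client <Server> blocks and the server AuthFile."""
    users, findings = parse_authfile(authfile), []
    for srv in parse_servers(conf):
        if srv.get("securitylevel", "none").lower() not in ("encrypt", "sign"):
            continue  # no credentials are needed without signing or encryption
        name, secret = srv.get("username"), srv.get("password")
        if not name or not secret:
            findings.append(f"{srv['address']}: Username/Password missing")
        elif name not in users:
            findings.append(f"{srv['address']}: user {name!r} not in AuthFile")
        elif users[name] != secret:  # report the mismatch, never the secret
            findings.append(f"{srv['address']}: password for {name!r} differs")
    return findings

if __name__ == "__main__":
    print(check_credentials(CLIENT_CONF, AUTHFILE) or "credentials match")
```

An empty result for the files as posted means the credentials agree, which leaves the libgcrypt initialization warning as the remaining lead.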