Re: How to change monit SSL ciphers?

monit-general

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to change monit SSL ciphers?

From:	Jan-Henrik Haukeland
Subject:	Re: How to change monit SSL ciphers?
Date:	Tue, 28 Jan 2014 18:35:26 +0100

This commit should fix this. 
https://bitbucket.org/tildeslash/monit/commits/3785a80d100d1881fb4a8d86707b76f491d2dd0b

Please verify, by downloading latest, 
https://bitbucket.org/tildeslash/monit/get/master.tar.gz



On 28 Jan 2014, at 12:25, Freerk Ohling <address@hidden> wrote:

> Hi,
> 
> while updating from Monit 5.3.1 to the current Monit 5.6 I try to change the 
> CIPHER_LIST in src/ssl.c to something more secure. In order to test this with 
> something simple, I replaced the default "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" 
> with "RC4-SHA:AES256-SHA:AES128-SHA". With a "strings /usr/bin/monit | less" 
> I can see that the changed CIPHER_LIST actually ends up in the binary.
> 
> If I check the local IP on port 2812 with sslscan or a similar tool I always 
> get the same results, no matter if I test the old Monit 5.3.1 with the 
> default CIPHER_LIST, Monit 5.6 with the default CIPHER_LIST or 5.6 with the 
> modified CIPHER_LIST.:
> 
>     Accepted  SSLv3  256 bits  AES256-SHA
>     Accepted  SSLv3  256 bits  CAMELLIA256-SHA
>     Accepted  SSLv3  168 bits  DES-CBC3-SHA
>     Accepted  SSLv3  128 bits  AES128-SHA
>     Accepted  SSLv3  128 bits  SEED-SHA
>     Accepted  SSLv3  128 bits  CAMELLIA128-SHA
>     Accepted  SSLv3  128 bits  RC4-SHA
>     Accepted  SSLv3  128 bits  RC4-MD5
>     Accepted  SSLv3  56 bits   DES-CBC-SHA
> (and the same ciphers for TLSv1 as well)
> 
> Why does it accept the RC4-MD5 cipher? Even the default CIPHER_LIST contains 
> a "!MD5", so there should never be a cipher with MD5 hash used?
> 
> When I run the following on that same host I get a big list of 80 supported 
> ciphers in comparison on the Monit port 2812 I only get 18. And as expected 
> OpenSSL doesn't report a single MD5 cipher:
> openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
> 
> During testing for the available ciphers with sslscan I get many of this 
> entries in the monit.log:
> error    : monit: Openssl engine error: error:1408A0C1:SSL 
> routines:func(138):reason(193)
> 
> Running Monit with the changed CIPHER_LIST I get this message right after 
> startup in the log:
> error    : monit: Cannot initialize SSL server certificate handler -- 
> error:140A90A1:SSL routines:func(169):reason(161)
> 
> I run OpenSSL 1.0.1-4ubuntu5.10 on precise.
> 
> Any ideas what is wrong here? Did someone already successfully changed the 
> ciphers? Do you have the same results running sslscan on port 2812?
> 
> Thanks!
> 
> Freerk
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general

[Prev in Thread]

Current Thread

[Next in Thread]

How to change monit SSL ciphers?, Freerk Ohling, 2014/01/28
- Re: How to change monit SSL ciphers?, Jan-Henrik Haukeland <=
  - Re: How to change monit SSL ciphers?, Freerk Ohling, 2014/01/31

Prev by Date: How to change monit SSL ciphers?
Next by Date: Re: How to change monit SSL ciphers?
Previous by thread: How to change monit SSL ciphers?
Next by thread: Re: How to change monit SSL ciphers?
Index(es):
- Date
- Thread