Re: How to change monit SSL ciphers?
From: Jan-Henrik Haukeland
Subject: Re: How to change monit SSL ciphers?
Date: Tue, 28 Jan 2014 18:35:26 +0100
This commit should fix this.
https://bitbucket.org/tildeslash/monit/commits/3785a80d100d1881fb4a8d86707b76f491d2dd0b
Please verify by downloading the latest:
https://bitbucket.org/tildeslash/monit/get/master.tar.gz
On 28 Jan 2014, at 12:25, Freerk Ohling <address@hidden> wrote:
> Hi,
>
> while updating from Monit 5.3.1 to the current Monit 5.6 I try to change the
> CIPHER_LIST in src/ssl.c to something more secure. In order to test this with
> something simple, I replaced the default "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
> with "RC4-SHA:AES256-SHA:AES128-SHA". With a "strings /usr/bin/monit | less"
> I can see that the changed CIPHER_LIST actually ends up in the binary.
>
> If I check the local IP on port 2812 with sslscan or a similar tool I always
> get the same results, no matter if I test the old Monit 5.3.1 with the
> default CIPHER_LIST, Monit 5.6 with the default CIPHER_LIST or 5.6 with the
> modified CIPHER_LIST:
>
> Accepted SSLv3 256 bits AES256-SHA
> Accepted SSLv3 256 bits CAMELLIA256-SHA
> Accepted SSLv3 168 bits DES-CBC3-SHA
> Accepted SSLv3 128 bits AES128-SHA
> Accepted SSLv3 128 bits SEED-SHA
> Accepted SSLv3 128 bits CAMELLIA128-SHA
> Accepted SSLv3 128 bits RC4-SHA
> Accepted SSLv3 128 bits RC4-MD5
> Accepted SSLv3 56 bits DES-CBC-SHA
> (and the same ciphers for TLSv1 as well)
>
> Why does it accept the RC4-MD5 cipher? Even the default CIPHER_LIST contains
> a "!MD5", so there should never be a cipher with MD5 hash used?
>
> When I run the following on that same host I get a big list of 80 supported
> ciphers; in comparison, on the Monit port 2812 I only get 18. And as expected
> OpenSSL doesn't report a single MD5 cipher:
> openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
>
> During testing for the available ciphers with sslscan I get many of these
> entries in the monit.log:
> error : monit: Openssl engine error: error:1408A0C1:SSL
> routines:func(138):reason(193)
>
> Running Monit with the changed CIPHER_LIST I get this message right after
> startup in the log:
> error : monit: Cannot initialize SSL server certificate handler --
> error:140A90A1:SSL routines:func(169):reason(161)
>
> I run OpenSSL 1.0.1-4ubuntu5.10 on precise.
>
> Any ideas what is wrong here? Did someone already successfully change the
> ciphers? Do you have the same results running sslscan on port 2812?
>
> Thanks!
>
> Freerk
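The mismatch Freerk describes (the server accepting RC4-MD5 although the compiled-in CIPHER_LIST says `!MD5`) is easy to catch by comparing what a scanner reports against what the cipher spec should enable on the same OpenSSL. The script below is an added example, not code from the thread or from Monit: it uses Python's `ssl` module to expand the cipher spec the way `openssl ciphers -v` does, parses sslscan-style `Accepted ...` lines (the sample is constructed from the lines quoted in the post), and flags suites that either contradict the spec or are weak on their own. The function names `expected_ciphers`, `parse_scan` and `audit` are my own.

```python
import re
import ssl

# Cipher spec the post says Monit compiles in by default (from src/ssl.c).
DEFAULT_CIPHER_LIST = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

# Constructed sample: a subset of the sslscan output quoted in the post.
SAMPLE_SCAN = """\
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted TLSv1 128 bits RC4-MD5
"""

SCAN_LINE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")
# Substrings that mark a suite as weak regardless of what the spec allows
# ("DES" also catches 3DES, i.e. DES-CBC3-SHA).
WEAK_MARKERS = ("MD5", "RC4", "DES", "NULL", "EXP")


def expected_ciphers(spec):
    """Suite names the local OpenSSL enables for `spec`, as `openssl ciphers -v` would list them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return {c["name"] for c in ctx.get_ciphers()}


def parse_scan(text):
    """Return (protocol, bits, suite) tuples from sslscan-style 'Accepted ...' lines."""
    out = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def audit(scan_text, spec):
    """Flag accepted suites that the spec should have excluded, and suites weak on their own."""
    expected = expected_ciphers(spec)
    unexpected, weak = set(), set()
    for proto, bits, name in parse_scan(scan_text):
        if name not in expected:          # server ignores the configured spec
            unexpected.add(name)
        if proto == "SSLv3" or bits < 112 or any(m in name for m in WEAK_MARKERS):
            weak.add(name)
    return {"unexpected": sorted(unexpected), "weak": sorted(weak)}


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_SCAN, DEFAULT_CIPHER_LIST).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Any name under `unexpected` means the running daemon is not using the spec you think it is, which is exactly the symptom the commit above addresses.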