Hi. I've had trouble in the past trying to find a value for certmd5 that would be accepted by Monit. No matter what I tried, I always received an error stating that the hash was invalid.
My process for finding the certmd5 value is as follows: run `openssl s_client -connect server:port`, copy the certificate, run `openssl x509 -noout -fingerprint -md5`, paste the certificate, strip out the ':' separators and paste the result into monitrc. Unfortunately, the hash generated by openssl is not accepted by Monit. That is to say, it is syntactically valid, but the hash is reported as being incorrect. I took a look at the code to try to see what was wrong. I've rewritten a small part of ssl.c to fix the problem. A diff against r351 is attached. This is just a hack to get it working and is by no means intended to be included as-is in the trunk. Feedback is always appreciated, thank you. -- Alex
Index: ssl.c
===================================================================
--- ssl.c (revision 351)
+++ ssl.c (working copy)
@@ -244,17 +244,19 @@
 * @return TRUE, if sums do not match FALSE
 */
 int check_ssl_md5sum(ssl_connection *ssl, char *md5sum) {
- unsigned int i = 0;
+ //unsigned int i = 0;
 ASSERT(md5sum);
- while ((i < ssl->cert_md5_len) && (md5sum[2*i] != '\0') && (md5sum[2*i+1] != '\0')) {
+/* while ((i < ssl->cert_md5_len) && (md5sum[2*i] != '\0') && (md5sum[2*i+1] != '\0')) {
 unsigned char c = (md5sum[2*i] > 57 ? md5sum[2*i] - 87 : md5sum[2*i] - 48) * 0x10+ (md5sum[2*i+1] > 57 ? md5sum[2*i+1] - 87 : md5sum[2*i+1] - 48);
 if (c != ssl->cert_md5[i]) return FALSE;
 i++;
 }
- return TRUE;
+ return TRUE;*/
+
+ return (strcmp(md5sum, ssl->cert_md5) == 0);
 }
@@ -937,6 +939,7 @@
 */
 static int update_ssl_cert_data(ssl_connection *ssl) {
 unsigned char md5[EVP_MAX_MD_SIZE];
+ int i, j = 0;
 ASSERT(ssl);
@@ -950,7 +953,14 @@
 ssl->cert_issuer = X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 0);
 ssl->cert_subject = X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0, 0);
 X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
- ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
+ //ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
+ ssl->cert_md5 = malloc((ssl->cert_md5_len * 2) + 1);
+ for(i = 0; i < ssl->cert_md5_len; i++)
+ {
+ snprintf(ssl->cert_md5 + j, 3, "%02x", md5[i]);
+ j += 2;
+ }
+ ssl->cert_md5[j] = 0;
 #ifdef OPENSSL_FIPS
 }
 #endif
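Review bot: The new `strcmp` at the end of check_ssl_md5sum is case-sensitive, while the hex string built later in update_ssl_cert_data uses `%02x` (lowercase); the fingerprint printed by `openssl x509 -fingerprint`, which the mail describes pasting into monitrc, is uppercase, so that exact workflow still fails unless the user lowercases the value. Compare case-insensitively, `return (strcasecmp(md5sum, (char *)ssl->cert_md5) == 0);`, or normalise the configured value to lowercase when it is parsed. The cast is needed because the removed line in the last hunk shows cert_md5 is declared `unsigned char *`, which strcmp/strcasecmp do not accept without a warning. The original loop that is now wrapped in `/* ... */` should be deleted rather than left in place, since the function's contract has changed from comparing raw bytes to comparing hex text.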
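Review bot: The `malloc` result on the new `ssl->cert_md5 = malloc(...)` line is not checked before the loop writes through it; the removed line used the project's checked `xstrdup`, so the matching checked allocator from the same family should be used here, and if update_ssl_cert_data can run more than once for a connection (not visible in this hunk) the previous cert_md5 buffer should be freed first. The loop index `i` declared in the second hunk (`int i, j = 0;`) is a signed `int` compared against `cert_md5_len`, which `X509_digest` fills through an `unsigned int *`; declaring it `unsigned int i, j = 0;` avoids the signed/unsigned comparison. `snprintf` takes a `char *` while cert_md5 is `unsigned char *`, so the write should be `snprintf((char *)ssl->cert_md5 + j, 3, "%02x", md5[i]);`. A short comment above the loop, `/* store the digest as lowercase hex so it can be compared as a string */`, would record the new representation, and the commented-out xstrdup line can be dropped outright.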