With this config:
set httpd port 2812
allow localhost
SSL ENABLE
PEMFILE /etc/certs/monit.pem
CLIENTPEMFILE /etc/certs/monit-client.pem
I got:
# monit status
monit: cannot read status from the monit daemon
And at monit.log:
[EET Dec 28 15:01:56] error : monit: The client did not supply a
required client certificate!
[EET Dec 28 15:01:56] error : monit: cannot read status from the
monit daemon
I expect to get working status.
I have attached a patch to fix this situation: when CLIENTPEMFILE is set, use it for the status connection too.
The patch adds clientpemfile to Ssl_T and fills it in when initializing the status socket, the same idea as in sendmail's open_server. It also frees that memory wherever certmd5 is freed.
The patch is lightly tested.
V1 -> V2
- handle monitor command too
--
Markus Linnala, Chief Systems Architect
Cybercom Finland
Pakkahuoneenaukio 2 A; 33100 Tampere
Mobile +358 40 5919 735
markus.linn...@cybercom.com
www.cybercom.fi | www.cybercom.com
diff -ur monit-5.3.2/src/gc.c monit-5.3.2-maage-ssl/src/gc.c
--- monit-5.3.2/src/gc.c 2011-12-20 22:40:30.000000000 +0200
+++ monit-5.3.2-maage-ssl/src/gc.c 2011-12-28 16:20:03.000000000 +0200
@@ -358,6 +358,7 @@
FREE((*s)->username);
FREE((*s)->password);
FREE((*s)->ssl.certmd5);
+ FREE((*s)->ssl.clientpemfile);
FREE(*s);
}
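Review bot: Nothing in this patch ever assigns `ssl.clientpemfile` on the heap-allocated structs whose destructors gain a `FREE` here; the only non-NULL assignments are the `Str_dup` calls onto stack `Ssl_T` values in status.c and control.c, and no config-parser change is included. The new free is harmless only if these structs are zero-initialised on allocation, which seems likely since `certmd5` is freed the same way, but is not visible in this hunk. If a per-check client certificate is intended, the parser side is missing; if not, these gc.c hunks are dead code for now and a comment such as `/* set only when a CLIENTPEMFILE is configured for this check (not yet wired up) */` would stop the next reader from searching for the setter.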
@@ -403,6 +404,7 @@
FREE((*p)->hostname);
FREE((*p)->pathname);
FREE((*p)->SSL.certmd5);
+ FREE((*p)->SSL.clientpemfile);
FREE((*p)->request_checksum);
FREE((*p)->request_hostheader);
FREE(*p);
@@ -641,6 +643,7 @@
_gc_url(&(*recv)->url);
FREE((*recv)->ssl.certmd5);
+ FREE((*recv)->ssl.clientpemfile);
FREE(*recv);
}
diff -ur monit-5.3.2/src/socket.c monit-5.3.2-maage-ssl/src/socket.c
--- monit-5.3.2/src/socket.c 2011-12-20 22:40:30.000000000 +0200
+++ monit-5.3.2-maage-ssl/src/socket.c 2011-12-28 16:20:03.000000000 +0200
@@ -157,6 +157,7 @@
ssl.use_ssl= use_ssl;
ssl.version= SSL_VERSION_AUTO;
ssl.certmd5= NULL;
+ ssl.clientpemfile= NULL;
return socket_create_t(host, port, type, ssl, timeout);
@@ -421,7 +422,7 @@
int socket_switch2ssl(Socket_T S, Ssl_T ssl) {
- if(! (S->ssl= new_ssl_connection(NULL, ssl.version)))
+ if(! (S->ssl= new_ssl_connection(ssl.clientpemfile, ssl.version)))
return FALSE;
if(! embed_ssl_socket(S->ssl, S->socket))
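Review bot: `socket_switch2ssl` now reads `ssl.clientpemfile` for every caller, so any existing code that builds an `Ssl_T` on the stack and sets only `use_ssl`, `version` and `certmd5` (the pattern `socket_new` had before this patch) now passes an indeterminate pointer to `new_ssl_connection`. The patch fixes `socket_new`, status.c and control.c, but the sendmail `open_server` path the description mentions and any other `socket_create_t` caller are not in the diff and need the same treatment; zero-initialising those sites with `Ssl_T ssl = {0};` would make a future field addition safe by default. The remainder of `socket_switch2ssl` is outside the hunk.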
diff -ur monit-5.3.2/src/ssl.h monit-5.3.2-maage-ssl/src/ssl.h
--- monit-5.3.2/src/ssl.h 2011-12-20 22:40:30.000000000 +0200
+++ monit-5.3.2-maage-ssl/src/ssl.h 2011-12-28 16:20:03.000000000 +0200
@@ -49,6 +49,7 @@
int use_ssl; /**< TRUE if SSL is required for connection */
int version; /**< The SSL version to use for connection */
char *certmd5; /**< The expected md5 sum of the server's certificate */
+ char *clientpemfile /**< The client certificate */
} Ssl_T;
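Review bot: The new member is missing its terminating semicolon, so `ssl.h` no longer compiles: `char *clientpemfile /**< The client certificate */` must read `char *clientpemfile; /**< Path to the client certificate PEM file, or NULL for none */`. The comment should also state ownership, because the patch treats it two ways: gc.c frees the field on config structs, while status.c and control.c `Str_dup` it onto a stack `Ssl_T` that is passed by value and never freed.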
diff -ur monit-5.3.2/src/status.c monit-5.3.2-maage-ssl/src/status.c
--- monit-5.3.2/src/status.c 2011-12-20 22:40:30.000000000 +0200
+++ monit-5.3.2-maage-ssl/src/status.c 2011-12-28 16:20:03.000000000 +0200
@@ -87,8 +87,25 @@
return status;
}
- if(!(sock= socket_new(Run.bind_addr?Run.bind_addr:"localhost", Run.httpdport,
- SOCKET_TCP, Run.httpdssl, NET_TIMEOUT))) {
+ if (!Run.httpdssl) {
+ sock= socket_new(Run.bind_addr?Run.bind_addr:"localhost", Run.httpdport,
+ SOCKET_TCP, Run.httpdssl, NET_TIMEOUT);
+ } else {
+ Ssl_T ssl;
+
+ ssl.use_ssl= Run.httpdssl;
+ ssl.version= SSL_VERSION_AUTO;
+ ssl.certmd5= NULL;
+ ssl.clientpemfile= NULL;
+
+ if (Run.httpsslclientpem)
+ ssl.clientpemfile= Str_dup(Run.httpsslclientpem);
+
+ sock= socket_create_t(Run.bind_addr?Run.bind_addr:"localhost",
+ Run.httpdport, SOCKET_TCP,
+ ssl, NET_TIMEOUT);
+ }
+ if(!sock) {
LogError("%s: error connecting to the monit daemon\n", prog);
return status;
}
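Review bot: The `Str_dup(Run.httpsslclientpem)` copy made on the new `ssl.clientpemfile=` line is never released on the visible path: `ssl` is a stack value passed by value to `socket_create_t`, the gc.c hunks free the field only on config structs, and nothing before `return status` frees it. Unless `socket_create_t` takes ownership (not visible here), this leaks one string per status call; since the path is only needed while the connection is set up, `ssl.clientpemfile= Run.httpsslclientpem;` avoids both the allocation and the ownership question. Note also that `ssl.certmd5` stays NULL, so the client presents its certificate to whatever answers on the httpd port without verifying the daemon's certificate; that matches the pre-patch behaviour but deserves a comment now that a client key is involved. The enclosing function starts before this hunk.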
diff -ur monit-5.3.2/src/control.c monit-5.3.2-maage-ssl/src/control.c
--- monit-5.3.2/src/control.c 2011-12-20 22:40:30.000000000 +0200
+++ monit-5.3.2-maage-ssl/src/control.c 2011-12-29 20:26:59.000000000 +0200
@@ -99,7 +99,24 @@
LogError("%s: Cannot %s service '%s' -- invalid action %s\n",
prog, action, S, action);
return FALSE;
}
- s = socket_new(Run.bind_addr ? Run.bind_addr : "localhost",
Run.httpdport, SOCKET_TCP, Run.httpdssl, NET_TIMEOUT);
+ if (!Run.httpdssl) {
+ s= socket_new(Run.bind_addr?Run.bind_addr:"localhost",
Run.httpdport,
+ SOCKET_TCP, Run.httpdssl, NET_TIMEOUT);
+ } else {
+ Ssl_T ssl;
+
+ ssl.use_ssl= Run.httpdssl;
+ ssl.version= SSL_VERSION_AUTO;
+ ssl.certmd5= NULL;
+ ssl.clientpemfile= NULL;
+
+ if (Run.httpsslclientpem)
+ ssl.clientpemfile= Str_dup(Run.httpsslclientpem);
+
+ s= socket_create_t(Run.bind_addr?Run.bind_addr:"localhost",
+ Run.httpdport, SOCKET_TCP,
+ ssl, NET_TIMEOUT);
+ }
if (!s) {
LogError("%s: Cannot connect to the monit daemon. Did you
start it with http support?\n", prog);
return FALSE;
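Review bot: The SSL setup block added here is a verbatim copy of the one added to status.c in the same patch; both build an `Ssl_T` for the daemon's httpd port from `Run.*` and differ only in the variable name. Move it into one helper in socket.c (a `Socket_T` constructor taking host, port and the optional client PEM path) so that both call sites collapse to a single line and the two copies cannot drift. Separately, the hunk as posted has been wrapped by the mailer: `Run.httpdport,` on its own line and the continuation of the removed `socket_new` call carry no `+`/`-` marker, so the patch will not apply as-is and should be resent as an attachment or with `git send-email`.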