How to change monit SSL ciphers?

Tue, 28 Jan 2014 03:27:43 -0800 

Hi,

while updating from Monit 5.3.1 to the current Monit 5.6 I try to change
the CIPHER_LIST in src/ssl.c to something more secure. In order to test
this with something simple, I replaced the default
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" with "RC4-SHA:AES256-SHA:AES128-SHA".
With a "strings /usr/bin/monit | less" I can see that the changed
CIPHER_LIST actually ends up in the binary.

If I check the local IP on port 2812 with sslscan or a similar tool I
always get the same results, no matter if I test the old Monit 5.3.1 with
the default CIPHER_LIST, Monit 5.6 with the default CIPHER_LIST or 5.6 with
the modified CIPHER_LIST.:

    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  256 bits  CAMELLIA256-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  SEED-SHA
    Accepted  SSLv3  128 bits  CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   DES-CBC-SHA
(and the same ciphers for TLSv1 as well)

Why does it accept the RC4-MD5 cipher? Even the default CIPHER_LIST
contains a "!MD5", so there should never be a cipher with MD5 hash used?

When I run the following on that same host I get a big list of 80 supported
ciphers in comparison on the Monit port 2812 I only get 18. And as expected
OpenSSL doesn't report a single MD5 cipher:
openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'

During testing for the available ciphers with sslscan I get many of this
entries in the monit.log:
error    : monit: Openssl engine error: error:1408A0C1:SSL
routines:func(138):reason(193)

Running Monit with the changed CIPHER_LIST I get this message right after
startup in the log:
error    : monit: Cannot initialize SSL server certificate handler --
error:140A90A1:SSL routines:func(169):reason(161)

I run OpenSSL 1.0.1-4ubuntu5.10 on precise.

Any ideas what is wrong here? Did someone already successfully changed the
ciphers? Do you have the same results running sslscan on port 2812?

Thanks!

Freerk

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Reply via email to