Thanks for the patch! Now it works as expected. Best, Freerk
2014-01-28 Jan-Henrik Haukeland <[email protected]>:
> This commit should fix this.
> https://bitbucket.org/tildeslash/monit/commits/3785a80d100d1881fb4a8d86707b76f491d2dd0b
>
> Please verify, by downloading latest,
> https://bitbucket.org/tildeslash/monit/get/master.tar.gz
>
> On 28 Jan 2014, at 12:25, Freerk Ohling <[email protected]> wrote:
>
> > Hi,
> >
> > while updating from Monit 5.3.1 to the current Monit 5.6 I tried to change
> > the CIPHER_LIST in src/ssl.c to something more secure. In order to test
> > this with something simple, I replaced the default
> > "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" with "RC4-SHA:AES256-SHA:AES128-SHA".
> > With a "strings /usr/bin/monit | less" I can see that the changed
> > CIPHER_LIST actually ends up in the binary.
> >
> > If I check the local IP on port 2812 with sslscan or a similar tool I
> > always get the same results, no matter if I test the old Monit 5.3.1 with
> > the default CIPHER_LIST, Monit 5.6 with the default CIPHER_LIST or 5.6 with
> > the modified CIPHER_LIST:
> >
> > Accepted SSLv3 256 bits AES256-SHA
> > Accepted SSLv3 256 bits CAMELLIA256-SHA
> > Accepted SSLv3 168 bits DES-CBC3-SHA
> > Accepted SSLv3 128 bits AES128-SHA
> > Accepted SSLv3 128 bits SEED-SHA
> > Accepted SSLv3 128 bits CAMELLIA128-SHA
> > Accepted SSLv3 128 bits RC4-SHA
> > Accepted SSLv3 128 bits RC4-MD5
> > Accepted SSLv3 56 bits DES-CBC-SHA
> > (and the same ciphers for TLSv1 as well)
> >
> > Why does it accept the RC4-MD5 cipher? Even the default CIPHER_LIST
> > contains a "!MD5", so a cipher with an MD5 hash should never be used?
> >
> > When I run the following on that same host I get a big list of 80
> > supported ciphers; in comparison, on the Monit port 2812 I only get 18.
> > And as expected OpenSSL doesn't report a single MD5 cipher:
> >
> > openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
> >
> > During testing for the available ciphers with sslscan I get many of these
> > entries in the monit.log:
> >
> > error : monit: Openssl engine error: error:1408A0C1:SSL
> > routines:func(138):reason(193)
> >
> > Running Monit with the changed CIPHER_LIST I get this message right
> > after startup in the log:
> >
> > error : monit: Cannot initialize SSL server certificate handler --
> > error:140A90A1:SSL routines:func(169):reason(161)
> >
> > I run OpenSSL 1.0.1-4ubuntu5.10 on precise.
> >
> > Any ideas what is wrong here? Has someone already successfully changed
> > the ciphers? Do you have the same results running sslscan on port 2812?
> >
> > Thanks!
> >
> > Freerk
-- To unsubscribe: https://lists.nongnu.org/mailman/listinfo/monit-general
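The check Freerk did by hand above (expand the configured cipher string with `openssl ciphers -v`, then compare it with what sslscan reports the server accepting) is worth scripting, because a cipher the scanner accepts that the configured string cannot produce is direct evidence that the running server is not using that string at all. The following is an added example written for this thread, not code from Monit. It uses Python's `ssl` module, which performs the same OpenSSL cipher-string expansion as the `openssl ciphers` command, so it runs offline against the local OpenSSL build; the sslscan lines are a constructed sample copied from the quoted report, and the function and constant names are this example's own.

```python
"""Cross-check a configured OpenSSL cipher string against the ciphers a
scanner saw a server accept.

Added example for this thread, not Monit's own code. Python's ssl module
exposes the same cipher-string expansion as `openssl ciphers -v '<string>'`,
so this runs offline against the local OpenSSL build.
"""
import re
import ssl

# Monit's default CIPHER_LIST as quoted in the thread.
DEFAULT_CIPHER_LIST = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

# Constructed sample input: the sslscan lines quoted in the thread.
SAMPLE_SSLSCAN_OUTPUT = """\
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 56 bits DES-CBC-SHA
"""

ACCEPTED_LINE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$", re.M)


def expand_cipher_string(cipher_string):
    """Cipher names the local OpenSSL resolves `cipher_string` to, in
    preference order, or None when nothing matches.

    The None case is OpenSSL's "no cipher match": a server that tries to
    install such a list fails at startup rather than serving a weaker one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are always listed and are not governed by cipher strings.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def parse_scanner_output(text):
    """(protocol, bits, cipher name) for each sslscan-style 'Accepted' line."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in ACCEPTED_LINE.finditer(text)]


def uses_md5_mac(cipher_name):
    """OpenSSL suite names end with the MAC digest, so '-MD5' means an MD5 MAC."""
    return cipher_name.endswith("-MD5")


def unexpected_ciphers(cipher_string, scanner_text):
    """Accepted cipher names that `cipher_string` would not permit.

    A non-empty result means the server is not running with that list, or
    the local OpenSSL lacks a suite the server's build had; run the check on
    the server's own host and OpenSSL version to rule out the second case.
    """
    allowed = expand_cipher_string(cipher_string)
    if allowed is None:
        raise ValueError(f"{cipher_string!r} matches no cipher on this OpenSSL")
    observed = {name for _, _, name in parse_scanner_output(scanner_text)}
    return sorted(observed - set(allowed))


if __name__ == "__main__":
    print("Expansion of the default list:")
    for name in expand_cipher_string(DEFAULT_CIPHER_LIST):
        print("  ", name)
    print("Accepted by the scanned server but outside the default list:")
    for name in unexpected_ciphers(DEFAULT_CIPHER_LIST, SAMPLE_SSLSCAN_OUTPUT):
        print("  ", name, "(MD5 MAC)" if uses_md5_mac(name) else "")
```

On any OpenSSL build the default string expands to nothing with an MD5 MAC, so RC4-MD5 (and the LOW-strength DES-CBC-SHA) show up as unexpected for the sample scan, which is exactly the symptom reported above. The string `RC4-MD5:!MD5` is included in the test as the failure case: the exclusion removes the only entry, `set_ciphers` raises, and the function returns None, the same condition a server reports when it cannot install its cipher list at startup. The numeric codes in the log can be decoded on the affected host with `openssl errstr 1408A0C1` and `openssl errstr 140A90A1` instead of reading them as func/reason numbers.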
