[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to change monit SSL ciphers?

From: Jan-Henrik Haukeland
Subject: Re: How to change monit SSL ciphers?
Date: Tue, 28 Jan 2014 18:35:26 +0100

This commit should fix this.

Please verify, by downloading latest,

On 28 Jan 2014, at 12:25, Freerk Ohling <address@hidden> wrote:

> Hi,
> while updating from Monit 5.3.1 to the current Monit 5.6 I try to change the 
> CIPHER_LIST in src/ssl.c to something more secure. In order to test this with 
> something simple, I replaced the default "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" 
> with "RC4-SHA:AES256-SHA:AES128-SHA". With a "strings /usr/bin/monit | less" 
> I can see that the changed CIPHER_LIST actually ends up in the binary.
> If I check the local IP on port 2812 with sslscan or a similar tool I always 
> get the same results, no matter if I test the old Monit 5.3.1 with the 
> default CIPHER_LIST, Monit 5.6 with the default CIPHER_LIST or 5.6 with the 
> modified CIPHER_LIST.:
>     Accepted  SSLv3  256 bits  AES256-SHA
>     Accepted  SSLv3  256 bits  CAMELLIA256-SHA
>     Accepted  SSLv3  168 bits  DES-CBC3-SHA
>     Accepted  SSLv3  128 bits  AES128-SHA
>     Accepted  SSLv3  128 bits  SEED-SHA
>     Accepted  SSLv3  128 bits  CAMELLIA128-SHA
>     Accepted  SSLv3  128 bits  RC4-SHA
>     Accepted  SSLv3  128 bits  RC4-MD5
>     Accepted  SSLv3  56 bits   DES-CBC-SHA
> (and the same ciphers for TLSv1 as well)
> Why does it accept the RC4-MD5 cipher? Even the default CIPHER_LIST contains 
> a "!MD5", so there should never be a cipher with MD5 hash used?
> When I run the following on that same host I get a big list of 80 supported 
> ciphers in comparison on the Monit port 2812 I only get 18. And as expected 
> OpenSSL doesn't report a single MD5 cipher:
> openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
> During testing for the available ciphers with sslscan I get many of this 
> entries in the monit.log:
> error    : monit: Openssl engine error: error:1408A0C1:SSL 
> routines:func(138):reason(193)
> Running Monit with the changed CIPHER_LIST I get this message right after 
> startup in the log:
> error    : monit: Cannot initialize SSL server certificate handler -- 
> error:140A90A1:SSL routines:func(169):reason(161)
> I run OpenSSL 1.0.1-4ubuntu5.10 on precise.
> Any ideas what is wrong here? Did someone already successfully changed the 
> ciphers? Do you have the same results running sslscan on port 2812?
> Thanks!
> Freerk
> --
> To unsubscribe:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]