[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ssl: unsafe legacy renegotiation

From: address@hidden
Subject: Re: ssl: unsafe legacy renegotiation
Date: Thu, 9 Feb 2023 22:55:48 +0100

On 9. 2. 2023, at 22:11, wrote:

On 9. 2. 2023, at 20:22, sashk via This is the general mailing list for monit <> wrote:


Google the error and solution. Either update SSL on the cable modem “server” if you can or modify Monit (the client) yourself.

Upgrading ssl is not possible on cable modem, therefore as I stated in my original email:
It seems re-configuring OpenSSL it is possible to do systemwide, but I would like to avoid doing so.

I was hoping there is a way, similar to ssl options {version: TLSV1,... } to enable this setting just for this particular check in monit, not systemwide, as this opens system to CVE-2009-3555.


Yes, that is possible, see snip from Monit 5.27.0:

Version 5.27.0

    Important: (Backward compatibility impact) The SSL "version: auto" now defaults to TLSv1.2 and TLSv1.3 only.
If you need to enable TLSv1.0 or TLSv1.1 (regardless of how insecure it is), you have to explicitly enable it
via the SSL option, example:       set ssl {
       version: tlsv11

I'm sorry, i pointed only to the global option ... it is possible to override the SSL options for particular port test too, see the example from the manual.

The "version" ssl option in the port statement context works the same as on the global "set ssl" context:

    check host example with address

            if failed

                    port 443

                    protocol https

                    with ssl options {selfsigned: allow}

            then alert

reply via email to

[Prev in Thread] Current Thread [Next in Thread]