monit-dev

Re: SSL support


From: Jan-Henrik Haukeland
Subject: Re: SSL support
Date: 19 Sep 2002 19:54:09 +0200
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Civil Service)

Very cool! Oddly enough I'm also working with implementing SSL
support, not for monit though but for my zervlet system and I thought
about moving some code over to monit when I'm done. But this means I
don't have to :-)

Adding SSL to monit is a very good idea and your listed rationale below
for doing this is just my thoughts. 

Two hints 

1) I'm learning SSL from this book http://www.opensslbook.com/ It's
not a particularly good book, but okay and the only one about openssl.
There are also code examples at the web-site, but also not particularly
good..

2) I just browsed through your code (very fast) and I think you will
need two things at least, properly seeding the openssl prng and Thread
locking support since monit uses threads. The last one is tricky but I
have enclosed some of my current code from zervlet, check out
especially Crypto_start/Crypto_stop. It won't compile since there are
some dependencies to other functions in the zervlet lib but will give
you a good start on initializing the ssl library properly. You can use
this code in monit if you want to, never mind the licensing header :-)

(I use two defines you will need to know about. 
#define Thread_T pthread_t
#define Mutex_T pthread_mutex_t

I'm doing it like this since I'm planning on using zervlet on Win32 as well)

Christian Hopp <address@hidden> writes:

> ... maybe I was again programming too early before asking the other
> developers, but the code was flowing too fast from my fingers so I
> can't stop it. (-:
> 
> I have made a client/server (open)ssl wrapper library for monit.  It
> is able to initiate complete ssl connections (including the net stuff)
> or it can add a ssl layer on existing sockets.  Create, close, accept,
> send, recv, gc is implemented. (see ssl.c/ssl.h)
> 
> Why...
> - to check services which are forged via ssl (imaps, https, pop3s...)
> - to check the actual ssl service (e.g. cert issuer, cert age)
> - to give the monit http server ssl support (maybe also with auth over
>   client cert check)
> 
> It is not yet integrated in any code but it already uses monit's code
> for the network stuff.  I have attached the actual code with two demo
> progs to inspire you.  They are test_cli.c and testsrv.c and it should
> be obvious what they do. (-:  Simply unpack it in the monit source,
> compile instruction is in the code.
> 
> Development was done with openssl-0.9.6e.  Btw, I was inspired by two
> demos in the openssl code.
> 
> 
> Bye,
> 
> Christian
> 
> -- 
> Christian Hopp                                email: address@hidden
> Institut für Elektrische Informationstechnik             fon: +49-5323-72-2113
> Technische Universität Clausthal                         fax: +49-5323-72-3197
>   pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc  (2001-11-22)
> 

Attachment: ssl.tgz
Description: ssl.tgz

-- 
Jan-Henrik Haukeland
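
The thread-locking setup the message above refers to, as an added example that is not from the original post and is not zervlet or monit code. It uses pthreads only: `LOCK_FLAG`, `NUM_LOCKS` and every function name are hypothetical stand-ins, and the old OpenSSL interface (`CRYPTO_set_locking_callback`, `CRYPTO_num_locks`) is named only in comments.

```c
#include <pthread.h>
#include <stdlib.h>

#define LOCK_FLAG 1  /* stand-in for OpenSSL's CRYPTO_LOCK mode bit */
#define NUM_LOCKS 8  /* stand-in for the count CRYPTO_num_locks() reports */

static pthread_mutex_t *lock_table;  /* one mutex per library lock slot */
static long shared_counter;          /* stands in for shared library state */

/* Same shape as the callback passed to CRYPTO_set_locking_callback(). */
static void locking_cb(int mode, int n, const char *file, int line) {
    (void)file; (void)line;
    if (mode & LOCK_FLAG) pthread_mutex_lock(&lock_table[n]);
    else pthread_mutex_unlock(&lock_table[n]);
}

/* Build the table before any thread touches the library; 0 on success. */
int locks_start(void) {
    lock_table = malloc(NUM_LOCKS * sizeof *lock_table);
    if (!lock_table) return -1;
    for (int i = 0; i < NUM_LOCKS; i++) pthread_mutex_init(&lock_table[i], NULL);
    return 0;  /* real code registers locking_cb and a thread-id callback here */
}

/* Tear down after all threads are done; real code unregisters first. */
void locks_stop(void) {
    for (int i = 0; i < NUM_LOCKS; i++) pthread_mutex_destroy(&lock_table[i]);
    free(lock_table); lock_table = NULL;
}

static void *worker(void *arg) {
    for (long i = 0; i < *(long *)arg; i++) {
        locking_cb(LOCK_FLAG, 3, __FILE__, __LINE__);  /* acquire slot 3 */
        shared_counter++;
        locking_cb(0, 3, __FILE__, __LINE__);          /* release slot 3 */
    }
    return NULL;
}

/* Run up to 16 workers through the callback; returns the final counter. */
long run_workers(int nthreads, long iters) {
    pthread_t tid[16];
    if (nthreads > 16) nthreads = 16;
    shared_counter = 0;
    for (int i = 0; i < nthreads; i++) pthread_create(&tid[i], NULL, worker, &iters);
    for (int i = 0; i < nthreads; i++) pthread_join(tid[i], NULL);
    return shared_counter;
}

int main(void) { return locks_start() || run_workers(4, 100000) != 400000; }
```

OpenSSL 1.1.0 and later do their own locking, so registering such callbacks matters only for older releases like the 0.9.6e mentioned in the thread.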
