
Re: SSL


From: rory
Subject: Re: SSL
Date: Fri, 11 Oct 2002 10:04:06 -0700 (PDT)

I'm not sure I completely follow everything, but...

We should allow use of private-CA and not return an error. I have noticed
that Internet Exploder on MacOS will not accept a private certificate at
all, and I assume it's because of this error that openssl can return.
In any case, it would bother me to have to fork over bucks for a CA that's
signed by an authority, when all I want to do is to make my personal
system a little more secure.
> On 11 Oct 2002, Jan-Henrik Haukeland wrote:
>
>> Christian Hopp <address@hidden> writes:
>>
>> > Hi!
>> >
>> > There is a new feature for monit-ssl,
>> >
>> > you CAN specify a "client ssl pem file".  That means... monit would
>> > only allow connection if the client supplies a cert fitting a cert
>> > in the "client ssl file" => You need a password AND a sufficient
>> > cert/private key combination on the client for a successful
>> > connection!
>> >
>> > I hope it makes sense???  I am getting confused already with all
>> > those keys and certs. (-:
>> >
>> > But it works... that means... monit status (et al.) connects with
>> > proper client cert and is accepted by monit.  As long as:
>> >
>> > - the client cert has the right "purpose"... of course "client"
>> >
>> > - if the cert is CA certified you have to supply the cert of the ca
>> >   within the "client ssl pem file"
>> >
>> > - for cli support monit uses its own server privkey+cert
>> >
>> > So what I don't know is... should we treat self certified
>> > certificates as errors or should we allow them.  For openssl it's an
>> > error which could be overridden!  Right now monit would throw a
>> > warning to the log but allows the connection.
>> >
>> > What do you think... should I commit?
>>
>> I'm not sure I got all that. Do you mean that monit should only accept
>> connections to its http server if the client sends a valid ca signed
>> certificate? I'm not sure, maybe, probably. The safest is to leave it
>> as a monitrc configure option. (Since not all have a CA signed cert
>> and will have to make up their own it could be a problem for a monit
>> client to speak with a monit daemon over SSL to get status and such)
>>
>
> This only happens if you turn on client pem files.  If not, monit does
> not need any client side certificates.  I can put a statement like
> "allowselfcertification" (or whatever term) to allow self certified
> certificates.
>
> Anyways, somebody should tidy up the "set httpd" statement.  Because
> everything is right now order dependent. )-: Unfortunately I go on
> vacation for the next week, if please somebody else could do me the
> favor of tidying it up. (-:
>
>
> Christian
>
> --
> Christian Hopp                                  email: address@hidden
> Institut für Elektrische Informationstechnik    fon: +49-5323-72-2113
> Technische Universität Clausthal                fax: +49-5323-72-3197
>  pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc (2001-11-22)
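
The rule Christian describes above (the "client ssl pem file" as the list of accepted client certs, the CA cert having to be in that file for CA-issued certs, and a self-signed cert being an openssl error unless it is itself in the file), exercised with the openssl command line as an added example that is not part of the thread or of monit's code. All certificates, file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not monit's own code: exercise the "client ssl pem file" rule
# with the openssl command line. The pem file is the trust list; a client cert
# passes only if it, or the CA that signed it, is in that file and the cert's
# purpose is "sslclient". All certificates below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed key+cert (req -x509 with no -CA signs with its own key).
mk_self_signed() {  # $1 = basename, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Client cert issued by the demo CA created with: mk_self_signed ca ...
mk_ca_signed() {  # $1 = basename, $2 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# What the server side decides: prints OK, or "error N" with openssl's X509
# verify error number (18 = self-signed cert that is not in the pem file,
# 20 = issuing CA not in the pem file). Returns 1 on any error.
check_client() {  # $1 = client ssl pem file, $2 = cert the client presented
  out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1) || true
  case "$out" in *": OK"*) echo OK; return 0 ;; esac
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "error ${code:-?}"
  return 1
}

# Demo material: a CA, a client it signed, a self-certified client, a stranger.
build_demo_certs() {
  mk_self_signed ca "demo CA"
  mk_ca_signed signedclient "ca-signed client"
  mk_self_signed selfclient "self-certified client"
  mk_self_signed stranger "unknown client"
  # The "client ssl pem file": the CA cert plus the self-certified client's cert.
  cat "$WORK/ca.pem" "$WORK/selfclient.pem" > "$WORK/clients.pem"
}

build_demo_certs
for c in signedclient selfclient stranger; do
  printf '%s against clients.pem: ' "$c"
  check_client "$WORK/clients.pem" "$WORK/$c.pem" || true
done
```

Error 18 is the self-signed case the thread is about: openssl reports it as a verify error, and whether the server logs it and still accepts the connection is a policy decision, which is what the proposed allowselfcertification option would make explicit.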
