monit-dev

Re: Status SSL


From: Martin Pala
Subject: Re: Status SSL
Date: Fri, 25 Oct 2002 10:40:59 +0200

Agree with certificate md5sum.

Martin


----- Original Message -----
From: "Christian Hopp" <address@hidden>
To: "Monit Developer Mailinglist" <address@hidden>
Sent: Friday, October 25, 2002 10:11 AM
Subject: Status SSL


Hi!

For 1d18h monit is running on my machine with ssl httpd support plus
client pem auth and services which are forged over ssl are checked
(imap, pop3 and apache)... in a test setting... start+stop are
/bin/true and just a selection of services are being checked.

So far it seems to run stably.  From time to time I do "repeat 100
monit status".  And it does it well too.  And I do not see any memory
increase any more.  There was one patched in the last commit.  Even
though it's difficult because openssl seems to do some unpredictable
caching or garbage collection.

The only thing missing (but could also come in any later release) is
the check of the certificate when ssl forged services are checked.
There would be the following possibilities (I just wanna know what you
think or prefer)...

* Subject of the cert must fit (unhandy)
* md5 sum of the cert must fit
* the cert as a file itself (it starts to get confused with all the
  files... and memory... and what if the cert file of the service and
  the one given to monit are physically the same -> rereading issues)

Personally I prefer the md5 sum of the cert and anyways there is
already code in the ssl.c for handling cert md5 sums.  My idea would
be to enhance the tcpssl statement by adding an optional certmd5
statement like this...

check pop3s with pidfile /var/run/pop3.pid
        port 995 type tcpssl expect certmd5 ccf9dce0c5a45f0bedfd46c2a2ad9ff2
                            protocol pop

"expect" should be a noise word.

And with...

/usr/local/bin/openssl x509 -fingerprint -noout -in pemfile.pem

it's easy to get the cert's md5 sum.

Christian



--
Christian Hopp                                email: address@hidden
Institut für Elektrische Informationstechnik  fon:   +49-5323-72-2113
Technische Universität Clausthal              fax:   +49-5323-72-3197
  pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc (2001-11-22)
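The md5-sum matching that Christian proposes for a `certmd5` option, written out as an added example; this is not code from the thread or from monit itself. It parses a PEM certificate to its DER bytes, hashes them, and compares the result against the value an operator would copy into the config, accepting either the bare lowercase hex form shown in the `check pop3s` snippet or the colon-separated uppercase form that `openssl x509 -fingerprint` prints. The certificate bytes are a constructed placeholder (not a real certificate) so the example runs offline; `fetch_peer_cert_pem` is the only piece that touches the network and is there for use against a live service. Two practitioner notes: the `-fingerprint` option of current OpenSSL prints SHA-1 unless you pass `-md5` explicitly, and for a new deployment a SHA-256 pin (the `algo` parameter here) is the stronger choice, since MD5 collisions are practical.

```python
"""Certificate fingerprint pinning in the style of the proposed
`certmd5` check (added example; not monit's code)."""
import base64
import hashlib
import hmac
import re
import ssl

# Constructed placeholder: NOT a real X.509 certificate, just bytes
# wrapped in PEM armour so the parse -> hash -> compare path can be
# exercised offline.  A real check feeds in the service's own cert.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")  # wraps at 76 cols; fine for the parser
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # Drop all whitespace (line wrapping differs between tools) before decoding.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the DER encoding as lowercase hex without colons,
    i.e. the form written into the monit config line."""
    return hashlib.new(algo, der).hexdigest()


def openssl_style(fp_hex: str) -> str:
    """Render a hex digest the way `openssl x509 -fingerprint` prints it:
    uppercase byte pairs joined by colons."""
    upper = fp_hex.upper()
    return ":".join(upper[i : i + 2] for i in range(0, len(upper), 2))


def normalize(fp: str) -> str:
    """Accept either config form or openssl form of a fingerprint."""
    return fp.replace(":", "").strip().lower()


def certmd5_matches(pem: str, expected: str, algo: str = "md5") -> bool:
    """True if the certificate in `pem` has the expected fingerprint.
    The comparison is constant-time; the digest length is checked first
    so a truncated pin can never match."""
    actual = fingerprint(pem_to_der(pem), algo)
    wanted = normalize(expected)
    if len(wanted) != len(actual):
        return False
    return hmac.compare_digest(actual, wanted)


def fetch_peer_cert_pem(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate a live TLS service presents, as PEM.
    No CA verification is done here on purpose: the pin comparison in
    certmd5_matches() is the check.  Not called in the offline example."""
    return ssl.get_server_certificate((host, port), timeout=timeout)


if __name__ == "__main__":
    pin = fingerprint(SAMPLE_DER)
    print("config form :", pin)
    print("openssl form:", openssl_style(pin))
    print("match       :", certmd5_matches(SAMPLE_PEM, openssl_style(pin)))
```

To pin a real service, run `fetch_peer_cert_pem("pop.example.invalid", 995)` once on a trusted path, record `fingerprint(pem_to_der(pem), "sha256")`, and then have the monitor call `certmd5_matches` on every check; a change in the fingerprint is the signal that the service's certificate was rotated or replaced, which is exactly the condition the thread wants monit to alarm on.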



_______________________________________________
monit-dev mailing list
address@hidden
http://mail.nongnu.org/mailman/listinfo/monit-dev
