monit-dev

Re: Status SSL


From: rory
Subject: Re: Status SSL
Date: Fri, 25 Oct 2002 09:05:08 -0700 (PDT)

+1 for md5sum

Agree with certificate md5sum.
>
> Martin
>
>
> ----- Original Message -----
> From: "Christian Hopp" <address@hidden>
> To: "Monit Developer Mailinglist" <address@hidden>
> Sent: Friday, October 25, 2002 10:11 AM
> Subject: Status SSL
>
>
> Hi!
>
> For 1d18h monit is running on my machine with ssl httpd support plus
> client pem auth and services which are forged over ssl are checked
> (imap, pop3 and apache)... in a test setting... start+stop are
> /bin/true and just a selection of services are being checked.
>
> So far it seems to run stable.  From time to time I do "repeat 100
> monit status".  And it does it well too.  And I do not see any memory
> increase any more.  There was one patched in the last commit.  Even
> though it's difficult because openssl seems to do some unpredictable
> caching or garbage collection.
>
> The only thing missing (but could also come in any later release) is
> the check of the certificate when ssl forged services are checked.
> There would be the following possibilities (I just wanna know what you
> think or prefer)...
>
> * Subject of the cert must fit (unhandy)
> * md5 sum of the cert must fit
> * the cert as a file itself (it starts to get confused with all the
>  files... and memory... and what if the cert file of the service and
>  that what's given to monit are physically the same -> rereading issues)
>
> Personally I prefer the md5 sum of the cert and anyways there is
> already code in the ssl.c for handling cert md5 sums.  My idea would be
> to enhance the tcpssl statement by adding an optional certmd5
> statement like this...
>
> check pop3s with pidfile /var/run/pop3.pid
>        port 995 type tcpssl expect certmd5 ccf9dce0c5a45f0bedfd46c2a2ad9ff2
>        protocol pop
>
> "expect" should be a noise word.
>
> And with...
>
> /usr/local/bin/openssl x509 -fingerprint -noout -in pemfile.pem
>
> it's easy to get the cert's md5 sum.
>
> Christian
>
>
>
> --
> Christian Hopp                                email: address@hidden
> Institut für Elektrische Informationstechnik  fon: +49-5323-72-2113
> Technische Universität Clausthal              fax: +49-5323-72-3197
>  pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc (2001-11-22)
>
>
>
> _______________________________________________
> monit-dev mailing list
> address@hidden
> http://mail.nongnu.org/mailman/listinfo/monit-dev

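An added example, not part of the original messages or of monit's ssl.c: one way to implement the certificate fingerprint comparison proposed in the thread, in Python. It goes beyond the thread by also accepting SHA-256, since MD5 is no longer collision-resistant; the function names, `fetch_peer_cert` and the sample bytes are assumptions made here, and current OpenSSL releases need `-md5` added to the quoted `x509 -fingerprint` command to print an MD5 value.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'MD5 Fingerprint=CC:F9:...' (openssl output) or bare hex (config value)."""
    value = text.strip().split("=", 1)[-1]
    value = value.replace(":", "").replace(" ", "").lower()
    if not value or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("fingerprint is not hexadecimal")
    return value


def cert_fingerprint(der_bytes, algorithm="md5"):
    """Digest over the DER encoding of the whole certificate, lowercase hex."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def cert_matches(der_bytes, expected, algorithm="md5"):
    """True if the certificate's fingerprint equals the pinned value."""
    want = normalize_fingerprint(expected)
    if len(want) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("pinned value has the wrong length for " + algorithm)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(cert_fingerprint(der_bytes, algorithm), want)


def fetch_peer_cert(host, port, timeout=10):
    """Return the server's leaf certificate as DER. Chain validation is off
    because the fingerprint comparison is the check being made here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# plain digest of the DER bytes, so any byte string exercises the comparison.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for DER certificate bytes")
SAMPLE_DER = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)
```

A monitor would call `cert_matches(fetch_peer_cert(host, 995), pinned)` on each cycle and alert on `False`, which means the served certificate changed, whether through renewal or interception.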





