[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[monit-dev] [monit] r314 committed - disable ssl session cache
|
From: |
monit |
|
Subject: |
[monit-dev] [monit] r314 committed - disable ssl session cache |
|
Date: |
Sun, 19 Dec 2010 22:03:49 +0000 |
Revision: 314
Author: address@hidden
Date: Sun Dec 19 14:03:05 2010
Log: disable ssl session cache
http://code.google.com/p/monit/source/detail?r=314
Modified:
/trunk/README.SSL
/trunk/doc/monit.html
/trunk/ssl.c
=======================================
--- /trunk/README.SSL Sat Nov 7 14:10:27 2009
+++ /trunk/README.SSL Sun Dec 19 14:03:05 2010
@@ -234,16 +234,13 @@
In order to generate the actual pemfile just run these commands:
# Generates the private key and the certificate
-/usr/local/bin/openssl req -new -x509 -days 365 -nodes \
- -config ./monit.cnf -out /var/certs/monit.pem \
- -keyout /var/certs/monit.pem
+openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out
/var/certs/monit.pem -keyout /var/certs/monit.pem
# Generates the Diffie-Hellman Parameters
-/usr/local/bin/openssl gendh 512 >> /var/certs/monit.pem
+openssl gendh 512 >> /var/certs/monit.pem
# Prints out the certificate information
-/usr/local/bin/openssl x509 -subject -dates -fingerprint -noout \
- -in /var/certs/monit.pem
+openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem
=======================================
--- /trunk/doc/monit.html Tue Sep 21 01:18:15 2010
+++ /trunk/doc/monit.html Sun Dec 19 14:03:05 2010
@@ -528,9 +528,7 @@
<p>Monit will then not monitor the service. This allows for having
services configured in monitrc and start it with Monit only if it
should run. This feature can be used to build a simple failsafe
-cluster. To see how, read more about how to setup a cluster with
-Monit using the <em>heartbeat</em> system in the examples sections
-below.</p>
+cluster.</p>
<p>A service's monitoring state is persistent across Monit restart.
This means that you probably would like to make certain that
services in manual mode are stopped or in unmonitored mode at
=======================================
--- /trunk/ssl.c Wed Aug 11 00:45:16 2010
+++ /trunk/ssl.c Sun Dec 19 14:03:05 2010
@@ -178,56 +178,53 @@
* @return The ssl connection or NULL if an error occured.
*/
int embed_ssl_socket(ssl_connection *ssl, int socket) {
-
int ssl_error;
time_t ssl_time;
- if(!ssl)
+ if (!ssl)
return FALSE;
- if(!ssl_initialized)
+ if (!ssl_initialized)
start_ssl();
- if(socket >= 0) {
- ssl->socket= socket;
+ if (socket >= 0) {
+ ssl->socket = socket;
} else {
LogError("%s: Socket error!\n", prog);
goto sslerror;
}
- if((ssl->handler= SSL_new (ssl->ctx)) == NULL) {
+ if ((ssl->handler = SSL_new (ssl->ctx)) == NULL) {
LogError("%s: Cannot initialize the SSL handler -- %s\n", prog,
SSLERROR);
goto sslerror;
}
set_noblock(ssl->socket);
- if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
+ if ((ssl->socket_bio = BIO_new_socket(ssl->socket, BIO_NOCLOSE)) ==
NULL) {
LogError("%s: Cannot generate IO buffer -- %s\n", prog, SSLERROR);
goto sslerror;
}
SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
- ssl_time= time(NULL);
-
- while((ssl_error= SSL_connect (ssl->handler)) < 0) {
-
- if((time(NULL) - ssl_time) > SSL_TIMEOUT) {
+ ssl_time = time(NULL);
+
+ while ((ssl_error = SSL_connect (ssl->handler)) < 0) {
+ if ((time(NULL) - ssl_time) > SSL_TIMEOUT) {
LogError("%s: SSL service timeout!\n", prog);
goto sslerror;
}
- if(!handle_error(ssl_error, ssl))
+ if (!handle_error(ssl_error, ssl))
goto sslerror;
- if(!BIO_should_retry(ssl->socket_bio))
+ if (!BIO_should_retry(ssl->socket_bio))
goto sslerror;
-
}
- ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
-
- if(! update_ssl_cert_data(ssl)) {
+ ssl->cipher = (char *) SSL_get_cipher(ssl->handler);
+
+ if (! update_ssl_cert_data(ssl)) {
LogError("%s: Cannot get the SSL server certificate!\n", prog);
goto sslerror;
}
@@ -235,11 +232,8 @@
return TRUE;
sslerror:
-
cleanup_ssl_socket(ssl);
-
return FALSE;
-
}
@@ -250,29 +244,17 @@
* @return TRUE, if sums do not match FALSE
*/
int check_ssl_md5sum(ssl_connection *ssl, char *md5sum) {
-
- unsigned int i= 0;
+ unsigned int i = 0;
ASSERT(md5sum);
- while (( i < ssl->cert_md5_len ) &&
- ( md5sum[2*i] != '\0' ) &&
- ( md5sum[2*i+1] != '\0' ))
- {
-
- unsigned char c=
- (md5sum[2*i] > 57 ? md5sum[2*i] - 87 : md5sum[2*i] - 48) * 0x10+
- (md5sum[2*i+1] > 57 ? md5sum[2*i+1] - 87 : md5sum[2*i+1] - 48);
-
- if(c != ssl->cert_md5[i])
+ while ((i < ssl->cert_md5_len) && (md5sum[2*i] != '\0') &&
(md5sum[2*i+1] != '\0')) {
+ unsigned char c = (md5sum[2*i] > 57 ? md5sum[2*i] - 87 : md5sum[2*i] -
48) * 0x10+ (md5sum[2*i+1] > 57 ? md5sum[2*i+1] - 87 : md5sum[2*i+1] - 48);
+ if (c != ssl->cert_md5[i])
return FALSE;
-
- i ++;
-
- }
-
+ i++;
+ }
return TRUE;
-
}
@@ -282,22 +264,20 @@
* @return TRUE, or FALSE if an error has occured.
*/
int close_ssl_socket(ssl_connection *ssl) {
-
int rv;
- if(!ssl)
+ if (!ssl)
return FALSE;
- if(! (rv= SSL_shutdown(ssl->handler))) {
+ if (! (rv = SSL_shutdown(ssl->handler))) {
shutdown(ssl->socket, 1);
- rv= SSL_shutdown(ssl->handler);
+ rv = SSL_shutdown(ssl->handler);
}
close_socket(ssl->socket);
cleanup_ssl_socket(ssl);
- return (rv > 0)?TRUE:FALSE;
-
+ return (rv > 0) ? TRUE : FALSE;
}
@@ -306,19 +286,17 @@
* @param ssl ssl connection
*/
void delete_ssl_socket(ssl_connection *ssl) {
-
- if(!ssl)
+ if (!ssl)
return;
cleanup_ssl_socket(ssl);
- if(ssl->ctx && !ssl->accepted)
+ if (ssl->ctx && !ssl->accepted)
SSL_CTX_free(ssl->ctx);
- ssl->ctx= NULL;
+ ssl->ctx = NULL;
FREE(ssl);
-
}
@@ -333,72 +311,64 @@
ASSERT(pemfile);
- if(!ssl_initialized)
+ if (!ssl_initialized)
start_ssl();
ssl_server = new_ssl_server_connection(pemfile, clientpemfile);
#ifdef OPENSSL_FIPS
- if (FIPS_mode()) {
- server_method = TLSv1_server_method();
- }
- else {
- server_method = SSLv23_server_method();
- }
+ if (FIPS_mode())
+ server_method = TLSv1_server_method();
+ else
+ server_method = SSLv23_server_method();
#else
server_method = SSLv23_server_method();
#endif
- if(!(ssl_server->method= server_method)) {
+ if (!(ssl_server->method = server_method)) {
LogError("%s: Cannot initialize the SSL method -- %s\n", prog,
SSLERROR);
goto sslerror;
}
- if(!(ssl_server->ctx= SSL_CTX_new(ssl_server->method))) {
- LogError("%s: Cannot initialize SSL server certificate handler
-- %s\n",
- prog, SSLERROR);
+ if (!(ssl_server->ctx = SSL_CTX_new(ssl_server->method))) {
+ LogError("%s: Cannot initialize SSL server certificate handler
-- %s\n", prog, SSLERROR);
goto sslerror;
}
- if(SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
- LogError("%s: Cannot initialize SSL server certificate -- %s\n",
- prog, SSLERROR);
+ if (SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
+ LogError("%s: Cannot initialize SSL server certificate -- %s\n", prog,
SSLERROR);
goto sslerror;
}
- if(SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile,
- SSL_FILETYPE_PEM) != 1) {
- LogError("%s: Cannot initialize SSL server private key -- %s\n",
- prog, SSLERROR);
+ if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile,
SSL_FILETYPE_PEM) != 1) {
+ LogError("%s: Cannot initialize SSL server private key -- %s\n", prog,
SSLERROR);
goto sslerror;
}
- if(SSL_CTX_check_private_key(ssl_server->ctx) != 1) {
- LogError("%s: The private key doesn't match the certificate public key
-- %s\n",
- prog, SSLERROR);
+ if (SSL_CTX_check_private_key(ssl_server->ctx) != 1) {
+ LogError("%s: The private key doesn't match the certificate public key
-- %s\n", prog, SSLERROR);
goto sslerror;
}
+
+ /* Disable session cache */
+ SSL_CTX_set_session_cache_mode(ssl_server->ctx, SSL_SESS_CACHE_OFF);
/*
* We need this to force transmission of client certs
*/
if (!verify_init(ssl_server)) {
- LogError("%s: Verification engine was not properly initialized
-- %s\n",
- prog, SSLERROR);
+ LogError("%s: Verification engine was not properly initialized
-- %s\n", prog, SSLERROR);
goto sslerror;
}
- if(ssl_server->clientpemfile) {
- STACK_OF(X509_NAME) *stack=
SSL_CTX_get_client_CA_list(ssl_server->ctx);
+ if (ssl_server->clientpemfile) {
+ STACK_OF(X509_NAME) *stack =
SSL_CTX_get_client_CA_list(ssl_server->ctx);
LogInfo("%s: Found %d client certificates\n", prog,
sk_X509_NAME_num(stack));
}
return ssl_server;
sslerror:
-
delete_ssl_server_socket(ssl_server);
-
return NULL;
-
}
@@ -407,17 +377,15 @@
* @param ssl_server data for ssl server connection
*/
void delete_ssl_server_socket(ssl_server_connection *ssl_server) {
-
- if(!ssl_server)
+ if (!ssl_server)
return;
cleanup_ssl_server_socket(ssl_server);
- if(ssl_server->ctx)
+ if (ssl_server->ctx)
SSL_CTX_free(ssl_server->ctx);
FREE(ssl_server);
-
}
@@ -427,45 +395,43 @@
* @return new SSL connection for the connection, or NULL if failed
*/
ssl_connection *insert_accepted_ssl_socket(ssl_server_connection
*ssl_server) {
-
ssl_connection *ssl;
ASSERT(ssl_server);
- if(!ssl_initialized)
+ if (!ssl_initialized)
start_ssl();
NEW(ssl);
- ssl->method= NULL;
- ssl->handler= NULL;
- ssl->cert= NULL;
- ssl->cipher= NULL;
- ssl->socket= 0;
- ssl->next= NULL;
- ssl->accepted= FALSE;
+ ssl->method = NULL;
+ ssl->handler = NULL;
+ ssl->cert = NULL;
+ ssl->cipher = NULL;
+ ssl->socket = 0;
+ ssl->next = NULL;
+ ssl->accepted = FALSE;
ssl->cert_md5= NULL;
- ssl->cert_md5_len= 0;
- ssl->clientpemfile= NULL;
-
- if(ssl_server->clientpemfile!=NULL)
- ssl->clientpemfile= xstrdup(ssl_server->clientpemfile);
+ ssl->cert_md5_len = 0;
+ ssl->clientpemfile = NULL;
+
+ if (ssl_server->clientpemfile != NULL)
+ ssl->clientpemfile = xstrdup(ssl_server->clientpemfile);
LOCK(ssl_mutex);
- ssl->prev= NULL;
- ssl->next= ssl_server->ssl_conn_list;
-
- if( ssl->next != NULL )
- ssl->next->prev= ssl;
+ ssl->prev = NULL;
+ ssl->next = ssl_server->ssl_conn_list;
+
+ if ( ssl->next != NULL )
+ ssl->next->prev = ssl;
END_LOCK;
- ssl_server->ssl_conn_list= ssl;
- ssl->ctx= ssl_server->ctx;
- ssl->accepted= TRUE;
+ ssl_server->ssl_conn_list = ssl;
+ ssl->ctx = ssl_server->ctx;
+ ssl->accepted = TRUE;
return ssl;
-
}
@@ -475,25 +441,22 @@
* @param ssl_server data for ssl server connection
* @param ssl data the connection to be deleted
*/
-void close_accepted_ssl_socket(ssl_server_connection *ssl_server,
- ssl_connection *ssl) {
-
- if(!ssl || !ssl_server)
+void close_accepted_ssl_socket(ssl_server_connection *ssl_server,
ssl_connection *ssl) {
+ if (!ssl || !ssl_server)
return;
close_socket(ssl->socket);
LOCK(ssl_mutex);
- if(ssl->prev == NULL)
- ssl_server->ssl_conn_list= ssl->next;
+ if (ssl->prev == NULL)
+ ssl_server->ssl_conn_list = ssl->next;
else
- ssl->prev->next= ssl->next;
+ ssl->prev->next = ssl->next;
END_LOCK;
delete_ssl_socket(ssl);
-
}
@@ -504,68 +467,66 @@
* @return TRUE, or FALSE if an error has occured.
*/
int embed_accepted_ssl_socket(ssl_connection *ssl, int socket) {
-
int ssl_error;
time_t ssl_time;
ASSERT(ssl);
- ssl->socket= socket;
-
- if(!ssl_initialized)
+ ssl->socket = socket;
+
+ if (!ssl_initialized)
start_ssl();
- if(!(ssl->handler= SSL_new(ssl->ctx))) {
+ if (!(ssl->handler = SSL_new(ssl->ctx))) {
LogError("%s: Cannot initialize the SSL handler -- %s\n", prog,
SSLERROR);
return FALSE;
}
- if(socket < 0) {
+ if (socket < 0) {
LogError("%s: Socket error!\n", prog);
return FALSE;
}
set_noblock(ssl->socket);
- if(!(ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE))) {
+ if (!(ssl->socket_bio = BIO_new_socket(ssl->socket, BIO_NOCLOSE))) {
LogError("%s: Cannot generate IO buffer -- %s\n", prog, SSLERROR);
return FALSE;
}
SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
- ssl_time= time(NULL);
-
- while((ssl_error= SSL_accept(ssl->handler)) < 0) {
-
- if((time(NULL) - ssl_time) > SSL_TIMEOUT) {
+ ssl_time = time(NULL);
+
+ while ((ssl_error = SSL_accept(ssl->handler)) < 0) {
+
+ if ((time(NULL) - ssl_time) > SSL_TIMEOUT) {
LogError("%s: SSL service timeout!\n", prog);
return FALSE;
}
- if(!handle_error(ssl_error, ssl))
+ if (!handle_error(ssl_error, ssl))
return FALSE;
- if(!BIO_should_retry(ssl->socket_bio))
+ if (!BIO_should_retry(ssl->socket_bio))
return FALSE;
}
- ssl->cipher= (char *)SSL_get_cipher(ssl->handler);
-
- if(!update_ssl_cert_data(ssl) && ssl->clientpemfile) {
+ ssl->cipher = (char *)SSL_get_cipher(ssl->handler);
+
+ if (!update_ssl_cert_data(ssl) && ssl->clientpemfile) {
LogError("%s: The client did not supply a required client
certificate!\n",
prog);
return FALSE;
}
- if(SSL_get_verify_result(ssl->handler) > 0) {
+ if (SSL_get_verify_result(ssl->handler) > 0) {
LogError("%s: Verification of the certificate has failed!\n", prog);
return FALSE;
}
return TRUE;
-
}
@@ -578,19 +539,15 @@
* @return number of bytes transmitted, -1 in case of an error
*/
int send_ssl_socket(ssl_connection *ssl, void *buffer, int len, int
timeout) {
-
- int n= 0;
+ int n = 0;
ASSERT(ssl);
do {
- n= SSL_write(ssl->handler, buffer, len);
- } while(n <= 0 &&
- BIO_should_retry(ssl->socket_bio) &&
- can_write(ssl->socket, timeout));
-
- return (n > 0)?n:-1;
-
+ n = SSL_write(ssl->handler, buffer, len);
+ } while (n <= 0 && BIO_should_retry(ssl->socket_bio) &&
can_write(ssl->socket, timeout));
+
+ return (n > 0) ? n : -1;
}
@@ -603,19 +560,15 @@
* @return number of bytes transmitted, -1 in case of an error
*/
int recv_ssl_socket(ssl_connection *ssl, void *buffer, int len, int
timeout) {
-
- int n= 0;
+ int n = 0;
ASSERT(ssl);
do {
- n= SSL_read(ssl->handler, buffer, len);
- } while(n < 0 &&
- BIO_should_retry(ssl->socket_bio) &&
- can_read(ssl->socket, timeout));
-
- return (n >= 0)?n:-1;
-
+ n = SSL_read(ssl->handler, buffer, len);
+ } while (n < 0 && BIO_should_retry(ssl->socket_bio) &&
can_read(ssl->socket, timeout));
+
+ return (n >= 0) ? n : -1;
}
@@ -624,19 +577,17 @@
* @return TRUE, or FALSE if an error has occured.
*/
void stop_ssl() {
-
- if(ssl_initialized) {
+ if (ssl_initialized) {
int i;
- ssl_initialized= FALSE;
+ ssl_initialized = FALSE;
ERR_free_strings();
CRYPTO_set_id_callback(NULL);
CRYPTO_set_locking_callback(NULL);
- for(i= 0; i < CRYPTO_num_locks(); i++)
+ for (i = 0; i < CRYPTO_num_locks(); i++)
assert(pthread_mutex_destroy(&ssl_mutex_table[i]) == 0);
FREE(ssl_mutex_table);
RAND_cleanup();
}
-
}
@@ -644,9 +595,7 @@
* Configures the ssl engine
*/
void config_ssl(int conf_allow_self_cert) {
-
- allow_self_certification= conf_allow_self_cert;
-
+ allow_self_certification = conf_allow_self_cert;
}
@@ -655,61 +604,60 @@
* @return ssl connection container
*/
ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) {
-
ssl_connection *ssl;
- if(!ssl_initialized)
+ if (!ssl_initialized)
start_ssl();
NEW(ssl);
- ssl->socket_bio= NULL;
- ssl->handler= NULL;
- ssl->cert= NULL;
- ssl->cipher= NULL;
- ssl->socket= 0;
+ ssl->socket_bio = NULL;
+ ssl->handler = NULL;
+ ssl->cert = NULL;
+ ssl->cipher = NULL;
+ ssl->socket = 0;
ssl->next = NULL;
ssl->accepted = FALSE;
ssl->cert_md5 = NULL;
ssl->cert_md5_len = 0;
- ssl->clientpemfile= clientpemfile?xstrdup(clientpemfile):NULL;
+ ssl->clientpemfile = clientpemfile ? xstrdup(clientpemfile) : NULL;
switch (sslversion) {
case SSL_VERSION_AUTO:
#ifdef OPENSSL_FIPS
- if (FIPS_mode()) {
- ssl->method = TLSv1_client_method();
- } else {
+ if (FIPS_mode()) {
+ ssl->method = TLSv1_client_method();
+ } else {
#endif
- ssl->method = SSLv23_client_method();
+ ssl->method = SSLv23_client_method();
#ifdef OPENSSL_FIPS
- }
+ }
#endif
break;
case SSL_VERSION_SSLV2:
#ifdef OPENSSL_FIPS
- if (FIPS_mode()) {
- LogError("SSLv2 is not allowed in FIPS mode - use TLSv1");
- goto sslerror;
- } else {
+ if (FIPS_mode()) {
+ LogError("SSLv2 is not allowed in FIPS mode - use TLSv1");
+ goto sslerror;
+ } else {
#endif
- ssl->method = SSLv2_client_method();
+ ssl->method = SSLv2_client_method();
#ifdef OPENSSL_FIPS
- }
+ }
#endif
break;
case SSL_VERSION_SSLV3:
#ifdef OPENSSL_FIPS
- if (FIPS_mode()) {
- LogError("SSLv3 is not allowed in FIPS mode - use TLSv1");
- goto sslerror;
- } else {
+ if (FIPS_mode()) {
+ LogError("SSLv3 is not allowed in FIPS mode - use TLSv1");
+ goto sslerror;
+ } else {
#endif
ssl->method = SSLv3_client_method();
#ifdef OPENSSL_FIPS
- }
+ }
#endif
break;
@@ -723,35 +671,30 @@
}
- if(!ssl->method) {
+ if (!ssl->method) {
LogError("%s: Cannot initialize SSL method -- %s\n", prog, SSLERROR);
goto sslerror;
}
- if(!(ssl->ctx= SSL_CTX_new(ssl->method))) {
- LogError("%s: Cannot initialize SSL server certificate handler
-- %s\n",
- prog, SSLERROR);
+ if (!(ssl->ctx = SSL_CTX_new(ssl->method))) {
+ LogError("%s: Cannot initialize SSL server certificate handler
-- %s\n", prog, SSLERROR);
goto sslerror;
}
- if(ssl->clientpemfile) {
-
- if(SSL_CTX_use_certificate_chain_file(ssl->ctx, ssl->clientpemfile) <=
0) {
- LogError("%s: Cannot initialize SSL server certificate -- %s\n",
- prog, SSLERROR);
+ if (ssl->clientpemfile) {
+
+ if (SSL_CTX_use_certificate_chain_file(ssl->ctx, ssl->clientpemfile)
<= 0) {
+ LogError("%s: Cannot initialize SSL server certificate -- %s\n",
prog, SSLERROR);
goto sslerror;
}
- if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile,
- SSL_FILETYPE_PEM) <= 0) {
- LogError("%s: Cannot initialize SSL server private key -- %s\n",
- prog, SSLERROR);
+ if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile,
SSL_FILETYPE_PEM) <= 0) {
+ LogError("%s: Cannot initialize SSL server private key -- %s\n",
prog, SSLERROR);
goto sslerror;
}
- if(!SSL_CTX_check_private_key(ssl->ctx)) {
- LogError("%s: Private key does not match the certificate public key
-- %s\n",
- prog, SSLERROR);
+ if (!SSL_CTX_check_private_key(ssl->ctx)) {
+ LogError("%s: Private key does not match the certificate public key
-- %s\n", prog, SSLERROR);
goto sslerror;
}
@@ -760,11 +703,8 @@
return ssl;
sslerror:
-
delete_ssl_socket(ssl);
-
return NULL;
-
}
@@ -775,82 +715,64 @@
* Init verification of transmitted client certs
*/
static int verify_init(ssl_server_connection *ssl_server) {
-
struct stat stat_buf;
- if(!ssl_server->clientpemfile) {
+ if (!ssl_server->clientpemfile) {
SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_NONE, NULL);
return TRUE;
}
- if(stat(ssl_server->clientpemfile, &stat_buf) == -1) {
- LogError("%s: Cannot stat the SSL pem path '%s' -- %s\n",
- prog, Run.httpsslclientpem, STRERROR);
+ if (stat(ssl_server->clientpemfile, &stat_buf) == -1) {
+ LogError("%s: Cannot stat the SSL pem path '%s' -- %s\n", prog,
Run.httpsslclientpem, STRERROR);
return FALSE;
}
- if(S_ISDIR(stat_buf.st_mode)) {
-
- if(!SSL_CTX_load_verify_locations(ssl_server->ctx, NULL ,
- ssl_server->clientpemfile)) {
- LogError("%s: Error setting verify directory to %s -- %s\n",
- prog, Run.httpsslclientpem, SSLERROR);
+ if (S_ISDIR(stat_buf.st_mode)) {
+
+ if (!SSL_CTX_load_verify_locations(ssl_server->ctx, NULL ,
ssl_server->clientpemfile)) {
+ LogError("%s: Error setting verify directory to %s -- %s\n", prog,
Run.httpsslclientpem, SSLERROR);
return FALSE;
}
- LogInfo("%s: Loaded SSL client pem directory '%s'\n",
- prog, ssl_server->clientpemfile);
+ LogInfo("%s: Loaded SSL client pem directory '%s'\n", prog,
ssl_server->clientpemfile);
/* Monit's server cert for cli support */
- if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile,
- NULL)) {
- LogError("%s: Error loading verify certificates from %s -- %s\n",
- prog, ssl_server->pemfile, SSLERROR);
+ if (!SSL_CTX_load_verify_locations(ssl_server->ctx,
ssl_server->pemfile, NULL)) {
+ LogError("%s: Error loading verify certificates from %s -- %s\n",
prog, ssl_server->pemfile, SSLERROR);
return FALSE;
}
- LogInfo("%s: Loaded monit's SSL pem server file '%s'\n",
- prog, ssl_server->pemfile);
-
- } else if(S_ISREG(stat_buf.st_mode)) {
-
- if(!SSL_CTX_load_verify_locations(ssl_server->ctx,
- ssl_server->clientpemfile,
- NULL)) {
- LogError("%s: Error loading verify certificates from %s -- %s\n",
- prog, Run.httpsslclientpem, SSLERROR);
+ LogInfo("%s: Loaded monit's SSL pem server file '%s'\n", prog,
ssl_server->pemfile);
+
+ } else if (S_ISREG(stat_buf.st_mode)) {
+
+ if (!SSL_CTX_load_verify_locations(ssl_server->ctx,
ssl_server->clientpemfile, NULL)) {
+ LogError("%s: Error loading verify certificates from %s -- %s\n",
prog, Run.httpsslclientpem, SSLERROR);
return FALSE;
}
- LogInfo("%s: Loaded SSL pem client file '%s'\n",
- prog, ssl_server->clientpemfile);
+ LogInfo("%s: Loaded SSL pem client file '%s'\n", prog,
ssl_server->clientpemfile);
/* Monits server cert for cli support ! */
- if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile,
- NULL)) {
- LogError("%s: Error loading verify certificates from %s -- %s\n",
- prog, ssl_server->pemfile, SSLERROR);
+ if (!SSL_CTX_load_verify_locations(ssl_server->ctx,
ssl_server->pemfile, NULL)) {
+ LogError("%s: Error loading verify certificates from %s -- %s\n",
prog, ssl_server->pemfile, SSLERROR);
return FALSE;
}
- LogInfo("%s: Loaded monit's SSL pem server file '%s'\n",
- prog, ssl_server->pemfile);
-
- SSL_CTX_set_client_CA_list(ssl_server->ctx,
-
SSL_load_client_CA_file(ssl_server->clientpemfile));
+ LogInfo("%s: Loaded monit's SSL pem server file '%s'\n", prog,
ssl_server->pemfile);
+
+ SSL_CTX_set_client_CA_list(ssl_server->ctx,
SSL_load_client_CA_file(ssl_server->clientpemfile));
} else {
- LogError("%s: SSL client pem path is no file or directory %s\n",
- prog, ssl_server->clientpemfile);
+ LogError("%s: SSL client pem path is no file or directory %s\n", prog,
ssl_server->clientpemfile);
return FALSE;
}
SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER, verify_callback);
return TRUE;
-
}
@@ -858,30 +780,20 @@
* Check the transmitted client certs and a compare with client cert
database
*/
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
-
char subject[STRLEN];
X509_OBJECT found_cert;
- X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject,
- STRLEN-1);
-
- if(!preverify_ok && !check_preverify(ctx))
+ X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject,
STRLEN-1);
+
+ if (!preverify_ok && !check_preverify(ctx))
return 0;
- if(ctx->error_depth==0 &&
- X509_STORE_get_by_subject(ctx, X509_LU_X509,
- X509_get_subject_name(ctx->current_cert),
- &found_cert)!=1)
- {
-
- LogError("%s: SSL connection rejected. No matching certificate found
-- %s\n",
- prog, SSLERROR);
+ if (ctx->error_depth == 0 && X509_STORE_get_by_subject(ctx,
X509_LU_X509, X509_get_subject_name(ctx->current_cert), &found_cert) != 1) {
+ LogError("%s: SSL connection rejected. No matching certificate found
-- %s\n", prog, SSLERROR);
return 0;
-
}
return 1;
-
}
@@ -890,33 +802,23 @@
* @return TRUE if successful
*/
static int check_preverify(X509_STORE_CTX *ctx) {
-
- if ((ctx->error != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) &&
- (ctx->error != X509_V_ERR_INVALID_PURPOSE))
- {
+ if ((ctx->error != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) &&
(ctx->error != X509_V_ERR_INVALID_PURPOSE)) {
/* Remote site specified a certificate, but it's not correct */
- LogError("%s: SSL connection rejected because certificate verification
has failed -- error %i\n",
- prog, ctx->error);
+ LogError("%s: SSL connection rejected because certificate verification
has failed -- error %i\n", prog, ctx->error);
/* Reject connection */
return FALSE;
}
- if(allow_self_certification &&
- (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT))
- {
+ if (allow_self_certification && (ctx->error ==
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
/* Let's accept self signed certs for the moment! */
- LogInfo("%s: SSL connection accepted with self signed certificate!\n",
- prog);
- ctx->error=0;
+ LogInfo("%s: SSL connection accepted with self signed certificate!\n",
prog);
+ ctx->error = 0;
return TRUE;
}
/* Reject connection */
- LogError("%s: SSL connection rejected because certificate verification
has failed -- error %i!\n",
- prog, ctx->error);
+ LogError("%s: SSL connection rejected because certificate verification
has failed -- error %i!\n", prog, ctx->error);
return FALSE;
-
-
}
@@ -925,9 +827,7 @@
* @return current thread number
*/
static int unsigned long ssl_thread_id() {
-
return ((unsigned long) pthread_self());
-
}
@@ -935,12 +835,10 @@
* Helper function for the SSL threadding support
*/
static void ssl_mutex_lock(int mode, int n, const char *file, int line) {
-
- if(mode & CRYPTO_LOCK)
+ if (mode & CRYPTO_LOCK)
assert(pthread_mutex_lock( & ssl_mutex_table[n]) == 0);
else
assert(pthread_mutex_unlock( & ssl_mutex_table[n]) == 0);
-
}
@@ -949,19 +847,18 @@
* @return TRUE if non fatal, FALSE if non fatal and retry
*/
static int handle_error(int code, ssl_connection *ssl) {
-
- int ssl_error= SSL_get_error(ssl->handler, code);
+ int ssl_error = SSL_get_error(ssl->handler, code);
switch (ssl_error) {
case SSL_ERROR_WANT_READ:
- if(can_read(ssl->socket, SSL_TIMEOUT))
+ if (can_read(ssl->socket, SSL_TIMEOUT))
return TRUE;
LogError("%s: Openssl read timeout error!\n", prog);
break;
case SSL_ERROR_WANT_WRITE:
- if(can_read(ssl->socket, SSL_TIMEOUT))
+ if (can_read(ssl->socket, SSL_TIMEOUT))
return TRUE;
LogError("%s: Openssl write timeout error!\n", prog);
break;
@@ -989,33 +886,28 @@
* @param ssl ssl connection
*/
static void cleanup_ssl_socket(ssl_connection *ssl) {
-
- if(!ssl)
+ if (!ssl)
return;
- if(ssl->cert) {
+ if (ssl->cert) {
X509_free(ssl->cert);
- ssl->cert= NULL;
+ ssl->cert = NULL;
}
- if(ssl->handler) {
+ if (ssl->handler) {
SSL_free(ssl->handler);
- ssl->handler= NULL;
+ ssl->handler = NULL;
}
- if(ssl->socket_bio) {
- /*
- * no BIO_free(ssl->socket_bio); necessary, because BIO is freed
- * by ssl->handler
- */
- ssl->socket_bio= NULL;
+ if (ssl->socket_bio) {
+ /* no BIO_free(ssl->socket_bio); necessary, because BIO is freed by
ssl->handler */
+ ssl->socket_bio = NULL;
}
FREE(ssl->cert_issuer);
FREE(ssl->cert_subject);
FREE(ssl->cert_md5);
FREE(ssl->clientpemfile);
-
}
@@ -1024,19 +916,17 @@
* @param ssl_server data for ssl server connection
*/
static void cleanup_ssl_server_socket(ssl_server_connection *ssl_server) {
-
- if(!ssl_server)
+ if (!ssl_server)
return;
FREE(ssl_server->pemfile);
FREE(ssl_server->clientpemfile);
- while(ssl_server->ssl_conn_list) {
+ while (ssl_server->ssl_conn_list) {
ssl_connection *ssl = ssl_server->ssl_conn_list;
ssl_server->ssl_conn_list = ssl_server->ssl_conn_list->next;
close_accepted_ssl_socket(ssl_server, ssl);
}
-
}
@@ -1046,27 +936,25 @@
* @return TRUE, if not successful FALSE
*/
static int update_ssl_cert_data(ssl_connection *ssl) {
-
unsigned char md5[EVP_MAX_MD_SIZE];
ASSERT(ssl);
- if(!(ssl->cert = SSL_get_peer_certificate(ssl->handler)))
+ if (!(ssl->cert = SSL_get_peer_certificate(ssl->handler)))
***The diff for this file has been truncated for email.***
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [monit-dev] [monit] r314 committed - disable ssl session cache,
monit <=