- marked as enhancement
- marked as minor
Several TLS issues
The TLS options config section allows various useful options; however, it's missing some important ones:
- prefer server cipher order
- cipher list
- disable Secure Client-Initiated Renegotiation
Nice-to-have options would be to allow the use of ECC (ECDSA) certificates, since they are smaller, stronger, and faster - there are some mentions of these in the release notes, but no comments in the documentation about how to use multiple certificates (e.g. RSA and ECC) for browser compatibility.
Testing monit with testssl.sh shows all these problems quite clearly.
Comments (5)
-
repo owner -
reporter I should have mentioned - those three I listed are considered security vulnerabilities because they may allow attackers to intercept, downgrade, expose and otherwise interfere with supposedly secure traffic.
-
repo owner Monit currently uses the following hardcoded ciphers string for both client and server role:
ALL:!DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH
Vulnerable ciphers are disabled by default. It's true the option to override this cipher list without recompilation is not present currently (we plan to add it), but it's not a vulnerability.
-
reporter Thanks for the info.
-
repo owner - changed status to resolved
New: The Monit HTTP interface now allows setting the SSL/TLS version as well. The syntax follows the generic SSL/TLS options settings, which were introduced in Monit 5.15. Example:
    set httpd port 2812
        with ssl {
            pemfile: /etc/ssl/certs/monit.pem
            version: TLSv12
        }
        allow admin:monit
New: The SSL 3DES ciphers are disabled by default now (vulnerable to Sweet32 attacks).
Fixed Issue #509: Added support to override the SSL/TLS ciphers list and enabled server-side ciphers preference. Example (using monit's default ciphers string):
    set ssl { ciphers: "ALL:!DES:!3DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH" }
Fixed Issue #510: The "set ssl" options defaults had no effect on the Monit HTTPD interface. → <<cset eb2f060d1356>>
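To see what the two cipher strings quoted in this thread actually enable, they can be expanded with the local OpenSSL and compared. This is an added example, not code from Monit or from the participants above; it uses Python's ssl module, and the helper names and the WEAK_MARKERS list are assumptions of the example. The suites listed depend on the local OpenSSL build.

```python
import ssl

# The two cipher strings quoted on this page.
OLD_DEFAULT = "ALL:!DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH"
NEW_DEFAULT = "ALL:!DES:!3DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH"

# Name fragments this example treats as weak (an assumption, not Monit's list).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "MD5", "IDEA",
                "EXP-", "ADH-", "AECDH-")


def expand(cipher_string):
    """Suite names the local OpenSSL selects for the string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suites whose OpenSSL name carries one of the weak markers."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def is_triple_des(name):
    """OpenSSL names 3DES suites with either '3DES' or 'DES-CBC3'."""
    return "3DES" in name or "DES-CBC3" in name


def dropped_by_change(old, new):
    """Suites enabled by the old string that the new string no longer enables."""
    still_enabled = set(expand(new))
    return [n for n in expand(old) if n not in still_enabled]


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, s in (("old default", OLD_DEFAULT), ("new default", NEW_DEFAULT)):
        names = expand(s)
        print(f"{label}: {len(names)} suites, weak: {weak_suites(names) or 'none'}")
    # On builds compiled without 3DES this list is empty; both strings then
    # expand to the same set.
    print("removed by adding !3DES:", dropped_by_change(OLD_DEFAULT, NEW_DEFAULT))
```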