"set ssl" version option has no effect for Monit HTTP interface ("set httpd")

Issue #510 resolved
Marcus Bointon created an issue

I have this set in my config:

set ssl options {
  verify: enable
  version: TLSV12

But it still allows TLS 1.0 and 1.1 when I test it:

Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

SSLv2               not offered (OK)
SSLv3               not offered (OK)
TLS 1               offered
TLS 1.1             offered
TLS 1.2             offered (OK)
Version tolerance   downgraded to TLSv1.2 (OK)
SPDY/NPN            not offered
HTTP2/ALPN          not offered

Testing a bit further, I couldn't get this version parameter to change anything at all - all the documented values produced the same result.

Have I done something wrong or is this a bug?

Comments (5)

  1. Tildeslash repo owner

    The "set ssl" statement currently controls only the client role - the "set httpd" statement doesn't share "set ssl" settings and has its own limited ssl options set.

    We'll fix

  2. Tildeslash repo owner

    New: The Monit HTTP interface now allows to set the SSL/TLS version as well. The syntax follows the generic SSL/TLS options settings, which was introduced in Monit 5.15, example:

    set httpd port 2812
        with ssl {
           pemfile: /etc/ssl/certs/monit.pem
           version: TLSv12
        allow admin:monit

    New: The SSL 3DES ciphers are disabled by default now (vulnerable to Sweet32 attacks).

    Fixed Issue #509: Added support to override the SSL/TLS ciphers list and enabled server-side ciphers preference. Example (using monit's default ciphers string):

    set ssl {
        ciphers: "ALL:!DES:!3DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH"

    Fixed Issue #510: The "set ssl" options defaults had no effect on the Monit HTTPD interface.

    → <<cset eb2f060d1356>>

  3. Log in to comment