"set ssl" version option has no effect for Monit HTTP interface ("set httpd")

Issue #510 resolved
Marcus Bointon created an issue

I have this set in my config:

set ssl options {
  verify: enable
  version: TLSV12
}

But it still allows TLS 1.0 and 1.1 when I test it:

Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

SSLv2               not offered (OK)
SSLv3               not offered (OK)
TLS 1               offered
TLS 1.1             offered
TLS 1.2             offered (OK)
Version tolerance   downgraded to TLSv1.2 (OK)
SPDY/NPN            not offered
HTTP2/ALPN          not offered

Testing a bit further, I couldn't get this version parameter to change anything at all - all the documented values produced the same result.

Have I done something wrong or is this a bug?

Comments (5)

  1. Tildeslash repo owner

    The "set ssl" statement currently controls only the client role - the "set httpd" statement doesn't share "set ssl" settings and has its own limited ssl options set.

    We'll fix

  2. Tildeslash repo owner

    New: The Monit HTTP interface now allows setting the SSL/TLS version as well. The syntax follows the generic SSL/TLS options settings, which were introduced in Monit 5.15, example:

    set httpd port 2812
        with ssl {
           pemfile: /etc/ssl/certs/monit.pem
           version: TLSv12
        }
        allow admin:monit
    

    New: The SSL 3DES ciphers are disabled by default now (vulnerable to Sweet32 attacks).

    Fixed Issue #509: Added support to override the SSL/TLS ciphers list and enabled server-side ciphers preference. Example (using monit's default ciphers string):

    set ssl {
        ciphers: "ALL:!DES:!3DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH"
    }
    

    Fixed Issue #510: The "set ssl" options defaults had no effect on the Monit HTTPD interface.

    → <<cset eb2f060d1356>>
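After changing the "set httpd ... with ssl { version: ... }" block, the practical question is whether the HTTP interface really stopped negotiating TLS 1.0/1.1, which is what the scan in the issue report checks. The script below is an added example and is not part of Monit or of this thread: it parses the "Testing protocols" section of a testssl.sh-style scan (the constructed SAMPLE_BEFORE_FIX copies the output pasted above), reports which deprecated versions are still offered, and can also probe a live endpoint by pinning a Python TLS client to one protocol version per handshake. The host 127.0.0.1 and port 2812 in the main block are assumptions taken from the example config, and the output format of testssl.sh is assumed to match the pasted lines.

```python
"""Verify which TLS protocol versions a TLS endpoint such as Monit's HTTP
interface actually negotiates, and flag the deprecated ones.

Added example, not part of Monit; the host/port and the testssl.sh output
format are assumptions based on the issue above."""
import re
import socket
import ssl

# Protocol labels as testssl.sh prints them (constructed mapping), and the
# Python ssl version constants used to pin a handshake to exactly one version.
PROTOCOL_VERSIONS = {
    "TLS 1": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

# Versions that a "version: TLSv12" setting must leave "not offered".
DEPRECATED = {"SSLv2", "SSLv3", "TLS 1", "TLS 1.1"}

# One scan line per protocol: a label, two or more spaces, then the verdict.
_PROTOCOL_LINE = re.compile(
    r"^(SSLv2|SSLv3|TLS 1(?:\.[1-3])?)\s{2,}(not offered|offered)\b"
)


def parse_testssl_protocols(text):
    """Turn the 'Testing protocols' section of a scan into {label: offered?}.
    Unrelated lines (version tolerance, NPN/ALPN) are skipped."""
    results = {}
    for line in text.splitlines():
        m = _PROTOCOL_LINE.match(line.strip())
        if m:
            results[m.group(1)] = (m.group(2) == "offered")
    return results


def deprecated_offered(results):
    """Return the deprecated protocol versions the endpoint still accepts, sorted."""
    return sorted(p for p, offered in results.items() if offered and p in DEPRECATED)


def probe_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to a single protocol version.
    Returns True if the server accepts it, False if it refuses, and None if the
    local OpenSSL build will not even offer that version (nothing was tested)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is under test here
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as e:
        if "no protocols available" in str(e).lower():
            return None
        return False


def probe_all(host, port):
    """Probe every version in PROTOCOL_VERSIONS against one endpoint."""
    return {label: probe_version(host, port, v) for label, v in PROTOCOL_VERSIONS.items()}


# Constructed copy of the scan output pasted in the issue (before the fix).
SAMPLE_BEFORE_FIX = """\
SSLv2               not offered (OK)
SSLv3               not offered (OK)
TLS 1               offered
TLS 1.1             offered
TLS 1.2             offered (OK)
Version tolerance   downgraded to TLSv1.2 (OK)
SPDY/NPN            not offered
HTTP2/ALPN          not offered
"""

if __name__ == "__main__":
    scan = parse_testssl_protocols(SAMPLE_BEFORE_FIX)
    print("Deprecated versions in the pasted scan:", deprecated_offered(scan))
    # Live check against a Monit httpd; host and port are assumed, not from Monit.
    try:
        live = probe_all("127.0.0.1", 2812)
        print("Live probe:", live)
        print("Deprecated versions still offered:", deprecated_offered(live))
    except OSError as e:
        print("Live probe skipped, endpoint not reachable:", e)
```

A result of None from probe_version means the local OpenSSL refused to offer that version (OpenSSL 3 disables TLS 1.0/1.1 at its default security level), so the scanner cannot tell whether the server would have accepted it; treat that as "untested", not as "not offered".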
