- changed title to ssl version option has no effect
"set ssl" version option has no effect for Monit HTTP interface ("set httpd")
I have this set in my config:
    set ssl options {
        verify: enable
        version: TLSV12
    }
But it still allows TLS 1.0 and 1.1 when I test it:
    Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    Version tolerance downgraded to TLSv1.2 (OK)
    SPDY/NPN not offered
    HTTP2/ALPN not offered
Testing a bit further, I couldn't get this version parameter to change anything at all - all the documented values produced the same result.
Have I done something wrong or is this a bug?
Comments (5)
-
reporter -
repo owner The "set ssl" statement currently controls only the client role - the "set httpd" statement doesn't share "set ssl" settings and has its own limited ssl options set.
We'll fix
-
repo owner - changed title to "set ssl" version option has no effect for Monit HTTP interface ("set httpd")
-
assigned issue to
-
repo owner - changed status to resolved
New: The Monit HTTP interface now allows setting the SSL/TLS version as well. The syntax follows the generic SSL/TLS options settings, which was introduced in Monit 5.15. Example:
    set httpd port 2812 with ssl {
        pemfile: /etc/ssl/certs/monit.pem
        version: TLSv12
    } allow admin:monit
New: The SSL 3DES ciphers are disabled by default now (vulnerable to Sweet32 attacks).
Fixed Issue #509: Added support to override the SSL/TLS ciphers list and enabled server-side ciphers preference. Example (using monit's default ciphers string):
    set ssl { ciphers: "ALL:!DES:!3DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:@STRENGTH" }
Fixed Issue #510: The "set ssl" options defaults had no effect on the Monit HTTPD interface. → <<cset eb2f060d1356>>
-
reporter Thanks
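A check for the test result discussed in this issue, as an added example that is not part of the original thread or of Monit's code: it parses the protocol section of scan output in the format quoted above and lists every offered protocol older than a required minimum. The function names and the second sample are constructed for illustration.

```python
import re

# Protocol labels as printed in the scan output quoted in this issue, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLS 1", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
# Longer labels come first so "TLS 1.1" is not read as "TLS 1".
LINE_RE = re.compile(r"(SSLv2|SSLv3|TLS 1\.[123]|TLS 1)\s+(not offered|offered)")


def parse_protocols(output):
    """Return {label: offered?} from a "Testing protocols" section."""
    found = {m.group(1): m.group(2) == "offered" for m in LINE_RE.finditer(output)}
    if not found:
        # An empty or failed scan must not look like a clean result.
        raise ValueError("no protocol results found in scan output")
    return found


def audit(output, minimum="TLS 1.2"):
    """List offered protocols older than `minimum`; report if `minimum` is offered."""
    results = parse_protocols(output)
    floor = PROTOCOLS.index(minimum)
    too_old = [p for p in PROTOCOLS[:floor] if results.get(p)]
    return {"too_old": too_old, "minimum_offered": results.get(minimum, False)}


# Result reported in this issue (whitespace was lost when the page was extracted).
REPORTED = (
    "Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) "
    "SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered "
    "TLS 1.1 offered TLS 1.2 offered (OK) "
    "Version tolerance downgraded to TLSv1.2 (OK) "
    "SPDY/NPN not offered HTTP2/ALPN not offered"
)

# Constructed sample: the same section once the httpd version is pinned.
EXPECTED_AFTER_FIX = """\
SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    offered (OK)
"""

if __name__ == "__main__":
    print(audit(REPORTED))
    print(audit(EXPECTED_AFTER_FIX))
```

Run as a post-deployment check, a non-empty `too_old` list means the `version:` setting is not being applied to the listener that was scanned.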