monit-general
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug since upgrade and documentation

From: address@hidden
Subject: Re: Bug since upgrade and documentation
Date: Tue, 21 Jul 2020 08:42:43 +0200 
Hi,

the monit 5.27.0 enables just TLS 1.2 or later by default (even if the version 
is "auto"). It seems that the OpenSSL library on CentOS doesn't support it, you 
can enable e.g. TLS 1.1 explicitly this way:

     set ssl {
        version: tlsv11
     }


Best regards,
Martin


> On 20 Jul 2020, at 16:33, Guillaume François <guillaume.francois55@gmail.com> 
> wrote:
> 
> To add some detail, we tried on another host OS (Ubuntu 20.04) while the 
> problematic one is CentOS , and it was working fine
> 
> Same binary but another OpenSSL stack probably.
> -------------------------------------
> This is Monit version 5.27.0
> Built with ssl, with ipv6, with compression, with pam and with large files
> Copyright (C) 2001-2020 Tildeslash Ltd. All Rights Reserved.
> -------------------------------------
> 
> --------------------------------------
> Remote Host '*******'
>   status                       OK
>   monitoring status            Monitored
>   monitoring mode              active
>   on reboot                    start
>   port response time           114.394 ms to *******:443 type TCP/IP using 
> TLS (certificate valid for 104 days) protocol HTTP
>   data collected               Mon, 20 Jul 2020 16:30:06
> -----------------------------------------
> 
> Best regards.
> 
> Le lun. 20 juil. 2020 à 16:26, Guillaume François 
> <guillaume.francois55@gmail.com> a écrit :
> Hello,
> 
> Since we have upgraded from Monit 5.20.0 to 5.27.0 with have an issue with 
> certificate verification.
> 
> It seems broken as it cannot maanged to retrieve the certificate expiration 
> and it warn about a self signed certificate when it is not the case.
> 
> We are using the linux-x64 binary version from the website.
> 
> We have two rules:
> ------------------------------------------
> if failed port 443 protocol https with ssl options {verify: enable} and 
> certificate valid > 10 days for 5 cycles then alert
> if failed port 443 protocol https request "/" with content ="xxxxxxx" for 5 
> cycles then alert
> -------------------------------------------
> 
> We tried to change the part "with ssl options {verify: enable}" to "with ssl 
> options {selfsigned: allow}" without any success.
> 
> Also regarding the documentation enhancement, we had to put the part "with 
> ssl options {selfsigned: allow}" after the part 'request "/" with content 
> ="xxxxxxx"' else Monit configuration syntax was failing. It would be good to 
> provide a sample in documentation.
> 
> In the global configuration file, the ssl setting was set to
> 
> set ssl {
>      verify     : enable,
> }
> 
> We tried to add the new parameter "version" but it doesn't solved the issue.
> 
> set ssl {
>      version: auto,
>      verify     : enable,
> }
> 
> Could anyone provide some guidance for this case ?
> 
> Best Regards.
> 
> 
> -- 
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCS/IT d(+) s++:- a C++$ ULC(+)>+++$ !P--- L+>$ !E---? W+++$ !N* !o-- K--? 
> w(+) !O---? !M- !V--? PS+? !PE Y+ PGP++>+++ !t-- !5 !X- R(+)>++* tv-? b(-) DI 
> !D- G(+)>+ e+++ h--() r->$ y?*
> ------END GEEK CODE BLOCK------
reply via email to
[Prev in Thread] Current Thread [Next in Thread]