[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ssl: unsafe legacy renegotiation
|
From: |
address@hidden |
|
Subject: |
Re: ssl: unsafe legacy renegotiation |
|
Date: |
Thu, 9 Feb 2023 22:11:10 +0100 |
> On 9. 2. 2023, at 20:22, sashk via This is the general mailing list for monit
> <monit-general@nongnu.org> wrote:
>
> Hi,
>
>> Google the error and solution. Either update SSL on the cable modem “server”
>> if you can or modify Monit (the client) yourself.
>
>
> Upgrading ssl is not possible on cable modem, therefore as I stated in my
> original email:
>>> It seems re-configuring OpenSSL it is possible to do systemwide, but I
>>> would like to avoid doing so.
>
> I was hoping there is a way, similar to ssl options {version: TLSV1,... } to
> enable this setting just for this particular check in monit, not systemwide,
> as this opens system to CVE-2009-3555.
>
> Thanks.
Yes, that is possible, see snip from Monit 5.27.0:
--8<--
Version 5.27.0
Important: (Backward compatibility impact) The SSL "version: auto" now
defaults to TLSv1.2 and TLSv1.3 only.
If you need to enable TLSv1.0 or TLSv1.1 (regardless of how insecure it is),
you have to explicitly enable it
via the SSL option, example: set ssl {
version: tlsv11
}
--8<--
Cheers,
Martin