monit-dev

Re: SSL


From: Christian Hopp
Subject: Re: SSL
Date: Fri, 11 Oct 2002 18:47:51 +0200 (CEST)

On 11 Oct 2002, Jan-Henrik Haukeland wrote:

> Christian Hopp <address@hidden> writes:
>
> > Hi!
> >
> > There is a new feature for monit-ssl,
> >
> > you CAN specify a "client ssl pem file".  That means... monit would
> > only allow a connection if the client supplies a cert fitting a cert in
> > the "client ssl file" => You need a password AND a sufficient
> > cert/private key combination on the client for a successful connection!
> >
> > I hope it makes sense???  I am getting confused already with all those
> > keys and certs. (-:
> >
> > But it works... that means... monit status (et al.) connects with
> > proper client cert and is accepted by monit.  As long as:
> >
> > - the client cert has the right "purpose"... of course "client"
> >
> > - if the cert is CA certified you have to supply the cert of the ca
> >   within the "client ssl pem file"
> >
> > - for cli support monit uses its own server privkey+cert
> >
> > So what I don't know is... should we treat self certified certificates
> > as errors or should we allow them.  For openssl it's an error which
> > could be overridden!  Right now monit would throw a warning to the log
> > but allows the connection.
> >
> > What do you think... should I commit?
>
> I'm not sure I got all that. Do you mean that monit should only accept
> connections to its http server if the client sends a valid ca signed
> certificate? I'm not sure, maybe, probably. The safest is to leave it
> as a monitrc configure option. (Since not all have a CA signed cert
> and will have to make up their own it could be a problem for a monit
> client to speak with a monit daemon over SSL to get status and such)
>

This only happens if you turn on client pem files.  If not, monit does not
need any client side certificates.  I can put in a statement like
"allowselfcertification" (or whatever term) to allow self certified
certificates.

Anyways, somebody should tidy up the "set httpd" statement, because
everything is right now order dependent. )-: Unfortunately I go on
vacation for the next week, so could somebody else please do me the
favor of tidying it up. (-:


Christian

-- 
Christian Hopp                                email: address@hidden
Institut für Elektrische Informationstechnik             fon: +49-5323-72-2113
Technische Universität Clausthal                         fax: +49-5323-72-3197
  pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc  (2001-11-22)
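As an added illustration (example code written for this page, not monit's code or anything from the thread), the server-side decision the thread describes: a presented client certificate is accepted only if it chains to a certificate in the "client ssl pem file" and carries the client purpose, so a CA-signed client needs its CA in that file, and a self-certified client is accepted only if its own cert is listed there. The names issue, pemOf and acceptClient are my own, and the certificates are generated in-process for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue creates a cert for cn with one purpose; a nil parent means self-signed (its own CA).
func issue(cn string, purpose x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{purpose}, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pemOf encodes one certificate the way a "client ssl pem file" stores it.
func pemOf(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// acceptClient is the server-side decision: the presented client cert must chain to a cert in the pem file and carry the client purpose; nil means the connection is allowed.
func acceptClient(clientPEM []byte, presented *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(clientPEM) // an empty or missing file leaves the pool empty, so nothing verifies
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue("demo CA", x509.ExtKeyUsageClientAuth, nil, nil)
	signed, _ := issue("monit status", x509.ExtKeyUsageClientAuth, ca, caKey)
	fmt.Println("CA-signed client, CA in pem file:", acceptClient(pemOf(ca), signed))
	fmt.Println("CA-signed client, empty pem file:", acceptClient(nil, signed))
}
```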
