Re: SSL
From: Jan-Henrik Haukeland
Subject: Re: SSL
Date: 11 Oct 2002 18:38:10 +0200
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Civil Service)
Christian Hopp <address@hidden> writes:
> Hi!
>
> There is a new feature for monit-ssl,
>
> you CAN specify a "client ssl pem file". That means... monit would
> only allow connection if the client supplies a cert fitting a cert in
> the "client ssl file" => You need a password AND a sufficient
> cert/private key combination on the client for a successful connection!
>
> I hope it makes sense??? I am getting confused already with all those
> keys and certs. (-:
>
> But it works... that means... monit status (et al.) connects with
> proper client cert and is accepted by monit. As long as:
>
> - the client cert has the right "purpose"... of course "client"
>
> - if the cert is CA certified you have to supply the cert of the CA
> within the "client ssl pem file"
>
> - for cli support monit uses its own server privkey+cert
>
> So what I don't know is... should we treat self certified certificates
> as errors or should we allow them. For openssl it's an error which
> could be overridden! Right now monit would throw a warning to the log
> but allows the connection.
>
> What do you think... should I commit?
I'm not sure I got all that. Do you mean that monit should only accept
connections to its http server if the client sends a valid CA-signed
certificate? I'm not sure, maybe, probably. The safest is to leave it
as a monitrc configure option. (Since not all have a CA-signed cert
and will have to make up their own, it could be a problem for a monit
client to speak with a monit daemon over SSL to get status and such.)
--
Jan-Henrik Haukeland
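Added illustration, not part of this thread: the password-only httpd setup the feature is meant to harden, next to one that additionally requires a client certificate from the "client ssl pem file" (trusted client certs plus the CA cert that signed them) and exposes the self-signed decision as a monitrc option, as the reply suggests. The keyword names `clientpemfile` and `allowselfcertification` are taken from later monit manuals, not from this thread, and are an assumption here; check the manual of the monit version you run.

```monitrc
# Weak: anyone who learns the password can drive the daemon.
# (illustrative paths and credentials, not from the thread)
set httpd port 2812
    ssl enable
    pemfile /etc/monit/monit.pem          # server privkey + cert in one PEM
    allow admin:monit

# Hardened: password AND a client cert listed in the client PEM file.
# The client PEM holds the trusted client certs (purpose "client") and,
# for CA-signed client certs, the CA cert as well. Clients with a cert
# not in this file (or no cert at all) are refused before the password
# is ever checked.
set httpd port 2812
    ssl enable
    pemfile /etc/monit/monit.pem
    clientpemfile /etc/monit/monit-clients.pem
    # Self-signed client certs are an OpenSSL verify error by default.
    # Leave this line out to keep them rejected; add it only if your
    # clients cannot get a CA-signed cert (the trade-off raised above).
    allowselfcertification
    allow admin:monit
```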