tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-04-08 17:05:25 +02:00
Code Issues Packages Projects Releases Wiki Activity
14,049 Commits 421 Branches 120 Tags
Commit Graph

63 Commits

Author SHA1 Message Date
Alexander A. Klimov
551c3afa60 CertificateToString(): allow raw pointer input 2023-12-18 15:28:11 +01:00
Alexander A. Klimov
7b55df6f11 CreateCertIcingaCA(EVP_PKEY*, X509_NAME*): enable optional CA creation 2023-12-18 15:28:11 +01:00
Alexander A. Klimov
74f52c6fcd Introduce IsCaUptodate() by splitting IsCertUptodate() 2023-12-13 12:08:34 +01:00
Alexander A. Klimov
617dda61fb Re-order global default TLS cipher list to prefer AES256 over AES128 2023-07-03 15:36:11 +02:00
Alexander A. Klimov
2e053b0e06 Copy and paste global default TLS cipher set from ssl-config.mozilla.org 
which got more secure by now, but still overlaps with v2.13.x' set.
 2023-06-28 14:49:08 +02:00
Alexander A. Klimov
e490883577 Renew certificates also periodically 2022-04-11 11:02:39 +02:00
Alexander A. Klimov
9be2eb8e5e Introduce IsCertUptodate() 2022-03-29 16:47:23 +02:00
Julian Brost
6cd3a483a0 tlsutility: move hex encoding into a separate function BinaryToHex 2021-11-05 14:14:37 +01:00
Alexander A. Klimov
504fdda76c Introduce DEFAULT_CONNECT_TIMEOUT 2021-07-27 21:57:02 +02:00
Alexander A. Klimov
7f7637c9b8 Introduce DEFAULT_TLS_CIPHERS and DEFAULT_TLS_PROTOCOLMIN 2021-07-22 11:12:33 +02:00
Alexander A. Klimov
80a1128ec7 Introduce SetupSslContext() 2021-07-22 11:12:33 +02:00
Julian Brost
0e7a05ad7a Support TLS 1.3 2021-06-29 11:08:47 +02:00
Noah Hilverling
f7e368564f
Merge pull request from GHSA-pcmr-2p2f-r7j6 
Verify certificates against CRL before renewing them (2.13)
 2020-12-15 12:30:19 +01:00
Julian Brost
e86bd24348 Verify certificates against CRL before renewing them 
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
 2020-12-09 12:10:59 +01:00
Julian Brost
61d7ec4bf7 Remove std::string to_string(const errinfo_openssl_error& e) 
The function was never used and it's implementation contains a bug where
a buffer of too small size is used as a paramter to ERR_error_string.
According to the `man 3 ERR_error_info`, the buffer has to be at least
256 bytes in size.

Also the function seems of limited use as it allows to output the tag
object used with additional error information for exceptions in Boost.
However, you boost::get_error_info<>() just returns the value type but
not the full tag object from the exception.
 2020-12-08 13:05:38 +01:00
Michael Friedrich
06d0c3ea4e
Merge pull request #7843 from Icinga/feature/cli-pki-verify 
CLI: Add `pki verify` command for better TLS certificate troubleshooting
 2020-02-25 09:07:24 +01:00
Michael Friedrich
548eb933c9 TlsUtility: Add getters for version, signature algorithm, SANs 2020-02-17 17:42:20 +01:00
Henrik Triem
099cc5d8df
Merge pull request #7833 from Icinga/feature/version-build-info-openssl 
CLI: Add OpenSSL version to 'Build' section in --version
 2020-02-17 17:07:51 +01:00
Michael Friedrich
71c7eebe4e CLI: Add OpenSSL version to 'Build' section in --version 
This helps to see against which OpenSSL version Icinga was built.
Inspired by #5572
 2020-02-14 08:55:39 +01:00
Michael Friedrich
a7436394cd TlsUtility: Add IsCa() function to verify given certificate being a CA certificate 2020-02-13 16:03:43 +01:00
Alexander A. Klimov
ba1ce9c853 Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr 2019-10-21 16:12:46 +02:00
Michael Friedrich
ba44c3921c Quality: Remove old MakeSSLContext() interface 2019-05-28 13:03:34 +02:00
Alexander A. Klimov
2615967e7f Make ApiListener#m_SSLContext a Boost ASIO SSL context 2019-04-01 11:40:14 +02:00
Michael Friedrich
d14a88235d Replace Copyright header with a short version, part I 
CLion -> replace in path
 2019-02-25 14:48:22 +01:00
Michael Friedrich
dab53448bc icinga.com: Update *.{h,c}pp 2018-10-18 09:27:04 +02:00
Michael Friedrich
2fd6709952 Remove ApiUser password_hash functionality 
This affects and fixes

- Windows reload
- Config validation
- RHEL 7.5 OpenSSL memory corruption
- Hash algorithm, requested changes

refs #6378
refs #6279
refs #6278
 2018-06-19 11:32:03 +02:00
Jean Flach
0a0795f09d Code style 2018-02-16 11:47:13 +01:00
Jean Flach
65a806f5dc Move new password functions into tlsutility 2018-02-15 13:09:22 +01:00
Jean Flach
92e2faaa08 Hash API password and comparison 
fixes #4920
 2018-02-15 13:09:22 +01:00
Gunnar Beutner
f05459b40c Move inline functions to their .cpp files 2018-01-04 12:24:58 +01:00
Gunnar Beutner
ac155d1dda Apply clang-tidy fix 'modernize-redundant-void-arg' 2018-01-04 12:24:57 +01:00
Gunnar Beutner
90496b5456 Build libraries as static libraries 2018-01-02 23:29:48 +01:00
Michael Insel
158ae2188e Change copyright header for 2018 2018-01-02 12:08:55 +01:00
Gunnar Beutner
1ad83886ac Replace a few more NULLs with nullptr 2017-12-14 15:37:20 +01:00
Gunnar Beutner
6d09efc907 Use std::shared_ptr instead of boost::shared_ptr 2017-11-30 17:41:00 +01:00
Gunnar Beutner
0ec07bce51 Implement support for updating client certificates 
refs #5450
 2017-09-12 12:52:49 +02:00
Gunnar Beutner
abdd4b307b Implement the 'ca list' and 'ca sign' CLI commands 
refs #5450
 2017-09-12 12:52:49 +02:00
Gunnar Beutner
510e2d622a Implement support for ticket-less certificate requests 
refs #5450
 2017-09-12 12:52:49 +02:00
Michael Friedrich
0b466aabc0 Start working on checksum config dump 
refs #4991
 2017-03-29 10:17:03 +02:00
Michael Friedrich
b7caf0820d Ensure that *.icinga.com is used everywhere 
fixes #13897
fixes #13277
 2017-01-10 17:19:12 +01:00
Gunnar Beutner
ec87b9e795 Use hash-based serial numbers for new certificates 
fixes #12453
 2016-08-16 15:03:01 +02:00
Uwe Ebel
b2ac05ad7d Make the minimum TLS protocol version configurable 
The ApiListener accepts all TLS versions that the underlying
OpenSSL library supports. This patch give the ability to restrict
the connection to a minimum TLS version.

fixes #11292

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>
 2016-08-03 07:46:50 +02:00
Uwe Ebel
1ca8b293cb Make the cipher list configurable for TLS streams 
fixes #11063

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>
 2016-07-18 13:40:00 +02:00
Gunnar Beutner
599929b0f6 Update copyright headers for 2016 2016-01-12 08:29:59 +01:00
Gunnar Beutner
c37a23ccba Implement the Icinga Studio application 
fixes #10042
 2015-08-31 07:50:01 +02:00
Gunnar Beutner
5a72eaa768 Make sure the serial number field is always initialized 
fixes #9947
 2015-08-18 15:05:53 +02:00
Michael Friedrich
78bfd0204c Update copyright year 2015-01-22 12:00:23 +01:00
Gunnar Beutner
c433284d27 Improve error reporting 
fixes #8136
refs #6070
 2014-12-20 15:29:04 +01:00
Gunnar Beutner
55b7f00382 Remove unnecessary includes 2014-12-15 10:16:06 +01:00
Gunnar Beutner
478f03b49a Replace boost::shared_ptr with boost::intrusive_ptr 
refs #7622
 2014-11-09 16:54:41 +01:00