116 Commits

Author SHA1 Message Date
Julian Brost
c510fe4dfe Verify certificates against CRL before renewing them
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
2020-12-15 10:38:37 +01:00
Julian Brost
905cf5aa65 Use ERR_error_string_n() instead of ERR_error_string()
Explicitly pass the actual length of the buffer to avoid overflows.
2020-12-09 12:23:07 +01:00
Julian Brost
3b37867d2e Increase size of buffer for OpenSSL error messages
According to man 3 ERR_error_string, "buf must be at least 256 bytes
long", therefore increase the buffer size to 256 everywhere.
2020-12-09 12:23:07 +01:00
Julian Brost
64a49ee3a1 Remove std::string to_string(const errinfo_openssl_error& e)
The function was never used and its implementation contains a bug where
a buffer of too small size is used as a parameter to ERR_error_string.
According to the `man 3 ERR_error_info`, the buffer has to be at least
256 bytes in size.

Also the function seems of limited use as it allows to output the tag
object used with additional error information for exceptions in Boost.
However, boost::get_error_info<>() just returns the value type but
not the full tag object from the exception.
2020-12-09 12:22:52 +01:00
Michael Friedrich
0fd2fc0a4f Only include SSL_CTX_set_ecdh_auto for OpenSSL < 1.1.0 2019-07-23 17:39:02 +02:00
Michael Friedrich
6682a427d4 TLS: Ensure to specify options in one place
`SetTlsProtocolminToSSLContext()` may have overridden
previous flags.

refs #7277

refs #7041
refs #7211
2019-07-15 13:29:55 +02:00
Michael Friedrich
524e2368be Respect OpenSSL 1.1.0 vs older 2019-07-12 14:56:08 +02:00
Michael Friedrich
32d288f243 TLS: Fetch the cipher list and log them for debugging 2019-07-12 14:39:17 +02:00
Alexander A. Klimov
6568017658 Use SSL_CTX_set_ecdh_auto only if available
refs #7280
2019-07-04 13:05:31 +02:00
Michael Friedrich
9c92368774 SSL Context: Explicitly load ECC ciphers on el7
Otherwise curl/nss as client won't be able to use the
new default cipher list.

fixes #7247
2019-06-18 14:58:19 +02:00
Michael Friedrich
146b337d4d Merge pull request #7211 from Icinga/feature/asio-tls-version
Require TLS 1.2 for Cluster & REST API
2019-06-03 16:19:22 +02:00
Michael Friedrich
d82c067555 Require TLS 1.2 for Cluster & REST API
refs #7041
2019-05-29 17:08:36 +02:00
Michael Friedrich
ba44c3921c Quality: Remove old MakeSSLContext() interface 2019-05-28 13:03:34 +02:00
Elias Ohm
e75f063552 bring some things in line
- account for documented buffer size openssl 1.1.x for error string (>=256 bytes)
- use nullptr instead of NULL
- fix/streamline null-checks
2019-05-09 00:22:24 +02:00
Jean Flach
9a0d894f10 Don't use deprecated RSA_generate_key
fixes #4635
2019-05-08 23:46:31 +02:00
Alexander A. Klimov
2615967e7f Make ApiListener#m_SSLContext a Boost ASIO SSL context 2019-04-01 11:40:14 +02:00
Michael Friedrich
d14a88235d Replace Copyright header with a short version, part I
CLion -> replace in path
2019-02-25 14:48:22 +01:00
Michael Friedrich
dab53448bc icinga.com: Update *.{h,c}pp 2018-10-18 09:27:04 +02:00
Gunnar Beutner
e678fa1aa5 Refactor Application::*Const() 2018-08-13 15:27:05 +02:00
Markus Frosch
9fbc40615a Improve path handling in cmake and daemon 2018-08-07 14:10:26 +02:00
Michael Friedrich
2fd6709952 Remove ApiUser password_hash functionality
This affects and fixes

- Windows reload
- Config validation
- RHEL 7.5 OpenSSL memory corruption
- Hash algorithm, requested changes

refs #6378
refs #6279
refs #6278
2018-06-19 11:32:03 +02:00
Jean Flach
08a14cd136 Ensure that password hash generation from OpenSSL is atomic
This is supposed to solve a problem with segfaults caused by
race conditions within the random byte generation of OpenSSL.

fixes #6279
2018-05-23 10:55:14 +02:00
Michael Friedrich
1102f60b43 Revert "Implement support for ECC certificates"
This reverts commit 10691db5b1297caaff15a2470575d34c29bd00e2.

refs #5555
refs #6200
2018-05-02 16:54:07 +02:00
Jean Flach
0a0795f09d Code style 2018-02-16 11:47:13 +01:00
Jean Flach
65a806f5dc Move new password functions into tlsutility 2018-02-15 13:09:22 +01:00
Jean Flach
92e2faaa08 Hash API password and comparison
fixes #4920
2018-02-15 13:09:22 +01:00
Gunnar Beutner
f05459b40c Move inline functions to their .cpp files 2018-01-04 12:24:58 +01:00
Gunnar Beutner
e0c350b8a5 Apply clang-tidy fix 'modernize-use-nullptr' 2018-01-04 12:24:57 +01:00
Gunnar Beutner
e3ad0be769 Apply clang-tidy fix 'modernize-use-auto' 2018-01-04 12:24:57 +01:00
Gunnar Beutner
ac155d1dda Apply clang-tidy fix 'modernize-redundant-void-arg' 2018-01-04 12:24:57 +01:00
Michael Insel
158ae2188e Change copyright header for 2018 2018-01-02 12:08:55 +01:00
Jean Flach
2636e6a77a Whitespace fix
What does this change?
* Remove use of spaces for formatting
These could be found by using `grep -r -l -P '^\t+ +[^*]'`
* Removal of trailing whitespaces
* A few lines longer than 120 chars
2017-12-20 14:53:52 +01:00
Gunnar Beutner
1ad83886ac Replace a few more NULLs with nullptr 2017-12-14 15:37:20 +01:00
Gunnar Beutner
42744fde5b Remove extraneous whitespace 2017-12-14 08:50:09 +01:00
Gunnar Beutner
6d09efc907 Use std::shared_ptr instead of boost::shared_ptr 2017-11-30 17:41:00 +01:00
Gunnar Beutner
6b3931973e Merge pull request #5555 from Icinga/feature/ecc-certs
Implement support for ECC certificates
2017-11-27 15:11:04 +01:00
Michael Friedrich
9a04a99400 Merge pull request #5554 from Icinga/feature/cn-check-for-san
Add subjectAltName extension for all non-CA certificates
2017-10-10 17:50:01 +02:00
Gunnar Beutner
774936bfe8 Implement support for pki::UpdateCertificate messages
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
0ec07bce51 Implement support for updating client certificates
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
abdd4b307b Implement the 'ca list' and 'ca sign' CLI commands
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
510e2d622a Implement support for ticket-less certificate requests
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
10691db5b1 Implement support for ECC certificates 2017-09-06 12:29:30 +02:00
Gunnar Beutner
3385122bc3 Add subjectAltName extension for all non-CA certificates 2017-09-06 12:25:36 +02:00
Michael Friedrich
79c45ea811 Build fix for OpenSSL 0.9.8 and stack_st_X509_EXTENSION 2017-05-26 13:16:20 +02:00
Gunnar Beutner
b366483466 Add subjectAltName X509 ext for certificate requests 2017-05-11 15:38:17 +02:00
Gunnar Beutner
0c25d14d0c Fix crash in SHA1
refs #4991
2017-03-29 10:17:03 +02:00
Michael Friedrich
0b466aabc0 Start working on checksum config dump
refs #4991
2017-03-29 10:17:03 +02:00
Sebastian Marsching
118d36f384 Fixed return code check in CRL loading
The code for loading CRLs was incorrectly assuming that OpenSSL's
X509_LOOKUP_load_file function returns zero on success, but actually it
returns one on success. This commit fixes this return code check so
that a CRL can be loaded.

fixes #5040

Signed-off-by: Gunnar Beutner <gunnar.beutner@icinga.com>
2017-02-28 14:08:24 +01:00
Michael Friedrich
b7caf0820d Ensure that *.icinga.com is used everywhere
fixes #13897
fixes #13277
2017-01-10 17:19:12 +01:00
Gunnar Beutner
0df4b4edfb Fix incorrect #ifdef
fixes #12749
2016-09-28 08:30:47 +02:00