Julian Brost
a2e05f89e8
Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers
...
Non-ECC DHE ciphers in the `cipher_list` attribute of `ApiListener` (the
default value includes these) had no effect as no DH parameters were available
and therefore the server wouldn't offer these ciphers. OpenSSL provides
built-in DH parameters starting from version 1.1.0, however, these have to be
enables explicitly using the `SSL_CTX_set_dh_auto()` function. This commit does
so and thereby makes it possible to establish a connection to an Icinga 2
server using a DHE cipher.
2023-06-29 12:06:26 +02:00
Julian Brost
b24a2fa2a5
Merge pull request #9179 from Icinga/Al2Klimov-patch-3
...
Let new cluster certificates expire after 397 days, not 15 years
2022-04-11 15:29:05 +02:00
Alexander A. Klimov
e490883577
Renew certificates also periodically
2022-04-11 11:02:39 +02:00
Alexander A. Klimov
9be2eb8e5e
Introduce IsCertUptodate()
2022-03-29 16:47:23 +02:00
Alexander A. Klimov
e06b631f3a
Let new cluster certificates expire after 397 days, not 15 years
...
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf , section 6.3.2:
"Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days."
2022-03-29 16:47:23 +02:00
Yonas Habteab
a0607aceff
Fix compiler warnings don't move local variables
2022-02-22 17:51:43 +01:00
Julian Brost
6cd3a483a0
tlsutility: move hex encoding into a separate function BinaryToHex
2021-11-05 14:14:37 +01:00
Alexander A. Klimov
37e53eaa68
Icinga DB: support TLS
2021-07-22 14:34:07 +02:00
Alexander A. Klimov
80a1128ec7
Introduce SetupSslContext()
2021-07-22 11:12:33 +02:00
Alexander A. Klimov
fbcaf82e3e
InitSslContext(): fall back to default root CAs
2021-07-22 11:12:33 +02:00
Alexander A. Klimov
2728603c29
Rename SetupSslContext() to InitSslContext()
2021-07-22 11:12:33 +02:00
Julian Brost
0e7a05ad7a
Support TLS 1.3
2021-06-29 11:08:47 +02:00
Julian Brost
2a2229a49b
Don't use sprintf for SHA1 to hex conversion
2021-03-19 10:31:01 +01:00
Alexander A. Klimov
c3388e9af6
Use std::mutex, not boost::mutex
2021-02-03 09:54:57 +01:00
Noah Hilverling
f7e368564f
Merge pull request from GHSA-pcmr-2p2f-r7j6
...
Verify certificates against CRL before renewing them (2.13)
2020-12-15 12:30:19 +01:00
Julian Brost
e86bd24348
Verify certificates against CRL before renewing them
...
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
2020-12-09 12:10:59 +01:00
Julian Brost
bbfd1ecfc8
Use ERR_error_string_n() instead of ERR_error_string()
...
Explicitly pass the actual length of the buffer to avoid overflows.
2020-12-08 13:08:18 +01:00
Julian Brost
c0fc9a86c5
Increase size of buffer for OpenSSL error messages
...
According to man 3 ERR_error_string, "buf must be at least 256 bytes
long", therefore increase the buffer size to 256 everywhere.
2020-12-08 13:08:18 +01:00
Julian Brost
61d7ec4bf7
Remove std::string to_string(const errinfo_openssl_error& e)
...
The function was never used and it's implementation contains a bug where
a buffer of too small size is used as a paramter to ERR_error_string.
According to the `man 3 ERR_error_info`, the buffer has to be at least
256 bytes in size.
Also the function seems of limited use as it allows to output the tag
object used with additional error information for exceptions in Boost.
However, you boost::get_error_info<>() just returns the value type but
not the full tag object from the exception.
2020-12-08 13:05:38 +01:00
Michael Friedrich
06d0c3ea4e
Merge pull request #7843 from Icinga/feature/cli-pki-verify
...
CLI: Add `pki verify` command for better TLS certificate troubleshooting
2020-02-25 09:07:24 +01:00
Michael Friedrich
fdb13d1b7d
TlsUtility: Replace deprecated OpenSSL function with ASN1_STRING_get0_data()
2020-02-21 13:02:58 +01:00
Michael Friedrich
548eb933c9
TlsUtility: Add getters for version, signature algorithm, SANs
2020-02-17 17:42:20 +01:00
Henrik Triem
099cc5d8df
Merge pull request #7833 from Icinga/feature/version-build-info-openssl
...
CLI: Add OpenSSL version to 'Build' section in --version
2020-02-17 17:07:51 +01:00
Michael Friedrich
71c7eebe4e
CLI: Add OpenSSL version to 'Build' section in --version
...
This helps to see against which OpenSSL version Icinga was built.
Inspired by #5572
2020-02-14 08:55:39 +01:00
Michael Friedrich
a7436394cd
TlsUtility: Add IsCa() function to verify given certificate being a CA certificate
2020-02-13 16:03:43 +01:00
Alexander A. Klimov
ba1ce9c853
Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr
2019-10-21 16:12:46 +02:00
Michael Friedrich
0fd2fc0a4f
Only include SSL_CTX_set_ecdh_auto for OpenSSL < 1.1.0
2019-07-23 17:39:02 +02:00
Michael Friedrich
6682a427d4
TLS: Ensure to specify options in one place
...
`SetTlsProtocolminToSSLContext()` may have overridden
previous flags.
refs #7277
refs #7041
refs #7211
2019-07-15 13:29:55 +02:00
Michael Friedrich
524e2368be
Respect OpenSSL 1.1.0 vs older
2019-07-12 14:56:08 +02:00
Michael Friedrich
32d288f243
TLS: Fetch the cipher list and log them for debugging
2019-07-12 14:39:17 +02:00
Alexander A. Klimov
6568017658
Use SSL_CTX_set_ecdh_auto only if available
...
refs #7280
2019-07-04 13:05:31 +02:00
Michael Friedrich
9c92368774
SSL Context: Explicitly load ECC ciphers on el7
...
Otherwise curl/nss as client won't be able to use the
new default cipher list.
fixes #7247
2019-06-18 14:58:19 +02:00
Michael Friedrich
146b337d4d
Merge pull request #7211 from Icinga/feature/asio-tls-version
...
Require TLS 1.2 for Cluster & REST API
2019-06-03 16:19:22 +02:00
Michael Friedrich
d82c067555
Require TLS 1.2 for Cluster & REST API
...
refs #7041
2019-05-29 17:08:36 +02:00
Michael Friedrich
ba44c3921c
Quality: Remove old MakeSSLContext() interface
2019-05-28 13:03:34 +02:00
Elias Ohm
e75f063552
bring some things in line
...
- account for documented buffer size openssl 1.1.x for error string (>=256 bytes)
- use nullptr instead of NULL
- fix/streamline null-checks
2019-05-09 00:22:24 +02:00
Jean Flach
9a0d894f10
Don't use deprecated RSA_generate_key
...
fixes #4635
2019-05-08 23:46:31 +02:00
Alexander A. Klimov
2615967e7f
Make ApiListener#m_SSLContext a Boost ASIO SSL context
2019-04-01 11:40:14 +02:00
Michael Friedrich
d14a88235d
Replace Copyright header with a short version, part I
...
CLion -> replace in path
2019-02-25 14:48:22 +01:00
Michael Friedrich
dab53448bc
icinga.com: Update *.{h,c}pp
2018-10-18 09:27:04 +02:00
Gunnar Beutner
e678fa1aa5
Refactor Application::*Const()
2018-08-13 15:27:05 +02:00
Markus Frosch
9fbc40615a
Improve path handling in cmake and daemon
2018-08-07 14:10:26 +02:00
Michael Friedrich
2fd6709952
Remove ApiUser password_hash functionality
...
This affects and fixes
- Windows reload
- Config validation
- RHEL 7.5 OpenSSL memory corruption
- Hash algorithm, requested changes
refs #6378
refs #6279
refs #6278
2018-06-19 11:32:03 +02:00
Jean Flach
08a14cd136
Ensure that password hash generation from OpenSSL is atomic
...
This is supposed to solve a problem with segfaults caused by
race conditions withing the random byte generation of OpenSSL.
fixes #6279
2018-05-23 10:55:14 +02:00
Michael Friedrich
1102f60b43
Revert "Implement support for ECC certificates"
...
This reverts commit 10691db5b1
.
refs #5555
refs #6200
2018-05-02 16:54:07 +02:00
Jean Flach
0a0795f09d
Code style
2018-02-16 11:47:13 +01:00
Jean Flach
65a806f5dc
Move new password functions into tlsutility
2018-02-15 13:09:22 +01:00
Jean Flach
92e2faaa08
Hash API password and comparison
...
fixes #4920
2018-02-15 13:09:22 +01:00
Gunnar Beutner
f05459b40c
Move inline functions to their .cpp files
2018-01-04 12:24:58 +01:00
Gunnar Beutner
e0c350b8a5
Apply clang-tidy fix 'modernize-use-nullptr'
2018-01-04 12:24:57 +01:00