tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-10-31 11:14:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
13,628 Commits 284 Branches 127 Tags
Commit Graph

143 Commits

Author SHA1 Message Date
Alexander Aleksandrovič Klimov
3ddbbebc63
Merge pull request #9946 from Icinga/2141backport 
Disable TLS renegotiation, bump Windows deps and fix Icinga DB crashes
 2023-12-20 12:40:41 +01:00
Alexander A. Klimov
ec77b6f1e3 Disable TLS renegotiation 
The API doesn't need it and a customer's security scanner
is afraid of a potential DoS attack vector.
 2023-12-20 10:14:00 +01:00
Alexander A. Klimov
6b000fbce6 CertificateToString(): allow raw pointer input 2023-12-18 17:04:59 +01:00
Alexander A. Klimov
0cb037c698 CreateCertIcingaCA(EVP_PKEY*, X509_NAME*): enable optional CA creation 2023-12-18 17:04:59 +01:00
Alexander A. Klimov
0f4723e567 Introduce IsCaUptodate() by splitting IsCertUptodate() 2023-12-18 17:04:59 +01:00
Julian Brost
a2e05f89e8 Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers 
Non-ECC DHE ciphers in the `cipher_list` attribute of `ApiListener` (the
default value includes these) had no effect as no DH parameters were available
and therefore the server wouldn't offer these ciphers. OpenSSL provides
built-in DH parameters starting from version 1.1.0, however, these have to be
enables explicitly using the `SSL_CTX_set_dh_auto()` function. This commit does
so and thereby makes it possible to establish a connection to an Icinga 2
server using a DHE cipher.
 2023-06-29 12:06:26 +02:00
Julian Brost
b24a2fa2a5
Merge pull request #9179 from Icinga/Al2Klimov-patch-3 
Let new cluster certificates expire after 397 days, not 15 years
 2022-04-11 15:29:05 +02:00
Alexander A. Klimov
e490883577 Renew certificates also periodically 2022-04-11 11:02:39 +02:00
Alexander A. Klimov
9be2eb8e5e Introduce IsCertUptodate() 2022-03-29 16:47:23 +02:00
Alexander A. Klimov
e06b631f3a Let new cluster certificates expire after 397 days, not 15 years 
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf, section 6.3.2:

"Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days."
 2022-03-29 16:47:23 +02:00
Yonas Habteab
a0607aceff Fix compiler warnings don't move local variables 2022-02-22 17:51:43 +01:00
Julian Brost
6cd3a483a0 tlsutility: move hex encoding into a separate function BinaryToHex 2021-11-05 14:14:37 +01:00
Alexander A. Klimov
37e53eaa68 Icinga DB: support TLS 2021-07-22 14:34:07 +02:00
Alexander A. Klimov
80a1128ec7 Introduce SetupSslContext() 2021-07-22 11:12:33 +02:00
Alexander A. Klimov
fbcaf82e3e InitSslContext(): fall back to default root CAs 2021-07-22 11:12:33 +02:00
Alexander A. Klimov
2728603c29 Rename SetupSslContext() to InitSslContext() 2021-07-22 11:12:33 +02:00
Julian Brost
0e7a05ad7a Support TLS 1.3 2021-06-29 11:08:47 +02:00
Julian Brost
2a2229a49b Don't use sprintf for SHA1 to hex conversion 2021-03-19 10:31:01 +01:00
Alexander A. Klimov
c3388e9af6 Use std::mutex, not boost::mutex 2021-02-03 09:54:57 +01:00
Noah Hilverling
f7e368564f
Merge pull request from GHSA-pcmr-2p2f-r7j6 
Verify certificates against CRL before renewing them (2.13)
 2020-12-15 12:30:19 +01:00
Julian Brost
e86bd24348 Verify certificates against CRL before renewing them 
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
 2020-12-09 12:10:59 +01:00
Julian Brost
bbfd1ecfc8 Use ERR_error_string_n() instead of ERR_error_string() 
Explicitly pass the actual length of the buffer to avoid overflows.
 2020-12-08 13:08:18 +01:00
Julian Brost
c0fc9a86c5 Increase size of buffer for OpenSSL error messages 
According to man 3 ERR_error_string, "buf must be at least 256 bytes
long", therefore increase the buffer size to 256 everywhere.
 2020-12-08 13:08:18 +01:00
Julian Brost
61d7ec4bf7 Remove std::string to_string(const errinfo_openssl_error& e) 
The function was never used and it's implementation contains a bug where
a buffer of too small size is used as a paramter to ERR_error_string.
According to the `man 3 ERR_error_info`, the buffer has to be at least
256 bytes in size.

Also the function seems of limited use as it allows to output the tag
object used with additional error information for exceptions in Boost.
However, you boost::get_error_info<>() just returns the value type but
not the full tag object from the exception.
 2020-12-08 13:05:38 +01:00
Michael Friedrich
06d0c3ea4e
Merge pull request #7843 from Icinga/feature/cli-pki-verify 
CLI: Add `pki verify` command for better TLS certificate troubleshooting
 2020-02-25 09:07:24 +01:00
Michael Friedrich
fdb13d1b7d TlsUtility: Replace deprecated OpenSSL function with ASN1_STRING_get0_data() 2020-02-21 13:02:58 +01:00
Michael Friedrich
548eb933c9 TlsUtility: Add getters for version, signature algorithm, SANs 2020-02-17 17:42:20 +01:00
Henrik Triem
099cc5d8df
Merge pull request #7833 from Icinga/feature/version-build-info-openssl 
CLI: Add OpenSSL version to 'Build' section in --version
 2020-02-17 17:07:51 +01:00
Michael Friedrich
71c7eebe4e CLI: Add OpenSSL version to 'Build' section in --version 
This helps to see against which OpenSSL version Icinga was built.
Inspired by #5572
 2020-02-14 08:55:39 +01:00
Michael Friedrich
a7436394cd TlsUtility: Add IsCa() function to verify given certificate being a CA certificate 2020-02-13 16:03:43 +01:00
Alexander A. Klimov
ba1ce9c853 Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr 2019-10-21 16:12:46 +02:00
Michael Friedrich
0fd2fc0a4f Only include SSL_CTX_set_ecdh_auto for OpenSSL < 1.1.0 2019-07-23 17:39:02 +02:00
Michael Friedrich
6682a427d4 TLS: Ensure to specify options in one place 
`SetTlsProtocolminToSSLContext()` may have overridden
previous flags.

refs #7277

refs #7041
refs #7211
 2019-07-15 13:29:55 +02:00
Michael Friedrich
524e2368be Respect OpenSSL 1.1.0 vs older 2019-07-12 14:56:08 +02:00
Michael Friedrich
32d288f243 TLS: Fetch the cipher list and log them for debugging 2019-07-12 14:39:17 +02:00
Alexander A. Klimov
6568017658 Use SSL_CTX_set_ecdh_auto only if available 
refs #7280
 2019-07-04 13:05:31 +02:00
Michael Friedrich
9c92368774 SSL Context: Explicitly load ECC ciphers on el7 
Otherwise curl/nss as client won't be able to use the
new default cipher list.

fixes #7247
 2019-06-18 14:58:19 +02:00
Michael Friedrich
146b337d4d
Merge pull request #7211 from Icinga/feature/asio-tls-version 
Require TLS 1.2 for Cluster & REST API
 2019-06-03 16:19:22 +02:00
Michael Friedrich
d82c067555 Require TLS 1.2 for Cluster & REST API 
refs #7041
 2019-05-29 17:08:36 +02:00
Michael Friedrich
ba44c3921c Quality: Remove old MakeSSLContext() interface 2019-05-28 13:03:34 +02:00
Elias Ohm
e75f063552 bring some things in line 
- account for documented buffer size openssl 1.1.x for error string (>=256 bytes)
- use nullptr instead of NULL
- fix/streamline null-checks
 2019-05-09 00:22:24 +02:00
Jean Flach
9a0d894f10 Don't use deprecated RSA_generate_key 
fixes #4635
 2019-05-08 23:46:31 +02:00
Alexander A. Klimov
2615967e7f Make ApiListener#m_SSLContext a Boost ASIO SSL context 2019-04-01 11:40:14 +02:00
Michael Friedrich
d14a88235d Replace Copyright header with a short version, part I 
CLion -> replace in path
 2019-02-25 14:48:22 +01:00
Michael Friedrich
dab53448bc icinga.com: Update *.{h,c}pp 2018-10-18 09:27:04 +02:00
Gunnar Beutner
e678fa1aa5 Refactor Application::*Const() 2018-08-13 15:27:05 +02:00
Markus Frosch
9fbc40615a Improve path handling in cmake and daemon 2018-08-07 14:10:26 +02:00
Michael Friedrich
2fd6709952 Remove ApiUser password_hash functionality 
This affects and fixes

- Windows reload
- Config validation
- RHEL 7.5 OpenSSL memory corruption
- Hash algorithm, requested changes

refs #6378
refs #6279
refs #6278
 2018-06-19 11:32:03 +02:00
Jean Flach
08a14cd136 Ensure that password hash generation from OpenSSL is atomic 
This is supposed to solve a problem with segfaults caused by
race conditions withing the random byte generation of OpenSSL.

fixes #6279
 2018-05-23 10:55:14 +02:00
Michael Friedrich
1102f60b43 Revert "Implement support for ECC certificates" 
This reverts commit 10691db5b1297caaff15a2470575d34c29bd00e2.

refs #5555
refs #6200
 2018-05-02 16:54:07 +02:00