96 Commits

Author SHA1 Message Date
Michael Friedrich
2fd6709952 Remove ApiUser password_hash functionality
This affects and fixes

- Windows reload
- Config validation
- RHEL 7.5 OpenSSL memory corruption
- Hash algorithm, requested changes

refs #6378
refs #6279
refs #6278
2018-06-19 11:32:03 +02:00
Jean Flach
08a14cd136 Ensure that password hash generation from OpenSSL is atomic
This is supposed to solve a problem with segfaults caused by
race conditions within the random byte generation of OpenSSL.

fixes #6279
2018-05-23 10:55:14 +02:00
Michael Friedrich
1102f60b43 Revert "Implement support for ECC certificates"
This reverts commit 10691db5b1297caaff15a2470575d34c29bd00e2.

refs #5555
refs #6200
2018-05-02 16:54:07 +02:00
Jean Flach
0a0795f09d Code style 2018-02-16 11:47:13 +01:00
Jean Flach
65a806f5dc Move new password functions into tlsutility 2018-02-15 13:09:22 +01:00
Jean Flach
92e2faaa08 Hash API password and comparison
fixes #4920
2018-02-15 13:09:22 +01:00
Gunnar Beutner
f05459b40c Move inline functions to their .cpp files 2018-01-04 12:24:58 +01:00
Gunnar Beutner
e0c350b8a5 Apply clang-tidy fix 'modernize-use-nullptr' 2018-01-04 12:24:57 +01:00
Gunnar Beutner
e3ad0be769 Apply clang-tidy fix 'modernize-use-auto' 2018-01-04 12:24:57 +01:00
Gunnar Beutner
ac155d1dda Apply clang-tidy fix 'modernize-redundant-void-arg' 2018-01-04 12:24:57 +01:00
Michael Insel
158ae2188e Change copyright header for 2018 2018-01-02 12:08:55 +01:00
Jean Flach
2636e6a77a Whitespace fix
What does this change?
* Remove use of spaces for formatting
These could be found by using `grep -r -l -P '^\t+ +[^*]'`
* Removal of trailing whitespaces
* A few lines longer than 120 chars
2017-12-20 14:53:52 +01:00
Gunnar Beutner
1ad83886ac Replace a few more NULLs with nullptr 2017-12-14 15:37:20 +01:00
Gunnar Beutner
42744fde5b Remove extraneous whitespace 2017-12-14 08:50:09 +01:00
Gunnar Beutner
6d09efc907 Use std::shared_ptr instead of boost::shared_ptr 2017-11-30 17:41:00 +01:00
Gunnar Beutner
6b3931973e Merge pull request #5555 from Icinga/feature/ecc-certs
Implement support for ECC certificates
2017-11-27 15:11:04 +01:00
Michael Friedrich
9a04a99400 Merge pull request #5554 from Icinga/feature/cn-check-for-san
Add subjectAltName extension for all non-CA certificates
2017-10-10 17:50:01 +02:00
Gunnar Beutner
774936bfe8 Implement support for pki::UpdateCertificate messages
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
0ec07bce51 Implement support for updating client certificates
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
abdd4b307b Implement the 'ca list' and 'ca sign' CLI commands
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
510e2d622a Implement support for ticket-less certificate requests
refs #5450
2017-09-12 12:52:49 +02:00
Gunnar Beutner
10691db5b1 Implement support for ECC certificates 2017-09-06 12:29:30 +02:00
Gunnar Beutner
3385122bc3 Add subjectAltName extension for all non-CA certificates 2017-09-06 12:25:36 +02:00
Michael Friedrich
79c45ea811 Build fix for OpenSSL 0.9.8 and stack_st_X509_EXTENSION 2017-05-26 13:16:20 +02:00
Gunnar Beutner
b366483466 Add subjectAltName X509 ext for certificate requests 2017-05-11 15:38:17 +02:00
Gunnar Beutner
0c25d14d0c Fix crash in SHA1
refs #4991
2017-03-29 10:17:03 +02:00
Michael Friedrich
0b466aabc0 Start working on checksum config dump
refs #4991
2017-03-29 10:17:03 +02:00
Sebastian Marsching
118d36f384 Fixed return code check in CRL loading
The code for loading CRLs was incorrectly assuming that OpenSSL's
X509_LOOKUP_load_file function returns zero on success, but actually it
returns one on success. This commit fixes this return code check so
that a CRL can be loaded.

fixes #5040

Signed-off-by: Gunnar Beutner <gunnar.beutner@icinga.com>
2017-02-28 14:08:24 +01:00
Michael Friedrich
b7caf0820d Ensure that *.icinga.com is used everywhere
fixes #13897
fixes #13277
2017-01-10 17:19:12 +01:00
Gunnar Beutner
0df4b4edfb Fix incorrect #ifdef
fixes #12749
2016-09-28 08:30:47 +02:00
Gunnar Beutner
ec87b9e795 Use hash-based serial numbers for new certificates
fixes #12453
2016-08-16 15:03:01 +02:00
Gunnar Beutner
231fd8d38b Build fix for CentOS 5
refs #11292
2016-08-08 15:27:16 +02:00
Uwe Ebel
b2ac05ad7d Make the minimum TLS protocol version configurable
The ApiListener accepts all TLS versions that the underlying
OpenSSL library supports. This patch gives the ability to restrict
the connection to a minimum TLS version.

fixes #11292

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>
2016-08-03 07:46:50 +02:00
Michael Friedrich
e712d6ffe7 Fix error message for specified ciphers
refs #11063
2016-07-19 20:13:34 +02:00
Uwe Ebel
1ca8b293cb Make the cipher list configurable for TLS streams
fixes #11063

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>
2016-07-18 13:40:00 +02:00
Gunnar Beutner
6de6ea5e42 Build fix for OpenSSL 1.1.0
fixes #12044
2016-06-27 08:28:22 +02:00
Gunnar Beutner
8b7d59eb34 Implement support for subjectAltName in SSL certificates
fixes #11556
2016-04-21 15:25:57 +02:00
Tobias von der Krone
ce3062904f Use the server's preferred cipher for the API connection
When using SSL_OP_CIPHER_SERVER_PREFERENCE the server's preferred cipher
is used instead of the client preference, see
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

fixes #11290
2016-03-04 14:57:06 +01:00
Gunnar Beutner
23edd6cb8f Add missing comment
refs #10988
2016-01-26 08:35:29 +01:00
Michael Friedrich
a4562fb433 Only set SSL_OP_NO_COMPRESSION if supported
OpenSSL 0.9.8 does not support this flag.

fixes #10988
2016-01-25 14:53:26 +01:00
Tobias von der Krone
1c67bf394c Support TLSv1.1 and TLSv1.2 for the cluster transport encryption
From https://wiki.openssl.org/index.php/SSL/TLS_Client:
SSLv23_method specifies the protocols used and behavior of the handshake.
The method essentially means SSLv2 or above, and includes the TLS protocols.
The protocols are further tuned through SSL/TLS options. By using
SSLv23_method (and removing the SSL protocols with SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3), then you will use TLS v1.0 and above, including TLS v1.2.
You will also use a TLS handshake in the TLS Record.

If you use TLSv1_method, then you will only use TLS v1.0.

fixes #10988
2016-01-20 16:48:00 +01:00
Jean Flach
cb70d97dcf Plug two memory leaks
refs #10963
2016-01-15 10:11:52 +01:00
Gunnar Beutner
599929b0f6 Update copyright headers for 2016 2016-01-12 08:29:59 +01:00
Michael Friedrich
f0a5a0c23c Fix openssl certificate not after overflow on rhel5
refs #10266
2015-10-02 12:11:21 +02:00
Michael Friedrich
9a2ae6e58f Fix missing zero padding for generated CA serial
fixes #10074
2015-09-03 17:12:01 +02:00
Gunnar Beutner
c37a23ccba Implement the Icinga Studio application
fixes #10042
2015-08-31 07:50:01 +02:00
Gunnar Beutner
5a72eaa768 Make sure the serial number field is always initialized
fixes #9947
2015-08-18 15:05:53 +02:00
Gunnar Beutner
0b495d1858 Set correct X509 version for certificates
fixes #9769
2015-07-29 12:59:12 +02:00
Gunnar Beutner
b357012ded Implement HTTP support
refs #9447
2015-07-09 11:42:34 +02:00
Gunnar Beutner
c08aa37c99 Fix crash in MakeX509CSR when using ancient versions of OpenSSL
fixes #8844
2015-03-26 08:23:24 +01:00