httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 51075] New: Add support for TLS-SRP (RFC 5054)
Date Sun, 17 Apr 2011 21:29:38 GMT

           Summary: Add support for TLS-SRP (RFC 5054)
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl

TLS-SRP (RFC 5054)[1] is an implementation of the Secure Remote Password
(SRP)[2] protocol as a key exchange method for TLS. It uses a shared secret
derived from a user's password to supplement or replace third-party
certificates in setting up a TLS connection.

This patch adds TLS-SRP support to mod_ssl, adds two new directives
(SSLSRPVerifierFile and SSLSRPUnknownUserSeed), adds two new SSL env vars
(SSL_SRP_USER and SSL_SRP_USERINFO), and includes basic documentation.

The TLS-SRP-specific code uses preprocessor guards on OPENSSL_NO_SRP and is
enabled only if OpenSSL >= 1.0.1, which is the first version of OpenSSL that
will include SRP support[3]. 

To use this patch:
(1) install OpenSSL 1.0.1;
(2) create an OpenSSL SRP verifier (passwd) file with `openssl srp -srpvfile
passwd.srpv -add username`;
(3) specify this file in the server config with: SSLSRPVerifierFile
(4) optionally, for easier testing, force the use of SRP: SSLCipherSuite

To test the TLS-SRP functionality, use gnutls-cli or a version of cURL with
TLS-SRP support:

gnutls-cli --srpusername user --srppasswd secret host
curl --tlsuser user --tlspassword secret -k https://host

TLS-SRP support for Apache is already provided by mod_gnutls[4]. Now that PAKE
patents have expired and the security of CAs is increasingly being doubted,
TLS-SRP is gaining wider acceptance. GnuTLS, mod_gnutls, and TLSLite have
supported it for years; cURL since February; OpenSSL will support it in the
next release; and I have also assembled patches[5] for Chrome, Firefox, and

This patch was originally created by Christophe Renou and Peter Sylvester of
EdelWeb. I updated it to work with Apache 2's mod_ssl.

