Date: Sun, 17 Apr 2011 17:29:38 -0400 (EDT)
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 51075] New: Add support for TLS-SRP (RFC 5054)
https://issues.apache.org/bugzilla/show_bug.cgi?id=51075

           Summary: Add support for TLS-SRP (RFC 5054)
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sqs@cs.stanford.edu

TLS-SRP (RFC 5054)[1] is an implementation of the Secure Remote Password (SRP)[2] protocol as a key exchange method for TLS. It uses a shared secret derived from a user's password to supplement or replace third-party certificates in setting up a TLS connection.

This patch adds TLS-SRP support to mod_ssl, adds two new directives (SSLSRPVerifierFile and SSLSRPUnknownUserSeed), adds two new SSL env vars (SSL_SRP_USER and SSL_SRP_USERINFO), and includes basic documentation. The TLS-SRP-specific code uses preprocessor guards on OPENSSL_NO_SRP and is enabled only if OpenSSL >= 1.0.1, which is the first version of OpenSSL that will include SRP support[3].

To use this patch:

(1) install OpenSSL 1.0.1;
(2) create an OpenSSL SRP verifier (passwd) file with:
      openssl srp -srpvfile passwd.srpv -add username
(3) specify this file in the server config with:
      SSLSRPVerifierFile /path/to/passwd.srpv
(4) optionally, for easier testing, force the use of SRP:
      SSLCipherSuite "!DSS:!aRSA:SRP"

To test the TLS-SRP functionality, use gnutls-cli or a version of cURL with TLS-SRP support:

  gnutls-cli --srpusername user --srppasswd secret host
  curl --tlsuser user --tlspassword secret -k https://host

TLS-SRP support for Apache is already provided by mod_gnutls[4]. Now that PAKE patents have expired and the security of CAs is increasingly being doubted, TLS-SRP is gaining wider acceptance. GnuTLS, mod_gnutls, and TLSLite have supported it for years; cURL since February; OpenSSL will support it in the next release; and I have also assembled patches[5] for Chrome, Firefox, and NSS.

This patch was originally created by Christophe Renou and Peter Sylvester of EdelWeb. I updated it to work with Apache 2's mod_ssl.

[1] http://tools.ietf.org/html/rfc5054
[2] http://srp.stanford.edu/
[3] http://cvs.openssl.org/chngview?cn=20484
[4] http://trustedhttp.org/wiki/TLS-SRP_in_Apache_mod_gnutls
[5] http://trustedhttp.org/
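The verifier file from step (2) and the key exchange the patch negotiates, as an added illustration that is not part of the patch, of mod_ssl or of OpenSSL: a minimal SRP-6a run in Python following RFC 5054 (SHA-1 for the hashes, the 1024-bit group from Appendix A, the PAD() rule and the A/B-mod-N abort checks). Identity, password and salt are constructed sample values. It shows that the server stores only (I, s, v), never the password, and that the two sides agree on the premaster secret only when the client knows the password.

```python
import hashlib
import secrets

# RFC 5054 Appendix A, 1024-bit group (g = 2)
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8

def pad(n):
    """PAD(): big-endian, left-padded with zeros to the byte length of N."""
    return n.to_bytes(N_LEN, "big")

def H(*parts):
    """SHA-1 over the concatenation, as an integer (RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def x_value(I, P, s):
    # x = SHA1(s | SHA1(I | ":" | P))
    return H(s, hashlib.sha1(I + b":" + P).digest())

def verifier(I, P, s):
    # v = g^x mod N; this is what the verifier (passwd) file stores
    return pow(g, x_value(I, P, s), N)

def server_hello(v):
    # ServerKeyExchange: B = k*v + g^b mod N with k = SHA1(N | PAD(g))
    k = H(pad(N), pad(g))
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N

def client_premaster(I, P, s, B):
    if B % N == 0:                       # mandatory check on ServerKeyExchange
        raise ValueError("abort: B mod N == 0")
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                      # sent in ClientKeyExchange
    u, k, x = H(pad(A), pad(B)), H(pad(N), pad(g)), x_value(I, P, s)
    return A, pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def server_premaster(v, b, A, B):
    if A % N == 0:                       # mandatory check on ClientKeyExchange
        raise ValueError("abort: A mod N == 0")
    return pow(A * pow(v, u := H(pad(A), pad(B)), N), b, N)

def run_exchange(password_tried):
    # constructed sample identity, password and salt (not RFC test vectors)
    I, P, s = b"alice", b"correct horse", bytes.fromhex("0102030405060708")
    v = verifier(I, P, s)                 # only (I, s, v) is kept server-side
    b, B = server_hello(v)
    A, S_client = client_premaster(I, password_tried, s, B)
    return S_client == server_premaster(v, b, A, B)
```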