httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] SSLPassPhraseDialog exec:/file sends wrong port #
Date Mon, 26 Apr 2004 01:03:50 GMT
Ah yes, openssl's -des3 option causes the passphrase protection.  Forgot
about that.  :D  Still doesn't change what seems to be an Apache bug,
reporting the wrong port # to the SSLPassPhraseDialog exec:/file
program.

Leif

----- Original Message ----- 
From: "Leif W" <warp-9.9@usa.net>
To: <users@httpd.apache.org>
Sent: Sunday, April 25, 2004 8:22 PM
Subject: [users@httpd] SSLPassPhraseDialog exec:/file sends wrong port #


> Hello!
>
> History:
>
> I'm using httpd-2.0.48 (soon to upgrade to .49), with several "secure"
> sites (self-signed) on the same IP address, using the technique of
> choosing non-standard port numbers for each site.  I originally created
> several self-signed certificates several months ago, all with no
> passphrase.  Now the openssl kit doesn't seem to like no passphrase by
> default when generating a key.  After a cursory view, I couldn't figure
> out how to turn off the passphrase requirement on openssl.  Knowing that
> Apache would prompt for a password, I looked to see if Apache had any
> hooks to help automate the process of providing passphrases for
> certificates during startup.  This is when I discovered the
> SSLPassPhraseDialog directive.  I have written a Perl script to check
> that uid, gid, and groups are all 0, and if so, then it prints the
> password for this one site on STDOUT.
>
> Problem description:
>
> Now I want to generate new keys, csrs, and certificates that have a
> separate passphrase for each.  I have modified this Perl script to print
> out the first and second arguments to a file for each call (append), so
> I can see what arguments Apache is sending (see below).
>
> arg0: server7:443
> arg1: RSA
>
> You can see, Apache is sending port 443, where I have specified in the
> config file a NameVirtualHost with port 4306 for this VirtualHost.  This
> is not too critical for my setup with this script, as I have only one
> secure site per host name.  But what if I had multiple secure sites with
> separate port numbers for the same host name?  Then I would have no way
> of matching the correct password to the certificate/key passphrase
> dialog.  This appears to be a bug(?)  Where does the 443 come from?  Is
> that hard coded in Apache?  I have no NameVirtualHosts associated with
> port 443, no Listens, no Ports, etc.  Is there any way to get Apache to
> correct this error?  Is the port hard coded in the key and certificate
> files?  Do I need to generate the key, csr, and cert with a specific
> port?  I did not seem able to find such an option for openssl, perhaps I
> missed it.
>
> Also, as a side note, are there any other things I should check to make
> sure only root can get the password from my Perl script?  The file is
> chown 0.0 and chmod 700.  Apache starts as root then switches to User
> www / Group www, and furthermore, each VirtualHost has its own
> SuexecUserGroup.  The Perl script sits outside the apache directories
> entirely, ( /usr/local/sbin and /usr/local/apache2 respectively ).  The
> Perl script runs the 'id' command to get user info, is this vulnerable?
> I guess I would have to trust 'perl' and 'id' 100%, but how can I
> further protect, in case 'perl' or 'id' is compromised or forged?  I
> tried to have my Perl script write out the contents of %ENV to my data
> file, in the hopes of looking for more conditions to depend upon, but
> Apache seems to set up Perl with no environment whatsoever (which I
> found odd).
>
> Leif
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
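The helper the quoted message describes, written out as an added example in Python rather than the poster's own Perl script (this is not code from the thread). Apache runs the `SSLPassPhraseDialog exec:` program with two arguments, `servername:port` and the key type (`RSA` here), and reads the passphrase from stdout. The example checks uid, gid and supplementary groups are all 0 through `os.geteuid`/`os.getegid`/`os.getgroups` (system calls, so no external `id` binary to trust), and it looks the passphrase up by host name and key type only, treating the port as informational, because the thread reports Apache passing 443 where the VirtualHost is configured on 4306. The `PASSPHRASES` table, the host name `server7` and the passphrase value are constructed placeholders; in a real deployment the table would live in a root-only file, as the poster's `chown 0.0` / `chmod 700` setup implies.

```python
#!/usr/bin/env python3
"""Added example of an SSLPassPhraseDialog exec: helper (not the poster's script).

Invocation by Apache:   <program> <servername:port> <RSA|DSA>
Expected output:        the passphrase on stdout, nothing else.
"""
import os
import sys

# Constructed sample table: (hostname, keytype) -> passphrase.
# Placeholder values only; a real table belongs in a root-only (0600) file.
PASSPHRASES = {
    ("server7", "RSA"): "example-passphrase-for-server7",
}


def is_root(uid, gid, groups):
    """True only if the uid, gid and every supplementary group are 0."""
    return uid == 0 and gid == 0 and all(g == 0 for g in groups)


def parse_args(argv):
    """Split Apache's two arguments into (host, port, keytype)."""
    if len(argv) != 2:
        raise ValueError("expected <servername:port> <keytype>")
    hostport, keytype = argv
    host, sep, port = hostport.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("first argument must be servername:port")
    return host, int(port), keytype.upper()


def select_passphrase(argv, table, uid, gid, groups):
    """Return the passphrase for the requested key, or None if refused or unknown.

    The port is parsed but deliberately not used for the lookup: the thread
    shows Apache handing the helper 443 rather than the configured port, so
    keying on it would make the lookup fail for every non-443 VirtualHost.
    """
    if not is_root(uid, gid, groups):
        return None
    host, _port, keytype = parse_args(argv)
    return table.get((host, keytype))


def main():
    try:
        secret = select_passphrase(sys.argv[1:], PASSPHRASES,
                                   os.geteuid(), os.getegid(), os.getgroups())
    except ValueError as exc:
        print("passphrase helper: %s" % exc, file=sys.stderr)
        return 2
    if secret is None:
        # Say nothing on stdout; Apache will fail to unlock the key and log it.
        print("passphrase helper: refused or no entry", file=sys.stderr)
        return 1
    sys.stdout.write(secret + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with `SSLPassPhraseDialog exec:/path/to/helper` (placeholder path) and keep the helper itself root-owned and mode 700 as the poster already does; because Apache starts the helper with an empty environment, nothing in `%ENV` can be used as an extra condition, and the uid/gid check plus file permissions are what stands between the www user and the passphrase.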
