httpd-users mailing list archives
From "Leif W" <warp-...@usa.net>
Subject [users@httpd] Re: SSLPassPhraseDialog exec:/file sends wrong port #
Date Tue, 27 Apr 2004 04:18:04 GMT
Well, to answer my own question, it is indeed a bug that someone else
has experienced before.  It was reported in version 2.0.47.  It's still
not fixed in 2.0.49.  There is a user patch which may not fit 2.0.49, but
it's simple enough to apply by hand.  This is an annoying bug and very
easy to fix (i.e. the best kind of bug), but it's been overlooked far
too long.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24331

Leif

----- Original Message ----- 
From: "Leif W" <warp-9.9@usa.net>
To: <users@httpd.apache.org>
Sent: Sunday, April 25, 2004 8:22 PM
Subject: SSLPassPhraseDialog exec:/file sends wrong port #


> Hello!
>
> History:
>
> I'm using httpd-2.0.48 (soon to upgrade to .49), with several "secure"
> sites (self-signed) on the same IP address, using the technique of
> choosing non-standard port numbers for each site.  I originally created
> several self-signed certificates several months ago, all with no
> passphrase.  Now the openssl kit doesn't seem to like no passphrase by
> default when generating a key.  After a cursory view, I couldn't figure
> out how to turn off the passphrase requirement on openssl.  Knowing that
> Apache would prompt for a password, I looked to see if Apache had any
> hooks to help automate the process of providing passphrases for
> certificates during startup.  This is when I discovered the
> SSLPassPhraseDialog directive.  I have written a Perl script to check
> that uid, gid, and groups are all 0, and if so, then it prints the
> password for this one site on STDOUT.
>
> Problem description:
>
> Now I want to generate new keys, csrs, and certificates that have a
> separate passphrase for each.  I have modified this Perl script to print
> out the first and second arguments to a file for each call (append), so
> I can see what arguments Apache is sending (see below).
>
> arg0: server7:443
> arg1: RSA
>
> You can see, Apache is sending port 443, where I have specified in the
> config file a NameVirtualHost with port 4306 for this VirtualHost.  This
> is not too critical for my setup with this script, as I have only one
> secure site per host name.  But what if I had multiple secure sites with
> separate port numbers for the same host name?  Then I would have no way
> of matching the correct password to the certificate/key passphrase
> dialog.  This appears to be a bug(?)  Where does the 443 come from?  Is
> that hard coded in Apache?  I have no NameVirtualHosts associated with
> port 443, no Listens, no Ports, etc.  Is there any way to get Apache to
> correct this error?  Is the port hard coded in the key and certificate
> files?  Do I need to generate the key, csr, and cert with a specific
> port?  I did not seem able to find such an option for openssl, perhaps I
> missed it.
>
> Also, as a side note, are there any other things I should check to make
> sure only root can get the password from my Perl script?  The file is
> chown 0.0 and chmod 700.  Apache starts as root then switches to User
> www / Group www, and furthermore, each VirtualHost has its own
> SuexecUserGroup.  The Perl script sits outside the apache directories
> entirely, ( /usr/local/sbin and /usr/local/apache2 respectively ).  The
> Perl script runs the 'id' command to get user info, is this vulnerable?
> I guess I would have to trust 'perl' and 'id' 100%, but how can I
> further protect, in case 'perl' or 'id' is compromised or forged?  I
> tried to have my Perl script write out the contents of %ENV to my data
> file, in the hopes of looking for more conditions to depend upon, but
> Apache seems to set up Perl with no environment whatsoever (which I
> found odd).
>
> Leif
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
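Editor's note: the thread describes the SSLPassPhraseDialog exec: protocol (mod_ssl runs the helper with "servername:port" and "RSA"/"DSA" as its two arguments, with an empty environment, and reads the passphrase from stdout) and a helper that releases a passphrase only when uid, gid and groups are all 0. The script below is an added example written for this page, not Leif's Perl script and not part of Apache httpd. It keeps a per-site passphrase map and, because the post reports httpd 2.0.48 handing over ":443" regardless of the VirtualHost port, falls back to matching on the server name alone, but refuses rather than guesses when that name has more than one key. The path /usr/local/sbin/ssl-passphrase, the host names, ports and passphrases in the map are all constructed for the example.

```shell
#!/bin/sh
# ssl-passphrase: hypothetical helper for the directive
#   SSLPassPhraseDialog exec:/usr/local/sbin/ssl-passphrase
# mod_ssl runs it as   ssl-passphrase <servername:port> <RSA|DSA>
# with an empty environment and reads the passphrase from stdout.
# Install root-owned, mode 0700, outside the httpd tree, as the post does.
# (Example code for this page, not part of Apache httpd or the original post.)

# Constructed sample map: "servername:port algorithm passphrase", one per line.
# In a real deployment this would live in a root-only file, not in the script.
PASSPHRASE_MAP='
server7:4306 RSA example-pass-4306
server8:4307 RSA example-pass-4307
server8:4308 RSA example-pass-4308
'

# caller_is_root UID GID "GROUPS": succeed only if every id is 0, mirroring
# the uid/gid/groups check the post describes.  The ids are passed in as
# arguments so the policy can be exercised without actually running as root.
caller_is_root() {
  [ "$1" = "0" ] || return 1
  [ "$2" = "0" ] || return 1
  for g in $3; do
    [ "$g" = "0" ] || return 1
  done
  return 0
}

# lookup_passphrase SERVERNAME:PORT ALGORITHM -> prints the passphrase.
# Exit status: 0 found, 1 no match, 2 ambiguous (name matches several keys).
lookup_passphrase() {
  key="$1"
  algo="$2"
  host="${key%%:*}"

  # 1. Exact match on the "servername:port" id mod_ssl hands over.
  match=$(printf '%s\n' "$PASSPHRASE_MAP" |
    awk -v k="$key" -v a="$algo" 'NF == 3 && $1 == k && $2 == a { print $3 }')

  # 2. Fallback on the server name alone, because the post reports httpd
  #    2.0.48 passing ":443" whatever the VirtualHost port is.  Only safe
  #    when the name maps to exactly one key of that algorithm.
  if [ -z "$match" ]; then
    match=$(printf '%s\n' "$PASSPHRASE_MAP" |
      awk -v h="$host" -v a="$algo" 'NF == 3 && index($1, h ":") == 1 && $2 == a { print $3 }')
  fi

  n=$(printf '%s\n' "$match" | awk 'NF { n++ } END { print n + 0 }')
  case "$n" in
    0) echo "ssl-passphrase: no passphrase for $key ($algo)" >&2; return 1 ;;
    1) printf '%s\n' "$match"; return 0 ;;
    *) echo "ssl-passphrase: $key ($algo) matches $n keys by name; need the exact port" >&2; return 2 ;;
  esac
}

main() {
  caller_is_root "$(id -u)" "$(id -g)" "$(id -G)" || {
    echo "ssl-passphrase: refusing to run for a non-root caller" >&2
    exit 1
  }
  [ "$#" -eq 2 ] || { echo "usage: $0 servername:port RSA|DSA" >&2; exit 1; }
  lookup_passphrase "$1" "$2"
}

# Only run the dialog when invoked with mod_ssl's two arguments, so the
# functions above can also be sourced and exercised on their own.
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Two design choices worth noting. The uid/gid/groups test takes its inputs as arguments rather than calling id inside the function, so the policy can be tested without root, and the helper never consults the environment, which matches the post's observation that mod_ssl starts it with no environment at all. The name-only fallback is deliberately strict: with the port reported as 443 for every VirtualHost, two secure sites on one host name cannot be told apart, so the script fails closed with a distinct exit status instead of printing the wrong passphrase.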

