httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject [users@httpd] SSLPassPhraseDialog exec:/file sends wrong port #
Date Mon, 26 Apr 2004 00:22:30 GMT
Hello!

History:

I'm using httpd-2.0.48 (soon to upgrade to .49), with several "secure"
sites (self-signed) on the same IP address, using the technique of
choosing non-standard port numbers for each site.  I originally created
several self-signed certificates several months ago, all with no
passphrase.  Now the openssl kit doesn't seem to like no passphrase by
default when generating a key.  After a cursory view, I couldn't figure
out how to turn off the passphrase requirement on openssl.  Knowing that
Apache would prompt for a password, I looked to see if Apache had any
hooks to help automate the process of providing passphrases for
certificates during startup.  This is when I discovered the
SSLPassPhraseDialog directive.  I have written a Perl script to check
that uid, gid, and groups are all 0, and if so, then it prints the
password for this one site on STDOUT.

Problem description:

Now I want to generate new keys, csrs, and certificates that have a
separate passphrase for each.  I have modified this Perl script to print
out the first and second arguments to a file for each call (append), so
I can see what arguments Apache is sending (see below).

arg0: server7:443
arg1: RSA

You can see, Apache is sending port 443, where I have specified in the
config file a NameVirtualHost with port 4306 for this VirtualHost.  This
is not too critical for my setup with this script, as I have only one
secure site per host name.  But what if I had multiple secure sites with
separate port numbers for the same host name?  Then I would have no way
of matching the correct password to the certificate/key passphrase
dialog.  This appears to be a bug(?)  Where does the 443 come from?  Is
that hard coded in Apache?  I have no NameVirtualHosts associated with
port 443, no Listens, no Ports, etc.  Is there any way to get Apache to
correct this error?  Is the port hard coded in the key and certificate
files?  Do I need to generate the key, csr, and cert with a specific
port?  I did not seem able to find such an option for openssl; perhaps I
missed it.

Also, as a side note, are there any other things I should check to make
sure only root can get the password from my Perl script?  The file is
chown 0.0 and chmod 700.  Apache starts as root then switches to User
www / Group www, and furthermore, each VirtualHost has its own
SuexecUserGroup.  The Perl script sits outside the apache directories
entirely (/usr/local/sbin and /usr/local/apache2 respectively).  The
Perl script runs the 'id' command to get user info; is this vulnerable?
I guess I would have to trust 'perl' and 'id' 100%, but how can I
further protect, in case 'perl' or 'id' is compromised or forged?  I
tried to have my Perl script write out the contents of %ENV to my data
file, in the hopes of looking for more conditions to depend upon, but
Apache seems to set up Perl with no environment whatsoever (which I
found odd).

Leif

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
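An added example, not the poster's Perl script: a POSIX sh helper for `SSLPassPhraseDialog exec:` that keys its lookup on exactly the `server:port` string Apache passes as the first argument (as observed above, `server7:443`) plus the key type, refuses to run unless the effective uid is 0, and rejects malformed arguments before reading anything. The passphrase file path, its line format and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original poster's script): a helper for
#   SSLPassPhraseDialog exec:/usr/local/sbin/sslpass.sh
# Apache runs it as  sslpass.sh <servername:port> <RSA|DSA>  and reads the
# passphrase from stdout, so one script can serve several keys by keying
# the lookup on exactly the "server:port" string Apache passes.
# Assumed (not from the post): passphrases live in a root-only file with
# one "server:port keytype passphrase" line each; PASSFILE path is made up.

PASSFILE="${PASSFILE:-/usr/local/etc/ssl-passphrases}"

# Same intent as the uid/gid check in the post: refuse unless euid is 0.
require_root() {
    [ "$(id -u)" = "0" ]
}

# Accept only "host:port" with a numeric port and a known key type, so a
# malformed argument can never select an unintended entry.
valid_args() {
    host="${1%%:*}"; port="${1#*:}"
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in RSA|DSA) return 0 ;; *) return 1 ;; esac
}

# Print the passphrase for (server:port, keytype) from file $3; exit 1 if
# no line matches. The passphrase is the third whitespace-separated field,
# so entries must not contain spaces.
lookup_passphrase() {
    awk -v id="$1" -v kt="$2" '
        $1 == id && $2 == kt { print $3; found = 1; exit }
        END { if (!found) exit 1 }' "$3"
}

# Constructed sample file for trying the script; these are not real secrets.
write_sample_passfile() {
    cat > "$1" <<'EOF'
# server:port   keytype  passphrase
server7:443     RSA      demo-pass-443
server7:4306    RSA      demo-pass-4306
EOF
    chmod 600 "$1"
}

# Only act when invoked by Apache with its two arguments.
if [ "$#" -eq 2 ]; then
    require_root || { echo "sslpass: not running as root" >&2; exit 1; }
    valid_args "$1" "$2" || { echo "sslpass: bad arguments" >&2; exit 1; }
    lookup_passphrase "$1" "$2" "$PASSFILE"
fi
```

Whatever port Apache actually reports in the first argument is what the file must list, so capturing the arguments once (as the post does) before populating the file avoids a mismatch at startup.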