From "Leif W" <>
Subject Re: [users@httpd] SSLPassPhraseDialog exec:/file sends wrong port #
Date Mon, 26 Apr 2004 01:03:50 GMT
Ah yes, openssl's -des3 option causes the passphrase protection.  Forgot
about that.  :D  Still doesn't change what seems to be an Apache bug,
reporting the wrong port # to the SSLPassPhraseDialog exec:/file


----- Original Message ----- 
From: "Leif W" <>
To: <>
Sent: Sunday, April 25, 2004 8:22 PM
Subject: [users@httpd] SSLPassPhraseDialog exec:/file sends wrong port #

> Hello!
> History:
> I'm using httpd-2.0.48 (soon to upgrade to .49), with several "secure"
> sites (self-signed) on the same IP address, using the technique of
> choosing non-standard port numbers for each site.  I originally generated
> several self-signed certificates several months ago, all with no
> passphrase.  Now the openssl kit doesn't seem to like no passphrase by
> default when generating a key.  After a cursory view, I couldn't figure
> out how to turn off the passphrase requirement on openssl.  Knowing
> Apache would prompt for a password, I looked to see if Apache had any
> hooks to help automate the process of providing passphrases for
> certificates during startup.  This is when I discovered the
> SSLPassPhraseDialog directive.  I have written a Perl script to check
> that uid, gid, and groups are all 0, and if so, then it prints the
> password for this one site on STDOUT.
> Problem description:
> Now I want to generate new keys, csrs, and certificates that have a
> separate passphrase for each.  I have modified this Perl script to write
> out the first and second arguments to a file for each call (append), so
> I can see what arguments Apache is sending (see below).
> arg0: server7:443
> arg1: RSA
> You can see, Apache is sending port 443, where I have specified in the
> config file a NameVirtualHost with port 4306 for this VirtualHost.  This
> is not too critical for my setup with this script, as I have only one
> secure site per host name.  But what if I had multiple secure sites with
> separate port numbers for the same host name?  Then I would have no way
> of matching the correct password to the certificate/key passphrase
> dialog.  This appears to be a bug(?)  Where does the 443 come from?  Is
> that hard coded in Apache?  I have no NameVirtualHosts associated with
> port 443, no Listens, no Ports, etc.  Is there any way to get Apache to
> correct this error?  Is the port hard coded in the key and certificate
> files?  Do I need to generate the key, csr, and cert with a specific
> port?  I did not seem able to find such an option for openssl, perhaps I
> missed it.
> Also, as a side note, are there any other things I should check to make
> sure only root can get the password from my Perl script?  The file is
> chown 0.0 and chmod 700.   Apache starts as root then switches to User
> www / Group www, and furthermore, each VirtualHost has its own
> SuexecUserGroup.  The Perl script sits outside the apache directories
> entirely, ( /usr/local/sbin and /usr/local/apache2 respectively ).  The
> Perl script runs the 'id' command to get user info, is this
> I guess I would have to trust 'perl' and 'id' 100%, but how can I
> further protect, in case 'perl' or 'id' is compromised or forged?  I
> tried to have my Perl script write out the contents of %ENV to my data
> file, in the hopes of looking for more conditions to depend upon, but
> Apache seems to set up Perl with no environment whatsoever (which I
> found odd).
> Leif
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> See <URL:> for more info.
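As an added example (not the poster's Perl script), the same `SSLPassPhraseDialog exec:` helper written in POSIX sh: it requires uid, gid and every group to be 0 as the post describes, then looks the passphrase up by the exact `servername:port` and key-type arguments Apache passes, and fails closed when there is no match, so a request for `server7:443` when only `server7:4306` is configured yields nothing rather than the wrong key's passphrase. The script path, table entries and passphrases are constructed for the example.

```shell
#!/bin/sh
# Helper for:  SSLPassPhraseDialog exec:/usr/local/sbin/sslpass.sh   (assumed path)
# Apache invokes it as:  sslpass.sh <servername:port> <keytype>   e.g. server7:443 RSA
# and reads the passphrase from stdout.

# Constructed lookup table, one "<servername:port> <keytype> <passphrase>" per line.
# In a real deployment keep it in a separate root-only (chmod 600) file, not in the script.
PASS_TABLE='
server7:4306 RSA example-passphrase-4306
server7:4307 RSA example-passphrase-4307
server7:4307 DSA example-dsa-passphrase
'

# Mirror of the post's check: uid, gid and all supplementary groups must be 0.
caller_is_root() {
    [ "$(id -u)" -eq 0 ] || return 1
    [ "$(id -g)" -eq 0 ] || return 1
    for g in $(id -G); do
        [ "$g" -eq 0 ] || return 1
    done
    return 0
}

# Print the passphrase for an exact <servername:port> <keytype> match.
# Returns 1 (and prints nothing) when there is no match, so Apache's prompt
# simply fails instead of receiving another key's passphrase.
lookup_passphrase() {
    printf '%s\n' "$PASS_TABLE" | awk -v v="$1" -v k="$2" '
        $1 == v && $2 == k { print $3; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

main() {
    caller_is_root || { echo "sslpass: refusing non-root caller" >&2; exit 1; }
    # Log only the identifier Apache asked for, never the passphrase itself.
    lookup_passphrase "$1" "$2" || { echo "sslpass: no entry for '$1' '$2'" >&2; exit 1; }
}

# Run as the dialog only when Apache supplies both arguments.
if [ "$#" -eq 2 ]; then main "$@"; fi
```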
