[ 
https://issues.apache.org/jira/browse/TS-612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13885882#comment-13885882
 ] 

James Peach commented on TS-612:
--------------------------------

You don't need the {{passwd_cb}} typedef since OpenSSL provides a 
{{pem_password_cb}} typedef. From looking at {{crypto/pem/pem.h}} you should 
probably puke if OpenSSL is < 0.9.4, though.

{{SSL_CLEAR_PW_REFERENCES}} should be written in functional style, like 
{{SSL_CLEAR_PW_REFERENCES(ud, ctx)}}.

Need to remove {{ink_process.h}} remnants.

I think the code that selects the dialog callback could be simpler. Here's what 
I suggest:
{code}
  passphrase_cb_userdata ud(params, serverDialog, serverCertPtr, serverKeyPtr);

  if (serverDialog) {
    int (*passwd_cb)(char *buf, int size, int rwflag, void *userdata);

    if (strncmp(serverDialog, "exec:", 5) == 0) {
      ud._serverDialog = &serverDialog[5];
      // validate the exec program
      if (!ssl_private_key_validate_exec(ud._serverDialog)) {
        SSLError("failed to access '%s' pass phrase program: %s", (const char *)ud._serverDialog, strerror(errno));
        goto fail;
      }
      // "exec:" dialog: the pass phrase comes from the external program
      passwd_cb = ssl_private_key_passphrase_callback_exec;
    } else if (strcmp(serverDialog, "builtin") == 0) {
      // "builtin" dialog
      passwd_cb = ssl_private_key_passphrase_callback_builtin;
    } else {
      // XXX Puke ...
      passwd_cb = ssl_private_key_passphrase_callback_builtin;
    }

    SSL_CTX_set_default_passwd_cb(ctx, passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, &ud);
  }
{code}

Why do the dialog functions allocate a temporary buffer? It looks like they could 
put the passphrase right into the buffer that OpenSSL gives us.

Nice documentation updates!

> ATS does not allow password protected certificates
> --------------------------------------------------
>
>                 Key: TS-612
>                 URL: https://issues.apache.org/jira/browse/TS-612
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>    Affects Versions: 3.0.0
>         Environment: Any
>            Reporter: Igor Galić
>            Assignee: Ron Barber
>             Fix For: 6.0.0
>
>
> Create a (self-signed) certificate with a password that is non-empty. {cat 
> server.key server.crt > server.pem} and configure it as
> {CONFIG proxy.config.ssl.server.cert.filename STRING server.pem}
> The result will be:
> {noformat}
> Jan  3 10:50:16 proveedores traffic_server[2579]: NOTE: --- Server Starting 
> ---
> Jan  3 10:50:16 proveedores traffic_server[2579]: NOTE: Server Version: 
> Apache Traffic Server - traffic_server - 2.0.1 - (build # 113112 on Dec 31 
> 2010 at 12:58:34)
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} STATUS: opened 
> var/log/trafficserver/diags.log
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} NOTE: updated 
> diags config
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} NOTE: cache 
> clustering disabled
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} WARNING: no 
> cache disks specified in etc/trafficserver/storage.config: cache disabled
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} NOTE: cache 
> clustering disabled
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} WARNING: 
> unable to open cache disk(s): Cache Disabled
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} ERROR: SSL 
> ERROR: Cannot use server private key file.
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} ERROR: 
> SSL::0:error:0906406D:PEM routines:PEM_def_callback:problems getting 
> password:pem_lib.c:105:
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} ERROR: 
> SSL::0:error:0906A068:PEM routines:PEM_do_header:bad password 
> read:pem_lib.c:406:
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} ERROR: 
> SSL::0:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM 
> lib:ssl_rsa.c:669:
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} ERROR: SSL 
> ERROR: Can't initialize the SSL library, disabling SSL termination!.
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} NOTE: logging 
> initialized[7], logging_mode = 3
> Jan  3 10:50:16 proveedores traffic_server[2579]: {1080362352} NOTE: traffic 
> server running
> {noformat}
> A first -- ugly -- shot would be to at least have a password field in the 
> configuration.
> In the end something taking the input of an external program or from a file 
> would be more desirable.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
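
The review point about putting the pass phrase right into the buffer OpenSSL supplies, as an added example (not code from the TS-612 patch or from Traffic Server). The names `read_passphrase` and `passphrase_cb_exec`, and passing the command string itself as `userdata`, are assumptions of this sketch; it matches the callback signature shown in the comment but does not link OpenSSL.

```c
#define _POSIX_C_SOURCE 200809L /* for popen/pclose */
#include <stdio.h>
#include <string.h>

/* Read one line from `in` directly into the caller's buffer: no temporary
 * copy of the pass phrase is made. Returns its length, or -1 on failure
 * (OpenSSL treats a negative return as a failed password read). */
static int read_passphrase(FILE *in, char *buf, int size)
{
    if (fgets(buf, size, in) == NULL) {
        memset(buf, 0, (size_t)size);
        return -1;
    }
    size_t len = strcspn(buf, "\r\n");
    if (buf[len] == '\0' && len == (size_t)size - 1) {
        /* Buffer full with no newline seen: accept only if the line ends here. */
        int c = fgetc(in);
        if (c != EOF && c != '\n' && c != '\r') {
            memset(buf, 0, (size_t)size); /* refuse a truncated pass phrase */
            return -1;
        }
    }
    buf[len] = '\0';
    return len > 0 ? (int)len : -1; /* empty output counts as failure */
}

/* Same signature as the callback on the page (OpenSSL's pem_password_cb).
 * Assumption: userdata is the command string itself. */
int passphrase_cb_exec(char *buf, int size, int rwflag, void *userdata)
{
    const char *cmd = userdata;
    (void)rwflag; /* 0 when decrypting a key that is being read */
    if (cmd == NULL || buf == NULL || size < 2)
        return -1;
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    int n = read_passphrase(p, buf, size);
    if (pclose(p) != 0 || n <= 0) { /* helper failed: discard partial output */
        memset(buf, 0, (size_t)size);
        return -1;
    }
    return n;
}
```

Because the only copy of the pass phrase lives in OpenSSL's buffer, there is no second heap or stack copy to scrub, and every failure path zeroes that buffer before returning.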
