Svein E. Seldal wrote:
Hello,

I'm using your Crypt::SSLeay, and I'm very happy this works. Thank you very much for this!!

We have this intraweb-server that requires the clients to be authenticated with the means of client certificates. These client certificates are distributed to the users in PKCS12 keybags. Each bag contains the user's private key, the user's cert, the web-server cert and the CA's cert.

1) Is the PEM pass phrase password dialogue (when $ENV{HTTPS_KEY_FILE} is used) safe? Is it stored in any environment variable which makes it unsafe?

I have been testing Crypt::SSLeay with the PKCS12 files mentioned above, but it doesn't seem to work unless you specify $ENV{HTTPS_PKCS12_PASSWORD}. No password input dialogue is shown. Nor do I want to create my own password input routine and store it in this environment variable, because of the security issues involved.


Sorry, since this message did not have Crypt::SSLeay in the subject, I missed it earlier, but just saw it now in the archives.

With regards to the security issue of setting something in %ENV,
you might try

local $ENV{HTTPS_PKCS12_PASSWORD} = ...

It may be that this will not actually set this in such a way as there
may be a security risk, I am not sure.

There is a limit in the message passing interface down to Net::SSL
of Crypt::SSLeay, mostly because we have never had a nice API to pass
arguments down through LWP to the Net::SSL object that gets created.
So we pass all the configuration through %ENV unfortunately.

Regards,

Josh
________________________________________________________________
Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.                http://www.chamas.com
NodeWorks Link Checker                 http://www.nodeworks.com
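The following is an added example (not code from the thread, from Crypt::SSLeay or from Josh) of the approach suggested above: prompting for the PKCS12 password at the terminal and placing it in %ENV with `local` only for the duration of one request, so the variable is removed from the environment as soon as the enclosing block exits. It assumes a Unix host with `stty` available for the no-echo prompt, and a current LWP, where `PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL` is needed to make LWP use Crypt::SSLeay's Net::SSL rather than IO::Socket::SSL; the URL and file name are placeholders. The caveat a practitioner should keep in mind is that `local` does not make the value invisible: any child process spawned inside the block (a `system` or backtick call) inherits the variable, so nothing else should be executed while it is set.

```perl
#!/usr/bin/perl
# Added example: scoped use of HTTPS_PKCS12_PASSWORD with Crypt::SSLeay.
# Assumptions (not from the original thread): Unix, stty on the PATH,
# Crypt::SSLeay and LWP installed, placeholder URL and .p12 file name.
use strict;
use warnings;
use LWP::UserAgent;

# Make LWP use Crypt::SSLeay's Net::SSL (needed on current LWP versions;
# older LWP used Crypt::SSLeay unconditionally). Set once, before any
# HTTPS request is made.
$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'Net::SSL';

# Read a password from the terminal without echoing it. Term::ReadKey
# would be nicer but is not part of core Perl, so this shells out to stty.
sub read_password {
    my ($prompt) = @_;
    print STDERR $prompt;
    system 'stty', '-echo';            # disable echo
    my $pw = <STDIN>;
    system 'stty', 'echo';             # restore echo even if input was empty
    print STDERR "\n";
    chomp $pw if defined $pw;
    return $pw;
}

# Perform one request with the client certificate from a PKCS12 keybag.
# The password lives in %ENV only while this subroutine is running:
# 'local' restores the previous (non-existent) value on exit, including
# on die(). Do NOT spawn child processes in here; they would inherit it.
sub fetch_with_client_cert {
    my ($url, $p12_file, $password) = @_;
    local $ENV{HTTPS_PKCS12_FILE}     = $p12_file;
    local $ENV{HTTPS_PKCS12_PASSWORD} = $password;

    my $ua  = LWP::UserAgent->new(timeout => 30);
    my $res = $ua->get($url);
    return $res;
}

# Best-effort scrub of the password string in memory. Perl gives no
# guarantee that no other copy exists, but overwriting the buffer in
# place avoids leaving the obvious one around.
sub scrub {
    my ($ref) = @_;
    substr($$ref, 0, length $$ref) = "\0" x length $$ref if defined $$ref;
    undef $$ref;
}

my $url  = 'https://intraweb.example/';     # placeholder
my $p12  = 'user.p12';                      # placeholder keybag path
my $pass = read_password("PKCS12 password for $p12: ");

my $res = fetch_with_client_cert($url, $p12, $pass);
scrub(\$pass);

# Check that the variable really is gone once the scope has been left.
die "HTTPS_PKCS12_PASSWORD leaked into the environment\n"
    if exists $ENV{HTTPS_PKCS12_PASSWORD};

print $res->is_success ? $res->decoded_content : $res->status_line, "\n";
```

Because the variables are set through `local`, the `exists` check after the call is the test that matters: if it fails, something in the request path has copied the value back into the process environment. Note that a TLS handshake failure from a wrong password surfaces from LWP as a 500-level response with the SSL error in the status line, not as a Perl exception, so the status line is worth printing when debugging.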


