[PATCH] Add TLS-SRP (RFC 5054) support to mod_ssl
Posted at: https://issues.apache.org/bugzilla/show_bug.cgi?id=51075

TLS-SRP (RFC 5054)[1] is an implementation of the Secure Remote Password (SRP)[2] protocol as a key exchange method for TLS. It uses a shared secret derived from a user's password to supplement or replace third-party certificates in authenticating a TLS connection.

This patch adds TLS-SRP support to mod_ssl, adds two new directives (SSLSRPVerifierFile and SSLSRPUnknownUserSeed), adds two new SSL env vars (SSL_SRP_USER and SSL_SRP_USERINFO), and includes basic documentation. The TLS-SRP-specific code uses preprocessor guards on OPENSSL_NO_SRP and is enabled only if OpenSSL >= 1.0.1, which is the first version of OpenSSL that will include SRP support[3].

To use this patch:

(1) install OpenSSL 1.0.1;
(2) create an OpenSSL SRP verifier (passwd) file with `openssl srp -srpvfile passwd.srpv -add username`;
(3) specify this file in the server config with:

    SSLSRPVerifierFile /path/to/passwd.srpv

(4) optionally, for easier testing, force the use of SRP:

    SSLCipherSuite !DSS:!aRSA:SRP

To test the TLS-SRP functionality, use gnutls-cli or a version of cURL with TLS-SRP support:

    gnutls-cli --srpusername user --srppasswd secret host
    curl --tlsuser user --tlspassword secret -k https://host

TLS-SRP support for Apache is already provided by mod_gnutls[4]. Now that PAKE patents have expired and the security of CAs is increasingly being doubted, TLS-SRP is gaining wider acceptance. GnuTLS, mod_gnutls, and TLSLite have supported it for years; cURL since February; OpenSSL will support it in the next release; and I have also assembled patches[5] for Chrome, Firefox, and NSS.

This patch was originally created by Christophe Renou and Peter Sylvester of EdelWeb. I updated it to work with Apache 2's mod_ssl.

Bugzilla entry: https://issues.apache.org/bugzilla/show_bug.cgi?id=51075
Patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26892

[1] http://tools.ietf.org/html/rfc5054
[2] http://srp.stanford.edu/
[3] http://cvs.openssl.org/chngview?cn=20484
[4] http://trustedhttp.org/wiki/TLS-SRP_in_Apache_mod_gnutls
[5] http://trustedhttp.org/
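To make concrete what the verifier file created in step (2) holds and what the server and client compute during the handshake, here is an added walk-through of the RFC 5054 SRP-6a exchange in Python; it is constructed for this thread and is not code from the mod_ssl patch or from OpenSSL. It assumes the 1024-bit group from RFC 5054 Appendix A, SHA-1 as the RFC specifies, and a constructed salt and password.

```python
"""SRP-6a key exchange as in RFC 5054 (TLS-SRP). Constructed example,
not the mod_ssl patch or OpenSSL code; uses the RFC's 1024-bit group."""
import hashlib
import secrets

# RFC 5054 Appendix A, 1024-bit group (g = 2)
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # width used by PAD()

def pad(n: int) -> bytes:
    """PAD(): big-endian encoding of n, left-padded to the length of N."""
    return n.to_bytes(N_LEN, "big")

def H(*parts: bytes) -> int:
    """SHA-1 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def derive_x(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I | ":" | P)); only the client ever computes this."""
    return H(salt, hashlib.sha1(f"{username}:{password}".encode()).digest())

def make_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N: what the SRP verifier (passwd) file stores per user."""
    return pow(g, derive_x(username, password, salt), N)

def tls_srp_exchange(username: str, password: str, salt: bytes, v: int) -> tuple:
    """Run one handshake; return (client_premaster, server_premaster)."""
    k = H(pad(N), pad(g))
    # Ephemeral secrets and the public values sent in the KeyExchange messages
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    B = (k * v + pow(g, b, N)) % N
    # RFC 5054 requires both sides to abort on a public value that is 0 mod N;
    # accepting one would let a peer force a predictable premaster secret.
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal SRP public value")
    u = H(pad(A), pad(B))
    # Client side: holds the password, so it can recompute x
    x = derive_x(username, password, salt)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: knows only the stored verifier v, never the password
    s_server = pow(A * pow(v, u, N), b, N)
    return s_client, s_server
```

Both sides arrive at the same premaster secret only when the client's password matches the stored verifier; a wrong password yields mismatched values and the Finished messages fail, which is how TLS-SRP authenticates without a certificate.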
Re: [PATCH] Add TLS-SRP (RFC 5054) support to mod_ssl
This is excellent news!

On Apr 17, 2011 5:48 PM, Quinn Slack s...@cs.stanford.edu wrote: