Re: How works the 'SSLPassPhraseDialog'

2000-03-28 Thread Jan Meijer

> Yes, you are missing something. The message before mine, to be more
> specific. A subscriber asked how to run Apache automatically (probably
> from his rc.d or init.d scripts), and was answered that he should
> write a program to supply this password to Apache. So I responded with
> my message, that having such a program makes PEM encryption useless.

Clear.  Sorry.

Jan
-- 
alive=true
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: How works the 'SSLPassPhraseDialog'

2000-03-25 Thread R. DuFresne

On Fri, 24 Mar 2000, Eli Marmor wrote:

> Jan Meijer wrote:
> >
> > > A hacker can copy your key, no matter if it is encrypted or not; It
> > > will just spend one more minute for him.
> >
> > Perhaps I'm missing something here, but if your key is encrypted and the
> > only way to decrypt it is to actually enter the passphrase manually (e.g. no
> > automatic start-up) the hacker can steal all he wants, but needs to trojan
> > some things as well to actually get to your key (unless of course you
> > encrypted it with 40 bits des, but only someone in the wrong country would
> > do that).
>
> Yes, you are missing something. The message before mine, to be more
> specific. A subscriber asked how to run Apache automatically (probably
> from his rc.d or init.d scripts), and was answered that he should
> write a program to supply this password to Apache. So I responded with
> my message, that having such a program makes PEM encryption useless.
>

the hacker might just pop into yer box, and scarf up the passphrase from
the file ya made to do the auto run, this is always considered a flaw in
security, no different than making a script that sends a password to auto
telnet/ftp to some account of yers.  Secured server recycles should not be
totally automated, some things are best left to be done by hand, either
from the console, or via a ssh connection.

Remember, if yer offering up anything but static pages, any kind of active
content, your web server farm is most likely vulnerable, and the main
point of entry into the rest of your network.

I'm sure that most folks reading this list also subscribe to the bugtraq
list and others for security measures, and to keep up to date, and most
have their web servers tightly backed up for reinstalls on compromise, yes?

Thanks,

Ron DuFresne
-- 
~~
admin  senior consultant:  darkstar.sysinfo.com
  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: How works the 'SSLPassPhraseDialog'

2000-03-24 Thread Jan Meijer

> A hacker can copy your key, no matter if it is encrypted or not; It
> will just spend one more minute for him.

Perhaps I'm missing something here, but if your key is encrypted and the
only way to decrypt it is to actually enter the passphrase manually (e.g. no
automatic start-up) the hacker can steal all he wants, but needs to trojan
some things as well to actually get to your key (unless of course you
encrypted it with 40 bits des, but only someone in the wrong country would
do that).

Jan


-- 
alive=true



RE: How works the 'SSLPassPhraseDialog'

2000-03-23 Thread Francisco Javier Martínez Martínez

Hello.
Where and how do I put the two arguments ('the first is of the form
``servername:portnumber'', the second is either ``RSA'' or ``DSA''')? It is
not quite clear to me, and I suspect there must be more people like me.
And as you said, this is a security matter, since the private password could
be compromised, so would you please explain (with an example if possible)
how it works.
Thank you in advance.
- Original Message -
From: Ralf S. Engelschall [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 22, 2000 8:33 PM
Subject: Re: How works the 'SSLPassPhraseDialog'


> On Wed, Mar 22, 2000, Francisco Javier Martínez Martínez wrote:
>
> > I had noticed that I could give the password of the private key of the
> > server with the 'SSLPassPhraseDialog' with no human interaction in the
> > server start-up, with the directive 'exec:/path/to/program', but I don't
> > have any idea of this program. Would you please post an example of this
> > program to take it as a pattern to make my customized one.
>
> The user manual makes it pretty clear how this program has to look,
> doesn't it?
>
> | exec:/path/to/program
> | Here an external program is configured which is called at startup for each
> | encrypted Private Key file. It is called with two arguments (the first is of the
> | form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''), which
> | indicate for which server and algorithm it has to print the corresponding Pass
> | Phrase to stdout. [...]
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com



RE: How works the 'SSLPassPhraseDialog'

2000-03-23 Thread Steve Fairhead

Jan Dries said:

> For example in C:
> #include <stdio.h>
> int main(int argc, char** argv)
> {
>     printf("xx"); // replace xx with your actual password.
>     return 0;
> }


Minor point, and perhaps off-topic here, but I'd strongly suggest avoiding
such uses of the printf statement in general. Use the puts() statement if
possible, or consider instead:
printf( "%s", "xx" ); // replace xx with your actual password.

This avoids any possible misinterpretation of arbitrary string "xx" as a
formatting string, and hence unexpected (and possibly unhandled) runtime
crashes.

Steve
(proponent of defensive C :-)

--
Steve Fairhead - SFD - Solutions by Design
   www: http://www.sfdesign.co.uk
--



How works the 'SSLPassPhraseDialog'

2000-03-22 Thread Francisco Javier Martínez Martínez



Hello
I had noticed that I could give the password of the private key of the
server with the 'SSLPassPhraseDialog' with no human interaction in the
server start-up, with the directive 'exec:/path/to/program', but I don't
have any idea of this program. Would you please post an example of this
program to take it as a pattern to make my customized one.
Thanks in advance.


Re: How works the 'SSLPassPhraseDialog'

2000-03-22 Thread Ralf S. Engelschall

On Wed, Mar 22, 2000, Francisco Javier Martínez Martínez wrote:

> I had noticed that I could give the password of the private key of the
> server with the 'SSLPassPhraseDialog' with no human interaction in the
> server start-up, with the directive 'exec:/path/to/program', but I don't
> have any idea of this program. Would you please post an example of this
> program to take it as a pattern to make my customized one.

The user manual makes it pretty clear how this program has to look, doesn't it?

| exec:/path/to/program
| Here an external program is configured which is called at startup for each
| encrypted Private Key file. It is called with two arguments (the first is of the
| form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''), which
| indicate for which server and algorithm it has to print the corresponding Pass
| Phrase to stdout. [...]
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: How works the 'SSLPassPhraseDialog'

2000-03-22 Thread Jan Dries

The program is any program that outputs the password to the standard
output, that is to the screen.

For example in C:
#include <stdio.h>
int main(int argc, char** argv)
{
    printf("xx"); // replace xx with your actual password; mod_ssl reads it from stdout
    return 0;
}

Another possibility is to use an executable script that just echoes the
password. 
If all you're looking for is a way to make Apache start without
intervention, this will do fine.
But in a real world environment where security is a concern, you may
want that program to be more sophisticated.

Regards,
Jan Dries


> Francisco Javier Martínez Martínez wrote:
>
> Hello
> I had noticed that I could give the password of the private key of the
> server with the 'SSLPassPhraseDialog' with no human interaction in the
> server start-up, with the directive 'exec:/path/to/program', but I
> don't have any idea of this program. Would you please post an example
> of this program to take it as a pattern to make my customized one.
> Thanks in advance.



Re: How works the 'SSLPassPhraseDialog'

2000-03-22 Thread Eli Marmor

In short, as I claim always, there is nothing good in PEM, because
you can't eat the cake and have it. You either have an un-encrypted
file, or you have an encrypted file - but with another program that
outputs this password. And you don't have to look for this program -
just look at the appropriate rc.d script...

A hacker can copy your key, no matter if it is encrypted or not; It
will just spend one more minute for him.

The only use for this PEM, is when it is transferred via non-secure
ways, for example when it is e-mailed, or stored in another computer.

Or am I missing anything?
-- 
Eli Marmor