Re: How works the 'SSLPassPhraseDialog'
Yes, you are missing something. The message before mine, to be more specific. A subscriber asked how to run Apache automatically (probably from his rc.d or init.d scripts), and was answered that he should write a program to supply this password to Apache. So I responded with my message, that having such a program makes PEM encryption useless. Clear. Sorry. Jan -- alive=true __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: How works the 'SSLPassPhraseDialog'
On Fri, 24 Mar 2000, Eli Marmor wrote: Jan Meijer wrote: A hacker can copy your key, no matter if it is encrypted or not; It will just spend one more minute for him. Perhaps I'm missing something here, but if your key is encrypted and the only way to decrypt it is to actally enter the passphrase manually (e.g. no automatic start-up) the hacker can steal all he wants, but needs to trojan some things as well to actually get to your key (unless of course you encrypted it with 40 bits des, but only someone in the wrong country would do that). Yes, you are missing something. The message before mine, to be more specific. A subscriber asked how to run Apache automatically (probably from his rc.d or init.d scripts), and was answered that he should write a program to supply this password to Apache. So I responded with my message, that having such a program makes PEM encryption useless. the hacker might just pop into yer box, and scarf up the passphrase from the file ya made to do the auto run, this is always considered a flaw in security, no different then making a script that send a password to auto telnet/ftp to some account of yers. Secured server recycles should not be totally automated, somethings are best left to be done by hand, either from the console, or via a ssh conection. Remember, if yer offering up anything but static pages, any kind of active content, your web serverfarm is most likely vulnerable, and the main point of entry into the rest of your network. I'm sure that most folks reading this list also subscribe to the bugtraq list and others for security measures, and to keep up to date, and most have their web servers tightly backedup for reinstalls on compromise, yes? Thanks, Ron DuFresne -- ~~ admin senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: How works the 'SSLPassPhraseDialog'
A hacker can copy your key, no matter if it is encrypted or not; It will just spend one more minute for him. Perhaps I'm missing something here, but if your key is encrypted and the only way to decrypt it is to actally enter the passphrase manually (e.g. no automatic start-up) the hacker can steal all he wants, but needs to trojan some things as well to actually get to your key (unless of course you encrypted it with 40 bits des, but only someone in the wrong country would do that). Jan -- alive=true __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: How works the 'SSLPassPhraseDialog'
Hello. Where and how I put the two arguments 'the first is of the form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''', It is not clear almost for me and I wonder that there must be some people more. And as you saids this is a secure matter due that the private password could be compromised, if you would please explain (with an example if possible) how it works. Thanks you in advance. - Original Message - From: Ralf S. Engelschall [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 22, 2000 8:33 PM Subject: Re: How works the 'SSLPassPhraseDialog' On Wed, Mar 22, 2000, Francisco Javier Martínez Martínez wrote: I had noticed that I could give the password of the private key fo the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don´t had any idea of this program. Would you please post an example of this program to take it as pattern to make my customized one. The user manual makes it pretty clear how this program has to look, doesn't it? | exec:/path/to/program | Here an external program is configured which is called at startup for each | encrypted Private Key file. It is called with two arguments (the first is of the | form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''), which | indicate for which server and algorithm it has to print the corresponding Pass | Phrase to stdout. [...] Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: How works the 'SSLPassPhraseDialog'
Jan Dries said: For example in C: int main(int argc, char** argv) { printf("xx"); // replace xx with your actual password. return 0; } Minor point, and perhaps off-topic here, but I'd strongly suggest avoiding such uses of the printf statement in general. Use the puts() statement if possible, or consider instead: printf( "%s", "xx" ); // replace xx with your actual password. This avoids any possible misinterpretation of arbitrary string "xx" as a formatting string, and hence unexpected (and possibly unhandled) runtime crashes. Steve (proponent of defensive C :-) -- Steve Fairhead - SFD - Solutions by Design www: http://www.sfdesign.co.uk -- __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
How works the 'SSLPassPhraseDialog'
Hello I had noticed that I could give the password of the private key fo the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don´t had any ideaof this program.Would you please post an example of this program to take it as pattern to make my customized one. Thanks in advance.
Re: How works the 'SSLPassPhraseDialog'
On Wed, Mar 22, 2000, Francisco Javier Martínez Martínez wrote: I had noticed that I could give the password of the private key fo the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don´t had any idea of this program. Would you please post an example of this program to take it as pattern to make my customized one. The user manual makes it pretty clear how this program has to look, doesn't it? | exec:/path/to/program | Here an external program is configured which is called at startup for each | encrypted Private Key file. It is called with two arguments (the first is of the | form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''), which | indicate for which server and algorithm it has to print the corresponding Pass | Phrase to stdout. [...] Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: How works the 'SSLPassPhraseDialog'
The program is any program that outputs the password to the standard output, that is to the screen. For example in C: int main(int argc, char** argv) { printf("xx"); // replace xx with your actual password. return 0; } Another possibility is to use an executable script that just echoes the password. If all you're looking for is a way to make Apache start without intervention, this will do fine. But in a real world environment where security is a concern, you may want that program to be more sophisiticated. Regards, Jan Dries Francisco Javier Martínez Martínez wrote: Hello I had noticed that I could give the password of the private key fo the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don´t had any idea of this program. Would you please post an example of this program to take it as pattern to make my customized one. Thanks in advance. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: How works the 'SSLPassPhraseDialog'
In short, as I claim always, there is nothing good in PEM, because you can't eat the cake and have it. You either have an un-encrypted file, or you have an encrypted file - but with another program that outputs this password. And you don't have to look for this program - just look at the appropriate rc.d script... A hacker can copy your key, no matter if it is encrypted or not; It will just spend one more minute for him. The only use for this PEM, is when it is transferred via non-secure ways, for example when it is e-mailed, or stored in another computer. Or may I miss anything? -- Eli Marmor __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]