Bug#136052: Cannot handle password protected keys

To: submit@bugs.debian.org
Subject: Bug#136052: Cannot handle password protected keys
From: "Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE>
Date: Wed, 27 Feb 2002 14:53:56 +0100
Message-id: <[🔎] 200202271353.g1RDru4W027179@pcrz175.HRZ.Uni-Marburg.DE>
Reply-to: "Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE>, 136052@bugs.debian.org

Package: apache-ssl
Version: 1.3.22.5+1.45-1
Severity: important

Hi,

it seems that apache-ssl/woody cannot handle password protected keys.
I discussed this in debian-security
(http://lists.debian.org/debian-security/2002/debian-security-200202/msg00210.h
tml) . Since no one could point out how to manage the problem, I conclude
that it is a flaw in the apache-ssl package.

Basically apache-ssl starts after prompting for the passphrase and
immediately dies with an error message that indicates that the server
key cannot be read (even if the passphrase was correct). I got this
behaviour on three systems that I upgraded from potato to testing.

How to reproduce the bug:

1. Install apache-ssl "apt-get install apache-ssl/testing" and
   let the postinst script create an selfsigned certificate,
   stored in /etc/apache-ssl/apache.pem

2. Test that the server works fine.

3. With a text editor split apache.pem into the certificate
   (cert.pem) and the key (key.pem). Redirect the symbolic link
   <hash>.0 from apache.pem to cert.pem in /etc/apache-ssl and
   edit httpd.conf:
   SSLCertificateFile /etc/apache-ssl/cert.pem
   SSLCertificateKeyFile /etc/apache-ssl/key.pem
   Make key.pem chmod 600 owned by root:root.

4. Check that the server still works fine.

5. Now provide a passphrase for the key file:
   # openssl rsa -des3 < key.pem > key-crypt.pem
   read RSA key
   writing RSA key
   Enter PEM pass phrase:
   Verifying password - Enter PEM pass phrase:
   # mv key-crypt.pem key.pem

   Make key.pem chmod 600 owned by root:root.

6. Try to start apache-ssl:
   ("/etc/init.d/apache-ssl start" won't work since isn't designed
    to work interactively)
   # /usr/sbin/apache-sslctl start
   Reading key for server <server>:443
   Enter PEM pass phrase:
   <enter passphrase here>
   Launching... /usr/lib/apache-ssl/gcache
   pid=26456
   /usr/sbin/apache-sslctl start: httpsd started

   Seems to be ok, but the server isn't working.

   The error log says something like

[Wed Feb 27 14:43:40 2002] [crit] (22)Invalid argument: Error reading private 
key file /etc/apache-ssl/key.pem:
[Wed Feb 27 14:43:40 2002] [crit] error:0906406D:PEM 
routines:DEF_CALLBACK:problems getting password
[Wed Feb 27 14:43:40 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad
password read

    But the passphrase was ok, you get a warning when you type in
    the wrong passphrase:
    # /usr/sbin/apache-sslctl start
    Reading key for server <server>:443
    Enter PEM pass phrase:
    Bad passphrase - try again
    Enter PEM pass phrase:

I would appreciate if that could be fixed before woody is released.
In many circumstances it is necessary to protect the key not only
by file permissions but also by cryptography.

Cheers, Thomas
   
-- 
Th. Gebhardt (gebhardt@hrz.uni-marburg.de)
---------------------------------------------------------------
HRZ, Hans Meerwein Strasse,        Phone: +49-6421/28-23572
D-35032 Marburg, Germany           Fax  :            -26994

Reply to:

Prev by Date: Bug#135635: apache-ssl: infinate conf directories
Next by Date: [ANNOUNCE] Debian packages for 2.0.32
Previous by thread: Bug#135635: apache-ssl: infinate conf directories
Next by thread: [ANNOUNCE] Debian packages for 2.0.32
Index(es):
- Date
- Thread