Bug#136052: Cannot handle password protected keys
Package: apache-ssl
Version: 1.3.22.5+1.45-1
Severity: important
Hi,
it seems that apache-ssl/woody cannot handle password protected keys.
I discussed this in debian-security
(http://lists.debian.org/debian-security/2002/debian-security-200202/msg00210.html). Since no one could point out how to manage the problem, I conclude
that it is a flaw in the apache-ssl package.
Basically apache-ssl starts after prompting for the passphrase and
immediately dies with an error message that indicates that the server
key cannot be read (even if the passphrase was correct). I got this
behaviour on three systems that I upgraded from potato to testing.
How to reproduce the bug:
1. Install apache-ssl "apt-get install apache-ssl/testing" and
let the postinst script create a self-signed certificate,
stored in /etc/apache-ssl/apache.pem
2. Test that the server works fine.
3. With a text editor split apache.pem into the certificate
(cert.pem) and the key (key.pem). Redirect the symbolic link
<hash>.0 from apache.pem to cert.pem in /etc/apache-ssl and
edit httpd.conf:
SSLCertificateFile /etc/apache-ssl/cert.pem
SSLCertificateKeyFile /etc/apache-ssl/key.pem
Make key.pem chmod 600 owned by root:root.
4. Check that the server still works fine.
5. Now provide a passphrase for the key file:
# openssl rsa -des3 < key.pem > key-crypt.pem
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
# mv key-crypt.pem key.pem
Make key.pem chmod 600 owned by root:root.
6. Try to start apache-ssl:
("/etc/init.d/apache-ssl start" won't work since it isn't designed
to work interactively)
# /usr/sbin/apache-sslctl start
Reading key for server <server>:443
Enter PEM pass phrase:
<enter passphrase here>
Launching... /usr/lib/apache-ssl/gcache
pid=26456
/usr/sbin/apache-sslctl start: httpsd started
Seems to be ok, but the server isn't working.
The error log says something like
[Wed Feb 27 14:43:40 2002] [crit] (22)Invalid argument: Error reading private key file /etc/apache-ssl/key.pem:
[Wed Feb 27 14:43:40 2002] [crit] error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
[Wed Feb 27 14:43:40 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad password read
But the passphrase was OK; you get a warning when you type in
the wrong passphrase:
# /usr/sbin/apache-sslctl start
Reading key for server <server>:443
Enter PEM pass phrase:
Bad passphrase - try again
Enter PEM pass phrase:
I would appreciate it if that could be fixed before woody is released.
In many circumstances it is necessary to protect the key not only
by file permissions but also by cryptography.
Cheers, Thomas
--
Th. Gebhardt (gebhardt@hrz.uni-marburg.de)
---------------------------------------------------------------
HRZ, Hans Meerwein Strasse, Phone: +49-6421/28-23572
D-35032 Marburg, Germany Fax : -26994
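The manual split in step 3 and the key encryption in step 5, followed by a check that the encrypted key really decrypts with its passphrase and matches the certificate, as an added shell example (not from the bug report or the apache-ssl package; file names and the passphrase are assumptions, and -aes256 replaces the report's -des3):

```shell
#!/bin/sh
# Added example, not part of the bug report: automate steps 3 and 5 above and
# verify the encrypted key outside apache-ssl, so a startup failure can be
# attributed to the server rather than to the key or the passphrase.
# File names and the passphrase are assumptions.
set -e

# Copy the CERTIFICATE block of $1 to $2 and the PRIVATE KEY block to $3.
split_pem() {
    awk -v cert="$2" -v key="$3" '
        /^-----BEGIN .*CERTIFICATE-----$/ { out = cert }
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
        out != ""                         { print > out }
        /^-----END /                      { out = "" }
    ' "$1"
}

# Replace the plaintext key in $1 with a passphrase-protected copy (mode 600).
# The report used -des3; -aes256 is the stronger choice with current OpenSSL.
encrypt_key() {
    ( umask 077; openssl rsa -aes256 -in "$1" -passout "pass:$2" -out "$1.tmp" )
    mv "$1.tmp" "$1"
}

# Succeed only if key $1 decrypts with passphrase $2 and belongs to cert $3,
# which is the same thing apache-ssl has to manage at startup.
check_key() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -check >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus)
    cmod=$(openssl x509 -in "$3" -noout -modulus)
    [ "$kmod" = "$cmod" ]
}

# Usage (hypothetical paths): sh split-and-check.sh /etc/apache-ssl/apache.pem 'passphrase'
if [ $# -eq 2 ]; then
    dir=$(dirname "$1")
    split_pem "$1" "$dir/cert.pem" "$dir/key.pem"
    encrypt_key "$dir/key.pem" "$2"
    if check_key "$dir/key.pem" "$2" "$dir/cert.pem"; then
        echo "key.pem decrypts with this passphrase and matches cert.pem"
    else
        echo "key.pem does not decrypt with this passphrase or does not match cert.pem" >&2
        exit 1
    fi
fi
```

If check_key succeeds but apache-sslctl still logs "bad password read", the key and passphrase are fine and the fault lies in the server's passphrase handling, as the report concludes.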