
Bug#136052: marked as done (Cannot handle password protected keys)



Your message dated Thu, 30 Oct 2003 20:57:55 +0100 (CET)
with message-id <Pine.LNX.4.58.0310302055430.13268@trider-g7.ext.fabbione.net>
and subject line closing bugs
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Feb 2002 13:54:34 +0000
>From gebhardt@hrz.uni-marburg.de Wed Feb 27 07:54:34 2002
Return-path: <gebhardt@hrz.uni-marburg.de>
Received: from hrz.uni-marburg.de [137.248.3.16] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16g4XS-0001KQ-00; Wed, 27 Feb 2002 07:54:34 -0600
Received: from pcrz175.HRZ.Uni-Marburg.DE (pcrz175.HRZ.Uni-Marburg.DE [137.248.3.134])
	by HRZ.Uni-Marburg.DE (8.11.2/8.11.2) with ESMTP id g1RDrvQ33666
	for <submit@bugs.debian.org>; Wed, 27 Feb 2002 14:53:57 +0100
Received: from hrz.uni-marburg.de (localhost [127.0.0.1])
	by pcrz175.HRZ.Uni-Marburg.DE (8.12.1/8.12.1/Debian -5) with ESMTP id g1RDru4W027179
	for <submit@bugs.debian.org>; Wed, 27 Feb 2002 14:53:56 +0100
Message-Id: <200202271353.g1RDru4W027179@pcrz175.HRZ.Uni-Marburg.DE>
X-Mailer: exmh version 2.3.1 01/18/2001 (debian 2.3.1-1) with nmh-1.0.4+dev
To: submit@bugs.debian.org
Subject: Cannot handle password protected keys
From: "Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE>
X-Pmrqc: 1
X-Confirm-Reading-To: gebhardt@hrz.uni-marburg.de
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 27 Feb 2002 14:53:56 +0100
Sender: gebhardt@HRZ.Uni-Marburg.DE
X-MailScanner: Found to be clean
Delivered-To: submit@bugs.debian.org

Package: apache-ssl
Version: 1.3.22.5+1.45-1
Severity: important

Hi,

it seems that apache-ssl/woody cannot handle password protected keys.
I discussed this in debian-security
(http://lists.debian.org/debian-security/2002/debian-security-200202/msg00210.html). Since no one could point out how to manage the problem, I conclude
that it is a flaw in the apache-ssl package.

Basically apache-ssl starts after prompting for the passphrase and
immediately dies with an error message that indicates that the server
key cannot be read (even if the passphrase was correct). I got this
behaviour on three systems that I upgraded from potato to testing.

How to reproduce the bug:

1. Install apache-ssl "apt-get install apache-ssl/testing" and
   let the postinst script create a self-signed certificate,
   stored in /etc/apache-ssl/apache.pem

2. Test that the server works fine.

3. With a text editor split apache.pem into the certificate
   (cert.pem) and the key (key.pem). Redirect the symbolic link
   <hash>.0 from apache.pem to cert.pem in /etc/apache-ssl and
   edit httpd.conf:
   SSLCertificateFile /etc/apache-ssl/cert.pem
   SSLCertificateKeyFile /etc/apache-ssl/key.pem
   Make key.pem chmod 600 owned by root:root.

4. Check that the server still works fine.

5. Now provide a passphrase for the key file:
   # openssl rsa -des3 < key.pem > key-crypt.pem
   read RSA key
   writing RSA key
   Enter PEM pass phrase:
   Verifying password - Enter PEM pass phrase:
   # mv key-crypt.pem key.pem

   Make key.pem chmod 600 owned by root:root.

6. Try to start apache-ssl:
   ("/etc/init.d/apache-ssl start" won't work since it isn't designed
    to work interactively)
   # /usr/sbin/apache-sslctl start
   Reading key for server <server>:443
   Enter PEM pass phrase:
   <enter passphrase here>
   Launching... /usr/lib/apache-ssl/gcache
   pid=26456
   /usr/sbin/apache-sslctl start: httpsd started

   Seems to be ok, but the server isn't working.

   The error log says something like

[Wed Feb 27 14:43:40 2002] [crit] (22)Invalid argument: Error reading private key file /etc/apache-ssl/key.pem:
[Wed Feb 27 14:43:40 2002] [crit] error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
[Wed Feb 27 14:43:40 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad password read

    But the passphrase was ok, you get a warning when you type in
    the wrong passphrase:
    # /usr/sbin/apache-sslctl start
    Reading key for server <server>:443
    Enter PEM pass phrase:
    Bad passphrase - try again
    Enter PEM pass phrase:

I would appreciate it if that could be fixed before woody is released.
In many circumstances it is necessary to protect the key not only
by file permissions but also by cryptography.

Cheers, Thomas
   
-- 
Th. Gebhardt (gebhardt@hrz.uni-marburg.de)
---------------------------------------------------------------
HRZ, Hans Meerwein Strasse,        Phone: +49-6421/28-23572
D-35032 Marburg, Germany           Fax  :            -26994
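The reproduction steps above split apache.pem by hand and encrypt the key with `openssl rsa -des3`, then rely on the server to tell whether the passphrase works. The script below is an added example and not part of the bug report or of the apache-ssl package: it performs the same split and encryption with openssl(1) alone and then verifies the encrypted key outside the web server, so a bad key file can be told apart from a server-side passphrase problem like the one reported. It assumes openssl is on PATH; the temporary paths, the demo subject name and both passphrases are constructed, and it uses `-aes256` where the report used `-des3`.

```sh
#!/bin/sh
# Added example, not part of the bug report: rehearse the reporter's
# steps 3 and 5 with openssl(1) only and verify the encrypted key outside
# the web server. Assumes openssl is on PATH; every path, the subject
# name and both passphrases below are constructed for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 3 without a text editor: openssl picks the first block of the
# requested type out of a combined certificate+key PEM file.
split_bundle() { # $1=combined.pem $2=cert.pem $3=key.pem
    openssl x509 -in "$1" -out "$2"
    openssl pkey -in "$1" -out "$3"
    chmod 600 "$3"
}

# Step 5: encrypt the key under a passphrase. The report used -des3;
# AES-256 is used here. Reading the passphrase from a file keeps it out
# of the process list and lets the same file drive the checks below.
encrypt_key() { # $1=plain key $2=encrypted key $3=passphrase file
    openssl rsa -aes256 -in "$1" -out "$2" -passout "file:$3"
    chmod 600 "$2"
}

# Succeeds only if the key decrypts and passes openssl's consistency check.
# Run this before pointing SSLCertificateKeyFile at the file: if it fails,
# the key file or passphrase is wrong; if it passes and the server still
# logs "PEM_do_header:bad password read", the server side is at fault.
key_opens_with() { # $1=encrypted key $2=passphrase file
    openssl rsa -in "$1" -passin "file:$2" -check -noout >/dev/null 2>&1
}

# Succeeds only if the decrypted key and the certificate carry the same
# public key, i.e. the split did not pair the wrong files.
key_matches_cert() { # $1=encrypted key $2=cert $3=passphrase file
    k=$(openssl rsa -in "$1" -passin "file:$3" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed demo material: a throwaway key and a self-signed certificate
# concatenated into one file, like the apache.pem the postinst creates.
openssl genrsa -out "$WORK/plain.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/plain.key" -subj "/CN=demo.example" \
    -days 1 -out "$WORK/demo.crt" 2>/dev/null
cat "$WORK/demo.crt" "$WORK/plain.key" > "$WORK/apache.pem"

printf 'constructed demo passphrase\n' > "$WORK/pass.txt"
printf 'not the passphrase\n' > "$WORK/wrong.txt"
chmod 600 "$WORK/pass.txt" "$WORK/wrong.txt"

split_bundle "$WORK/apache.pem" "$WORK/cert.pem" "$WORK/key.pem"
encrypt_key "$WORK/key.pem" "$WORK/key-crypt.pem" "$WORK/pass.txt"

grep -q ENCRYPTED "$WORK/key-crypt.pem" && echo "key.pem is now encrypted"
key_opens_with "$WORK/key-crypt.pem" "$WORK/pass.txt" \
    && echo "correct passphrase: key readable"
key_opens_with "$WORK/key-crypt.pem" "$WORK/wrong.txt" \
    || echo "wrong passphrase: rejected"
key_matches_cert "$WORK/key-crypt.pem" "$WORK/cert.pem" "$WORK/pass.txt" \
    && echo "key matches cert.pem"
```

The two check functions are the part worth keeping: `key_opens_with` answers the question the reporter had to answer by watching the server die, and `key_matches_cert` catches a split that paired the certificate with the wrong key, which produces a different but equally fatal startup error.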



---------------------------------------
Received: (at 136052-done) by bugs.debian.org; 30 Oct 2003 19:58:10 +0000
>From fabbione@fabbione.net Thu Oct 30 13:58:09 2003
Return-path: <fabbione@fabbione.net>
Received: from port5.ds1-sby.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.169.198] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AFIvn-0006Fr-00; Thu, 30 Oct 2003 13:58:07 -0600
Received: from trider-g7.ext.fabbione.net (unknown [212.242.169.198])
	by trider-g7.fabbione.net (Postfix) with ESMTP id 7BFFC16;
	Thu, 30 Oct 2003 20:58:05 +0100 (CET)
Date: Thu, 30 Oct 2003 20:57:55 +0100 (CET)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@trider-g7.ext.fabbione.net
To: 69122-done@bugs.debian.org, 136052-done@bugs.debian.org,
	215748-done@bugs.debian.org, 216286-done@bugs.debian.org
Subject: closing bugs
Message-ID: <Pine.LNX.4.58.0310302055430.13268@trider-g7.ext.fabbione.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: 136052-done@bugs.debian.org
X-Spam-Status: No, hits=0.0 required=4.0
	tests=none
	version=2.53-bugs.debian.org_2003_10_28
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_10_28 (1.174.2.15-2003-03-30-exp)


Hi,
	due to a typo in the changelog file these bugs have not been
closed automatically. They have been fixed with the apache 1.3.28.0.1-1
upload.

Thanks
Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html


