
Bug#136052: apache-ssl in woody/stable can't use encrypted keys

On Wed, 2002-08-07 at 17:20, Peter Watkins wrote:
> On Wed, Aug 07, 2002 at 05:10:33PM +0200, Christoph Martin wrote:
> > On Sun, 2002-08-04 at 02:13, Peter Watkins wrote:
> > > Hi, we found ourselves wrestling with this bug today after
> > > upgrading a web server from potato to woody. What we ended
> > > up doing, though we wish we didn't have to, is re-writing
> > > the server key *without* a passphrase, and editing httpd.conf
> > > to point to this new, "naked" server key.
> > > Any idea when this might be fixed, or should we be switching
> > > from apache-ssl to some other package, like apache + mod_ssl?
> > 
> > What is the difference in the behaviour of the potato and the woody
> > version of apache-ssl? You can only use encrypted keys with apache-ssl
> > if you manually start the server. Then it would ask you for the key.
> > 
> > But this did not change.
> The difference is that with potato's apache-ssl, we could provide the 
> passphrase when manually starting the server, and it would be accepted.
> Once we upgraded to potato's version of apache-ssl, we could not start the
> server, not even manually, even though we provided the correct passphrase
> (as we had done under potato). Instead we got error messages in the log file
> very much like those reported by Thomas Gebhardt in this bug ticket back in
> February. With woody's apache-ssl, we can only start the httpd if the server
> ssl/tls key lacks a passphrase.

I looked somewhat deeper into that today. Reading of the passphrase for
encrypted keys works in version 1.3.9 of apache-ssl. At least beginning
with version 1.3.12 it stopped working. (I wonder why nobody else found

Some analysis gave me this:

Apache-SSL calls PEM_read_RSAPrivateKey to read the PrivateKey and
specifies no callback to read the passphrase. So the default-callback is
called which prompts "Enter PEM pass phrase:" and reads on /dev/tty.
strace shows that this is called *twice*. Once from the first apache-ssl
process which still has a tty. Here the passphrase is read and checked.
After that apache-ssl forks and tries to read the PrivateKey and
therefore the passphrase again. But this one fails, because there is no
tty. Which results in the following log:

[Thu Aug  8 17:23:11 2002] [crit] (22)Invalid argument: Error reading private key file /etc/apache-ssl/apachek.pem: 
[Thu Aug  8 17:23:11 2002] [crit] error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
[Thu Aug  8 17:23:11 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad password read

strace gives:

19022 open("/dev/tty", O_RDONLY)        = 6
19022 write(2, "Enter PEM pass phrase:", 22) = 22
19022 read(6, "blubberr\n", 4096)       = 9


19024 open("/dev/tty", O_RDONLY)        = -1 ENXIO (No such device or address)
19024 write(2, "Enter PEM pass phrase:", 22) = 22
19024 read(0, "", 4096)                 = 0

Ben, do you know what the problem is?
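An added example, not code from the bug report or from Apache-SSL, showing the pattern that avoids the failure analysed above: read the passphrase once from /dev/tty while the first process still has a controlling terminal, keep it in memory, and supply it through a callback with OpenSSL's pem_password_cb signature instead of relying on the default callback that re-opens /dev/tty. OpenSSL itself is not linked, so the program builds anywhere; the callback type, the simulated detach via setsid(), and the passphrase "blubberr" in the test are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same shape as OpenSSL's pem_password_cb, so cached_passphrase_cb could be
 * passed as the callback argument of PEM_read_PrivateKey(fp, NULL, cb, pw).
 * OpenSSL is deliberately not linked in this example. */
typedef int (*pem_password_cb_t)(char *buf, int size, int rwflag, void *userdata);

/* Strip the trailing newline that read(2) on a terminal leaves behind. */
size_t trim_newline(char *s)
{
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n')
        s[--len] = '\0';
    return len;
}

/* What OpenSSL's default callback does: prompt and read on /dev/tty.
 * Returns the passphrase length, or -1 with errno set (ENXIO once the
 * process has no controlling terminal, exactly as in the strace above). */
int read_passphrase_from_tty(char *buf, int size)
{
    int fd = open("/dev/tty", O_RDONLY);
    ssize_t n;
    if (fd < 0)
        return -1;
    fputs("Enter PEM pass phrase:", stderr);
    fflush(stderr);
    n = read(fd, buf, (size_t)size - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return (int)trim_newline(buf);
}

/* The fix: hand back a passphrase captured earlier (passed via userdata),
 * so no child process ever needs a tty. Returns length or -1. */
int cached_passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    const char *pw = userdata;
    size_t len;
    (void)rwflag;                  /* same answer for reading and writing keys */
    if (pw == NULL || size <= 0)
        return -1;
    len = strlen(pw);
    if (len >= (size_t)size)
        return -1;                 /* would overflow the caller's buffer */
    memcpy(buf, pw, len + 1);
    return (int)len;
}

int main(void)
{
    char pw[256], buf[256];
    int len = read_passphrase_from_tty(pw, sizeof pw);
    if (len < 0) {
        perror("read_passphrase_from_tty");   /* no terminal at all, e.g. cron */
        return 1;
    }
    pid_t child = fork();
    if (child == 0) {
        setsid();   /* detach from the controlling tty, as a daemonizing server does */
        /* Default-callback path now fails the way the log above shows... */
        if (read_passphrase_from_tty(buf, sizeof buf) < 0)
            fprintf(stderr, "\nchild: /dev/tty: %s\n", strerror(errno));
        /* ...while the cached callback still yields the passphrase. */
        int n = cached_passphrase_cb(buf, sizeof buf, 0, pw);
        printf("child: cached callback returned %d bytes\n", n);
        _exit(n > 0 ? 0 : 1);
    }
    int status = 0;
    waitpid(child, &status, 0);
    memset(pw, 0, sizeof pw);   /* scrub the cached passphrase once done */
    return WEXITSTATUS(status);
}
```

The trade-off is that the passphrase lives in the parent's memory for the lifetime of the process (which is also what a key without a passphrase implies, only on disk), so the buffer is scrubbed as soon as the children no longer need it. Run interactively: the parent prompts once, the detached child shows the ENXIO failure and then succeeds through the cached callback.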

