
Bug#136052: apache-ssl in woody/stable can't use encrypted keys



Christoph Martin wrote:
On Wed, 2002-08-07 at 17:20, Peter Watkins wrote:

On Wed, Aug 07, 2002 at 05:10:33PM +0200, Christoph Martin wrote:

On Sun, 2002-08-04 at 02:13, Peter Watkins wrote:

Hi, we found ourselves wrestling with this bug today after
upgrading a web server from potato to woody. What we ended
up doing, though we wish we didn't have to, is re-writing
the server key *without* a passphrase, and editing httpd.conf
to point to this new, "naked" server key.

Any idea when this might be fixed, or should we be switching
from apache-ssl to some other package, like apache + mod_ssl?

What is the difference in the behaviour of the potato and the woody
version of apache-ssl? You can only use encrypted keys with apache-ssl
if you manually start the server. Then it would ask you for the key.
But this did not change.

The difference is that with potato's apache-ssl, we could provide the passphrase when manually starting the server, and it would be accepted.

Once we upgraded to potato's version of apache-ssl, we could not start the
server, not even manually, even though we provided the correct passphrase
(as we had done under potato). Instead we got error messages in the log file
very much like those reported by Thomas Gebhardt in this bug ticket back in
February. With woody's apache-ssl, we can only start the httpd if the server
ssl/tls key lacks a passphrase.


I looked somewhat deeper into that today. Reading of the passphrase for
encrypted keys works in version 1.3.9 of apache-ssl. At least beginning
with version 1.3.12 it stopped working. (I wonder why nobody else found
this).
Some analysis gave me this:

Apache-SSL calls PEM_read_RSAPrivateKey to read the PrivateKey and
specifies no callback to read the passphrase. So the default callback is
called, which prompts "Enter PEM pass phrase:" and reads on /dev/tty.
strace shows that this is called *twice*. Once from the first apache-ssl
process, which still has a tty. Here the passphrase is read and checked.
After that apache-ssl forks and tries to read the PrivateKey, and
therefore the passphrase, again. But this one fails because there is no
tty, which results in the following log:

[Thu Aug 8 17:23:11 2002] [crit] (22)Invalid argument: Error reading private key file /etc/apache-ssl/apachek.pem: [Thu Aug 8 17:23:11 2002] [crit] error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
[Thu Aug  8 17:23:11 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad password read

strace gives:

19022 open("/dev/tty", O_RDONLY)        = 6
19022 write(2, "Enter PEM pass phrase:", 22) = 22
19022 read(6, "blubberr\n", 4096)       = 9

and

19024 open("/dev/tty", O_RDONLY)        = -1 ENXIO (No such device or address)
19024 write(2, "Enter PEM pass phrase:", 22) = 22
19024 read(0, "", 4096)                 = 0

Ben, do you know what the problem is?

The Apache configuration is read twice, once before detaching and once after. So, the second passphrase read is caused by the second config read. Of course, it'll also fail if Apache is restarted, which is why my advice is normally to not have a passphrase on the key (since it's stored in memory in the Apache process, the value of passphrasing it is dubious in any case).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
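
The failure Christoph traced (the default PEM password callback prompting on /dev/tty from a process that no longer has one) and the non-interactive alternative are easy to see with the openssl command line. The following is an added example written for this page; it is not code from the bug report, from apache-ssl or from Debian. It assumes the openssl command is installed; the key path, passphrase file and passphrase are constructed for the demo, and the no-tty reproduction uses setsid(1) to give the loading process a session without a controlling terminal, as a detached daemon has.

```shell
#!/bin/sh
# Added example (not from the bug report or apache-ssl): load an encrypted PEM
# key non-interactively with the passphrase taken from an owner-only file, and
# reproduce the thread's failure by loading it with no controlling terminal.
# Requires the openssl command. Paths and the passphrase are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/server-key.pem"        # hypothetical key path (not the report's apachek.pem)
PASSFILE="$WORK/key-passphrase"   # hypothetical passphrase file, mode 0600
PASS='demo-passphrase-only'       # constructed passphrase for the demo key

# Create an AES-256 encrypted RSA key and a passphrase file readable only by
# its owner, i.e. the user that starts the daemon.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null || return 1
    ( umask 077 && printf '%s\n' "$PASS" > "$PASSFILE" )
}

# Non-interactive load: -passin file: supplies the passphrase, so no tty is
# needed and a later re-read (a second config pass, or a restart) works too.
load_with_passfile() {
    openssl pkey -in "$KEY" -passin "file:$PASSFILE" -noout 2>/dev/null
}

# Wrong passphrase: decryption fails, which is what the report's
# "bad password read" error boils down to.
load_with_wrong_pass() {
    openssl pkey -in "$KEY" -passin pass:not-the-passphrase -noout 2>/dev/null
}

# Reproduce the bug: with no passphrase source, openssl prompts on /dev/tty.
# setsid gives the child a new session with no controlling terminal, so
# open("/dev/tty") fails (ENXIO, as in the strace), the fallback read on stdin
# gets EOF from /dev/null, and the load fails. Returns 2 when setsid is not
# installed so the step is reported as skipped rather than as a result.
load_without_tty() {
    command -v setsid >/dev/null 2>&1 || return 2
    setsid -w openssl pkey -in "$KEY" -noout </dev/null >/dev/null 2>&1
}

# Print the exit status of each step for someone running this at a terminal.
report() {
    name=$1; shift
    if "$@"; then echo "$name: ok (exit 0)"; else echo "$name: failed (exit $?)"; fi
}

if command -v openssl >/dev/null 2>&1; then
    make_encrypted_key
    report load_with_passfile   load_with_passfile
    report load_with_wrong_pass load_with_wrong_pass
    report load_without_tty     load_without_tty
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The passphrase file is the same mechanism a startup script would use to feed a daemon that never sees a tty; the trade-off is the one Ben states: whoever can read the passphrase file, or the memory of the running server, has the key regardless, so an encrypted key plus an owner-only passphrase file mainly protects backups and stray copies of the key file, not the live process.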



