[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#136052: apache-ssl in woody/stable can't use encrypted keys

Christoph Martin wrote:
Hi Ben,

Am Fre, 2002-09-27 um 15.55 schrieb Ben Laurie:

Thomas Gebhardt wrote:

Hi Ben,

The Apache configuration is read twice, once before detaching and once after. So, the second passphrase read is caused by the second config read. Of course, it'll also fail if Apache is restarted, which is why my advice is normally to not have a passphrase on the key (since its stored in memory in the Apache process, the value of passphrasing it is dubious in any case).

Isn't this the problem here? You said the configuration is read a second
time after detaching. And after detaching there is no tty to read from.

So I'm trying to figure out what to do. As Christoph pointed out,
the problem arises from reading the config file while already
being detached from the tty. Could you give us a hint how to fix
that? Which change in the code might have broken it? Password
protected keys worked well with potato apache-ssl and still work
with our Apache/1.3.26 Ben-SSL/1.48 (AIX) server, so there
seems to be a chance to fix the flaw in debian

I've lost the context here - wasn't this the problem that turned out to be some library closing stdin (in which case, even if I stop Apache-SSL from dying, you are still screwed, coz there's nowhere to read the passphrase from)? Or am I confused?

See above. How can you read from a tty if you have already detached?

OK, you should be able to disable this behaviour by compiling with NO_SETSID.

I _used_ to have some magic to avoid reading the key on the second initialisation, but it was fragile, and I guess no longer works.

In general, we advise against using passphrases because you can't protect the key with them (its in memory, decrypted, anyway), so any benefit they provide is pretty much illusory.



http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Reply to: