» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.
Linux Archive > ArchLinux > ArchLinux General Discussion

Old 01-15-2012, 10:09 AM
Audric Schiltknecht
 
Default Lighttpd and passphrase protected SSL certificate

Hi guys,

I have just switched my webserver from Debian to Arch. However, I ran into
some tricks with one of my sites which uses a passphrase-protected SSL
certificate. Indeed, because of the way lighttpd is currently started, it
is not possible to enter the passphrase for such certificates.
For the moment, I have to start lighttpd without using its rc script, which
saddens me a little.

Do you guys think this is worth opening a feature request in the Arch
bugtracker?

Thanks,
Audric
 
Old 01-15-2012, 12:11 PM
Sven-Hendrik Haase
 
Default Lighttpd and passphrase protected SSL certificate

Audric Schiltknecht <chemicalstorm@gmail.com> wrote:

>Hi guys,
>
>I have just switched my webserver from Debian to Arch. However, I ran
>into
>some tricks with one of my sites which uses a passphrase-protected SSL
>certificate. Indeed, because of the way lighttpd is currently started,
>it
>is not possible to enter the passphrase for such certificates.
>For the moment, I have to start lighttpd without using its rc script,
>which
>saddens me a little.
>
>Do you guys think this is worth opening a feature request in the Arch
>bugtracker?
>
>Thanks,
>Audric

Depends. How does upstream suggest it to be done?

If, upstream, it should be entered during startup and our script doesn't allow for that, then a bug report is the way to go.

-- Sven-Hendrik
 
Old 01-15-2012, 03:38 PM
Audric Schiltknecht
 
Default Lighttpd and passphrase protected SSL certificate

On 15 January 2012 at 14:11, Sven-Hendrik Haase <sh@lutzhaase.com> wrote:

> Audric Schiltknecht <chemicalstorm@gmail.com> wrote:
>
> >Hi guys,
> >
> >I have just switched my webserver from Debian to Arch. However, I ran
> >into
> >some tricks with one of my sites which uses a passphrase-protected SSL
> >certificate. Indeed, because of the way lighttpd is currently started,
> >it
> >is not possible to enter the passphrase for such certificates.
> >For the moment, I have to start lighttpd without using its rc script,
> >which
> >saddens me a little.
> >
>
> Depends. How does upstream suggest it to be done?
>

Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
the SSL password must be entered manually on each lighttpd start (or to
remove the password from the key file, which I don't want to do).


> If, upstream, it should be entered during startup and our script doesn't
> allow for that, then a bug report is the way to go.
>

OK, so I will file a bug.

Thanks !
 
Old 01-15-2012, 03:40 PM
Sven-Hendrik Haase
 
Default Lighttpd and passphrase protected SSL certificate

On 01/15/2012 05:38 PM, Audric Schiltknecht wrote:
> On 15 January 2012 at 14:11, Sven-Hendrik Haase <sh@lutzhaase.com> wrote:
>
>> Audric Schiltknecht <chemicalstorm@gmail.com> wrote:
>>
>>> Hi guys,
>>>
>>> I have just switched my webserver from Debian to Arch. However, I ran
>>> into
>>> some tricks with one of my sites which uses a passphrase-protected SSL
>>> certificate. Indeed, because of the way lighttpd is currently started,
>>> it
>>> is not possible to enter the passphrase for such certificates.
>>> For the moment, I have to start lighttpd without using its rc script,
>>> which
>>> saddens me a little.
>>>
>> Depends. How does upstream suggest it to be done?
>>
> Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
> the SSL password must be entered manually on each lighttpd start (or to
> remove the password from the key file, which I don't want to do).
>
>
>> If, upstream, it should be entered during startup and our script doesn't
>> allow for that, then a bug report is the way to go.
>>
> OK, so I will file a bug.
>
> Thanks !
If this was added to the rc.d file and you start the server at boot, it
would hang indefinitely, waiting for input. It should have a timeout in
that case. But what about if you start it in background? There is more
to this in order to make it sensible.
 
Old 01-15-2012, 05:58 PM
Mauro Santos
 
Default Lighttpd and passphrase protected SSL certificate

On 15-01-2012 16:38, Audric Schiltknecht wrote:
>
> Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
> the SSL password must be entered manually on each lighttpd start (or to
> remove the password from the key file, which I don't want to do).

Just out of curiosity (and maybe learn something) why not? If you have
the certificate and the password stored together then I'd say the
password is not protecting much.

--
Mauro Santos
 
Old 01-15-2012, 07:07 PM
C Anthony Risinger
 
Default Lighttpd and passphrase protected SSL certificate

On Jan 15, 2012 12:58 PM, "Mauro Santos" <registo.mailling@gmail.com> wrote:
>
> On 15-01-2012 16:38, Audric Schiltknecht wrote:
> >
> > Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
> > the SSL password must be entered manually on each lighttpd start (or to
> > remove the password from the key file, which I don't want to do).
>
> Just out of curiosity (and maybe learn something) why not? If you have
> the certificate and the password stored together then I'd say the
> password is not protecting much.

I'm not aware of a reason to lock the keyfile ... fairly standard AFAIK.

Though if you wanted to get fancy, you could probably store the pass in the
kernel and use some request-key/keyctl trickery to pull it out when needed
... it would need to be loaded at least once on boot, but it's the same place
SSH/GPG keeps your keys IIRC, so it's safe ...

... maybe enc the password with your TPM, then decrypt into kernel keyring,
then load into openssl when requested ... :-O

Or just unlock the keyfile.

--

C Anthony
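An added example (my own code, not the Arch rc.d script and not lighttpd's or keyutils' code) that puts the points of this thread together in one start-up helper: Sven-Hendrik's concern that a passphrase prompt in the rc script would hang a boot-time or background start, C Anthony's suggestion of keeping the passphrase in the kernel keyring, and Mauro's observation about what the passphrase does and does not protect. It assumes the key path is passed as the first argument, that /run is tmpfs, that openssl(1) is installed and keyctl(1) is optional; the keyring description `lighttpd:server-key-passphrase`, the `RUN_DIR` location and the PEM stubs used for the dry run are my own choices, and the stubs contain no real key material.

```shell
#!/bin/sh
# Added example, not the Arch rc.d script and not lighttpd's own code.
# Prints the path of a key lighttpd can load without prompting, or exits 1.
# It never blocks waiting for a passphrase nobody can type, never puts the
# passphrase on a command line, and keeps the on-disk key encrypted.
# Assumed (my choices): $RUN_DIR on tmpfs, openssl(1) present, keyctl(1) optional.

RUN_DIR=${RUN_DIR:-/run/lighttpd}
KEYRING_DESC=${KEYRING_DESC:-lighttpd:server-key-passphrase}

# 0 if the PEM key is passphrase-protected. Legacy ("traditional") OpenSSL
# keys carry a "Proc-Type: 4,ENCRYPTED" header; encrypted PKCS#8 keys use
# their own BEGIN line. Anything else is treated as unencrypted.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# 0 if keyctl exists and the user keyring holds an entry with our description.
keyring_has_passphrase() {
    command -v keyctl >/dev/null 2>&1 &&
        keyctl search @u user "$KEYRING_DESC" >/dev/null 2>&1
}

# Decide where the passphrase can come from. Prints one of:
#   none    - key is not encrypted, use it as is
#   keyring - an operator stored the passphrase in the user keyring this boot
#   tty     - a terminal is attached, so we may prompt
#   refuse  - encrypted key, no keyring entry, no terminal (boot-time or
#             background start): fail fast instead of hanging the rc script
passphrase_source() {
    key=$1; have_tty=$2; have_keyring=$3
    [ -r "$key" ] || { echo missing; return 1; }
    if ! key_is_encrypted "$key"; then echo none
    elif [ "$have_keyring" = yes ]; then echo keyring
    elif [ "$have_tty" = yes ]; then echo tty
    else echo refuse
    fi
}

# Emit the passphrase on stdout from the chosen source. The keyring entry is
# created once after boot with: keyctl padd user "$KEYRING_DESC" @u  (stdin)
get_passphrase() {
    case $1 in
        keyring) keyctl pipe "$(keyctl search @u user "$KEYRING_DESC")" ;;
        tty)     printf 'Passphrase for %s: ' "$2" >/dev/tty
                 stty -echo </dev/tty; read -r pass </dev/tty; stty echo </dev/tty
                 echo >/dev/tty; printf '%s\n' "$pass" ;;
        *)       return 1 ;;
    esac
}

# Decrypt into $RUN_DIR (tmpfs) with mode 0600, passphrase on stdin: never
# "-passin pass:...", which every local user could read via ps. Prints the path.
decrypt_to_ram() {
    key=$1; out=$RUN_DIR/server-key.pem
    umask 077
    mkdir -p "$RUN_DIR" || return 1
    openssl pkey -in "$key" -passin stdin -out "$out" || { rm -f "$out"; return 1; }
    echo "$out"
}

# Constructed PEM stubs for a dry run; these are not real keys.
write_stub_key() {   # $1 = path, $2 = encrypted|plain
    if [ "$2" = encrypted ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' 'AAAA' \
            '-----END RSA PRIVATE KEY-----' >"$1"
    else
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
            '-----END PRIVATE KEY-----' >"$1"
    fi
}

prepare_key() {   # $1 = key file; prints the path lighttpd should load
    key=$1
    have_tty=no; [ -t 0 ] && have_tty=yes
    have_kr=no; keyring_has_passphrase && have_kr=yes
    src=$(passphrase_source "$key" "$have_tty" "$have_kr") || { echo "$key unreadable" >&2; return 1; }
    case $src in
        none)   echo "$key" ;;
        refuse) echo "$key is passphrase-protected and neither a terminal nor a keyring entry is available; not waiting" >&2; return 1 ;;
        *)      get_passphrase "$src" "$key" | decrypt_to_ram "$key" ;;
    esac
}

if [ $# -gt 0 ]; then prepare_key "$1"; fi
```

In an rc script this would be `KEY=$(sh lighttpd-key.sh /etc/lighttpd/server.pem) || exit 1`, with the `none` case returning the original path and the others a decrypted copy on tmpfs. The keyring must belong to the user the helper runs as, and `keyctl padd` reads the passphrase from stdin so it does not appear in the process list. The caveat Mauro raises still applies: while the server runs, a plaintext key exists in RAM and under `/run`, so the passphrase only protects the copy at rest on disk and in backups; what this buys over stripping the passphrase is that a stolen disk image or backup does not hand over the key.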
 
