On Thu, Nov 26, 2009 at 01:25:28PM +1100, Simon Horman wrote:
On Fri, Nov 13, 2009 at 09:52:28AM -0600, Aaron Thoreson wrote:
I apologize if this has been covered. The signal-to-noise ratio in my
Google searching and GMANE/MARC searching didn't lead me to good results...
I see a few posts from ~2004 regarding passphrase protected SSL keys.
Mr. Horms indicated that he thought it ought to work, but was unable to
devote effort at the time, being 'snowed under' :)
Was this functionality added? I see in the .c code some callbacks to
the ctx 'passphrase' parts of libssl but can't tell where it's getting
sent along, if at all.
Can anyone provide tips?
Hi Aaron,
I think that the situation is that support to read the passphrase is
there but in practice it isn't entirely useful as there is no
prompt provided. The result being that it isn't obvious that
perdition is waiting for the input or a passphrase from stdin.
I'll see about resolving that.
It seems that it would also be useful to provide other methods
of supplying the passphrase. Perhaps something along the lines
of the --passphrase-fd, --passphrase-file and --passphrase options
of gpg.
Hi,
I have committed the following changesets to
http://hg.vergenet.net/perdition/perdition/ which
should improve the situation in regards to passphrases.
In particular:
* A prompt is now provided
* The passphrase is read before disconnecting from the controlling tty
* The passphrase may be read from a non-tty
* ssl_passphrase_fd and ssl_passphrase_file configuration parameters have been added
changeset: 712:8e7df5ad876c
tag: tip
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: ssl: Add ssl_passphrase-file configuration parameter
changeset: 711:cfea5820e966
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: ssl: Common error path for perdition_ssl_ctx()
changeset: 710:6c1e46c0ccfe
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: ssl: Add ssl_passphrase_fd configuration parameter
changeset: 709:ad2ae65a5724
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: perdition: introduce opt_err() and opt_err_digit()
changeset: 708:f6a375ff7866
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: perdition: read the SSL passphrase before daemonising
changeset: 707:4ffbf19c59ec
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: perdition: log options before initialising SSL
changeset: 706:17b26e00cebc
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: perdition: Break logger initialisation out
changeset: 705:0f0c35198c78
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:30 2009 +1100
summary: ssl: allow passphrase to be read from a non-tty
changeset: 704:21bf78a8c054
user: Simon Horman <horms(a)verge.net.au>
date: Thu Dec 03 17:26:29 2009 +1100
summary: ssl: Prompt for passphrase
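As an added illustration (not perdition's code, nor from this thread's author) of the passphrase handling the messages above describe: a function in the shape of OpenSSL's pem_password_cb that takes the key passphrase from a configured descriptor or file, and otherwise reads it from stdin with a prompt when stdin is a terminal, so the daemon no longer appears to hang silently. The struct pp_source and the function names are assumptions standing in for the ssl_passphrase_fd / ssl_passphrase_file parameters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Passphrase source, modelled on the thread's ssl_passphrase_fd and
 * ssl_passphrase_file options (hypothetical struct, not perdition's). */
struct pp_source {
    int fd;           /* >= 0: read the passphrase from this descriptor */
    const char *file; /* non-NULL: read the first line of this file */
};

/* Read one line from fd into buf (at most size-1 bytes), drop the
 * trailing newline, return its length, or -1 if nothing was read. */
static int read_line_fd(int fd, char *buf, int size)
{
    int n = 0;
    char c;
    while (n < size - 1) {
        ssize_t r = read(fd, &c, 1);
        if (r <= 0 || c == '\n')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return n > 0 ? n : -1;
}
/* OpenSSL pem_password_cb shape; install via SSL_CTX_set_default_passwd_cb()
 * and SSL_CTX_set_default_passwd_cb_userdata(ctx, &src).
 * Precedence: explicit fd, then file, then stdin with a prompt. */
int passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    struct pp_source *src = userdata;
    (void)rwflag; /* same source whether the key is read or written */
    if (src && src->fd >= 0)
        return read_line_fd(src->fd, buf, size);
    if (src && src->file) {
        int fd = open(src->file, O_RDONLY);
        int n = fd < 0 ? -1 : read_line_fd(fd, buf, size);
        if (fd >= 0)
            close(fd);
        return n;
    }
    /* The silent wait is the symptom the thread describes, so prompt
     * when stdin is a terminal; non-tty input is accepted silently. */
    if (isatty(STDIN_FILENO))
        fprintf(stderr, "Enter passphrase for SSL key: ");
    return read_line_fd(STDIN_FILENO, buf, size);
}
```

A production version would also switch off terminal echo (termios) for the tty case and ensure the passphrase file is readable only by the daemon's user.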