You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2013/12/03 01:30:35 UTC
[jira] [Commented] (TS-2353) add ability to load ssl certs that are
owned by root and only read only by the user
[ https://issues.apache.org/jira/browse/TS-2353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837135#comment-13837135 ]
James Peach commented on TS-2353:
---------------------------------
[~bcall] and I discussed this on IRC a few days ago. IMHO, the right solution is to factor out a privileged helper to vend SSL keys to {{traffic_server}}. This would be more work but would address the problem much more generally. For example, I have a deployment system where traffic_cop runs as an unprivileged user, so elevating to root doesn't help.
If we *must* elevate to root, we should use the APIs in {{lib/ts/ink_cap.cc}}.
> add ability to load ssl certs that are owned by root and only read only by the user
> -----------------------------------------------------------------------------------
>
> Key: TS-2353
> URL: https://issues.apache.org/jira/browse/TS-2353
> Project: Traffic Server
> Issue Type: Improvement
> Components: HTTP
> Reporter: Bryan Call
> Attachments: ssl-start-as-root.patch
>
>
> [Nov 15 01:11:23.748] Server {0x2aaff3cb33a0} ERROR:
> SSL::0:error:0200100D:system library:fopen:Permission
> denied:bss_file.c:355:fopen('/****/search.crt','r')
> [Nov 15 01:11:23.748] Server {0x2aaff3cb33a0} ERROR:
> SSL::0:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
> [Nov 15 01:11:23.748] Server {0x2aaff3cb33a0} ERROR:
> SSL::0:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
> lib:ssl_rsa.c:470:
--
This message was sent by Atlassian JIRA
(v6.1#6144)