Posted to dev@httpd.apache.org by Tom Browder <to...@gmail.com> on 2014/03/01 01:33:44 UTC

Re: Problems with directive "SSLPassPhraseDialog" with a piped script

On Fri, Feb 28, 2014 at 8:52 AM, Tom Browder <to...@gmail.com> wrote:
> On Fri, Feb 28, 2014 at 8:22 AM, Reindl Harald <h....@thelounge.net> wrote:
>> On 28.02.2014 14:18, Tom Browder wrote:
>>> On Fri, Feb 28, 2014 at 8:10 AM, Reindl Harald <h....@thelounge.net> wrote:
>>>>> On 28.02.2014 14:01, Tom Browder wrote:
>>> I agree, but even so shouldn't the pipe method work though it may be
>>> less strict?
>>
>> I don't know nor care because I used the exec variant in
>> production in the past, it worked fine and AFAIR with $1
>> you get the hostname to echo the correct password if there
>> is more than one certificate involved
>
> That's the way I read the docs, too.
>
> I have just the one cert good for multiple vhosts so it should work.

So, shall I file a bug or not?

-Tom

Re: Problems with directive "SSLPassPhraseDialog" with a piped script

Posted by Tom Browder <to...@gmail.com>.
On Mon, Mar 3, 2014 at 11:21 AM, Tom Browder <to...@gmail.com> wrote:
> On Mon, Mar 3, 2014 at 10:38 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
>> Tom,
>>
>> this code is shared with all the other pipe features in httpd, I

I've tried each of these versions to no avail:

   SSLPassPhraseDialog     |/path/to/passphrase.sh
   SSLPassPhraseDialog     |$/path/to/passphrase.sh
   SSLPassPhraseDialog     |\$/path/to/passphrase.sh
   SSLPassPhraseDialog     "|/path/to/passphrase.sh"
   SSLPassPhraseDialog     "|$/path/to/passphrase.sh"
   SSLPassPhraseDialog     "|\$/path/to/passphrase.sh"

I also changed the passphrase.sh script to require an argument (any argument).

I must be doing something wrong (my weak understanding of pipes).

Someone who can demonstrate the pipe method successfully should
document exactly how to do it.

In any event, I agree with Reindl Harald: "SSLPassPhraseDialog
exec:/path/to/passphrase.sh is your friend."

Best regards,

-Tom
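The exec: variant that Reindl Harald and Tom settle on above, written out as an added example; this is not code from the thread or from httpd. It assumes, as mod_ssl's docs describe, that $1 arrives as "servername:port" (the thread only says it carries the hostname), and the hostnames and passphrases are constructed sample values. Beyond the thread, it also refuses to run if the script itself is readable by other local users, since the passphrases live inside it.

```shell
#!/bin/sh
# Added example for:  SSLPassPhraseDialog exec:/path/to/passphrase.sh
# mod_ssl runs this once per encrypted key at startup, passing the vhost's
# "servername:port" as $1 (assumption: the form mod_ssl's docs give).
# The script must print the passphrase on stdout and exit 0.
# All hostnames and passphrases below are constructed sample data.

# passphrase_for NAME: print the passphrase for NAME; return 1 if unknown.
passphrase_for() {
    case "$1" in
        www.example.com:443|www.example.com:8443)
            printf '%s\n' 'constructed-passphrase-A' ;;
        mail.example.com:443)
            printf '%s\n' 'constructed-passphrase-B' ;;
        *)
            return 1 ;;
    esac
}

# check_script_perms FILE: return 0 only if FILE is readable by its owner
# alone, so the embedded passphrases are not exposed to other local users.
check_script_perms() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        700|500|600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when httpd invokes the script with a servername:port argument.
if [ $# -gt 0 ]; then
    check_script_perms "$0" || {
        echo "refusing: $0 is readable by users other than its owner" >&2
        exit 1
    }
    passphrase_for "$1" || { echo "no passphrase configured for $1" >&2; exit 1; }
fi
```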

Re: Problems with directive "SSLPassPhraseDialog" with a piped script

Posted by Tom Browder <to...@gmail.com>.
On Mon, Mar 3, 2014 at 10:38 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> Tom,
>
> this code is shared with all the other pipe features in httpd, I
> believe the docs at
> http://httpd.apache.org/docs/current/logs.html#piped will explain why
> the shell was
> not invoked, and provides an example of how to invoke your pipe script
> with shell.

Ah, that '$' may be the ticket.  I'll try that and see if it works.

Given that it works, is there any inherent advantage (security-wise or
other) of the pipe vs. exec for returning the key passphrase at start
up?

Also, if it works, I'll comment at the appropriate place in the docs.

Thanks, Bill.

Best regards,

-Tom

Re: Problems with directive "SSLPassPhraseDialog" with a piped script

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
Tom,

this code is shared with all the other pipe features in httpd, I
believe the docs at
http://httpd.apache.org/docs/current/logs.html#piped will explain why
the shell was
not invoked, and provides an example of how to invoke your pipe script
with shell.

You can use the docs commentary system to submit feedback on the mod_ssl
doc page, if this solves your issue.

Bill



On Fri, Feb 28, 2014 at 6:33 PM, Tom Browder <to...@gmail.com> wrote:
> On Fri, Feb 28, 2014 at 8:52 AM, Tom Browder <to...@gmail.com> wrote:
>> On Fri, Feb 28, 2014 at 8:22 AM, Reindl Harald <h....@thelounge.net> wrote:
>>> On 28.02.2014 14:18, Tom Browder wrote:
>>>> On Fri, Feb 28, 2014 at 8:10 AM, Reindl Harald <h....@thelounge.net> wrote:
>>>>>> On 28.02.2014 14:01, Tom Browder wrote:
>>>> I agree, but even so shouldn't the pipe method work though it may be
>>>> less strict?
>>>
>>> I don't know nor care because I used the exec variant in
>>> production in the past, it worked fine and AFAIR with $1
>>> you get the hostname to echo the correct password if there
>>> is more than one certificate involved
>>
>> That's the way I read the docs, too.
>>
>> I have just the one cert good for multiple vhosts so it should work.
>
> So, shall I file a bug or not?
>
> -Tom