Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/04/17 23:29:38 UTC

DO NOT REPLY [Bug 51075] New: Add support for TLS-SRP (RFC 5054)

https://issues.apache.org/bugzilla/show_bug.cgi?id=51075

           Summary: Add support for TLS-SRP (RFC 5054)
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sqs@cs.stanford.edu


TLS-SRP (RFC 5054)[1] is an implementation of the Secure Remote Password
(SRP)[2] protocol as a key exchange method for TLS. It uses a shared secret
derived from a user's password to supplement or replace third-party
certificates in setting up a TLS connection.

This patch adds TLS-SRP support to mod_ssl, adds two new directives
(SSLSRPVerifierFile and SSLSRPUnknownUserSeed), adds two new SSL env vars
(SSL_SRP_USER and SSL_SRP_USERINFO), and includes basic documentation.

The TLS-SRP-specific code uses preprocessor guards on OPENSSL_NO_SRP and is
enabled only if OpenSSL >= 1.0.1, which is the first version of OpenSSL that
will include SRP support[3].

To use this patch:
(1) install OpenSSL 1.0.1;
(2) create an OpenSSL SRP verifier (passwd) file with
    `openssl srp -srpvfile passwd.srpv -add username`;
(3) specify this file in the server config with
    SSLSRPVerifierFile /path/to/passwd.srpv;
(4) optionally, for easier testing, force the use of SRP with
    SSLCipherSuite "!DSS:!aRSA:SRP".

To test the TLS-SRP functionality, use gnutls-cli or a version of cURL with
TLS-SRP support:

gnutls-cli --srpusername user --srppasswd secret host
curl --tlsuser user --tlspassword secret -k https://host

TLS-SRP support for Apache is already provided by mod_gnutls[4]. Now that PAKE
patents have expired and the security of CAs is increasingly being doubted,
TLS-SRP is gaining wider acceptance. GnuTLS, mod_gnutls, and TLSLite have
supported it for years; cURL since February; OpenSSL will support it in the
next release; and I have also assembled patches[5] for Chrome, Firefox, and
NSS.

This patch was originally created by Christophe Renou and Peter Sylvester of
EdelWeb. I updated it to work with Apache 2's mod_ssl.


[1] http://tools.ietf.org/html/rfc5054
[2] http://srp.stanford.edu/
[3] http://cvs.openssl.org/chngview?cn=20484
[4] http://trustedhttp.org/wiki/TLS-SRP_in_Apache_mod_gnutls
[5] http://trustedhttp.org/

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
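The SRP-6a exchange that RFC 5054 carries inside the TLS handshake, as an added example that is not part of the bug report or of the mod_ssl patch: it computes a verifier the way `openssl srp -add` would store it (salt and g^x mod N, never the password), runs the client and server halves of the key exchange, and sketches the purpose of SSLSRPUnknownUserSeed. The group is the 1024-bit one from RFC 5054 Appendix A and the hash is SHA-1 as RFC 5054 specifies; the unknown-user handling (`lookup`) is an assumed illustration of why the directive exists, not OpenSSL's exact construction; the usernames, passwords and seed are constructed sample values.

```python
import hashlib
import hmac
import os

# RFC 5054 Appendix A, 1024-bit group: N is a safe prime, g = 2 its generator.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes; PAD() left-pads to this length


def pad(x):
    return x.to_bytes(NLEN, "big")


def H(*parts):
    """SHA-1 over the concatenated parts, as an integer (RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, RFC 5054 section 2.5.3


def compute_x(salt, user, password):
    # x = SHA1(s | SHA1(I | ":" | P)); only the client ever computes this
    return H(salt, hashlib.sha1(user + b":" + password).digest())


def make_verifier(user, password, salt=None):
    """What an SRP verifier file stores per user: (salt, v = g^x mod N).
    The password itself is never written to disk."""
    salt = salt or os.urandom(16)
    return salt, pow(g, compute_x(salt, user, password), N)


def lookup(vbase, user, unknown_user_seed):
    """Server-side lookup. Assumed illustration of what SSLSRPUnknownUserSeed is
    for (not OpenSSL's exact construction): an unknown user gets a salt that is
    stable across connections (derived from the seed) and a random verifier, so
    the ServerKeyExchange does not reveal whether the username exists."""
    if user in vbase:
        return vbase[user]
    fake_salt = hmac.new(unknown_user_seed, user, hashlib.sha1).digest()[:16]
    fake_v = pow(g, int.from_bytes(os.urandom(NLEN), "big") % N, N)
    return fake_salt, fake_v


def server_challenge(v, b):
    # B = (k*v + g^b) mod N, sent to the client together with the salt
    return (k * v + pow(g, b, N)) % N


def client_response(user, password, salt, B, a):
    """Client side: returns (A, premaster secret). Aborts on B mod N == 0."""
    if B % N == 0:
        raise ValueError("illegal server value B")
    A = pow(g, a, N)
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u == 0")
    x = compute_x(salt, user, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, S


def server_finish(v, A, B, b):
    """Server side: derives the premaster secret from A without knowing x."""
    if A % N == 0:
        raise ValueError("illegal client value A")
    u = H(pad(A), pad(B))
    return pow(A * pow(v, u, N), b, N)


def run_exchange(vbase, user, password, seed=b"constructed-seed", a=None, b=None):
    """Full exchange; returns (client premaster, server premaster). They agree
    only if the client's password matches the stored verifier."""
    a = a or int.from_bytes(os.urandom(32), "big")
    b = b or int.from_bytes(os.urandom(32), "big")
    salt, v = lookup(vbase, user, seed)
    B = server_challenge(v, b)
    A, S_client = client_response(user, password, salt, B, a)
    S_server = server_finish(v, A, B, b)
    return S_client, S_server


if __name__ == "__main__":
    # Constructed sample credentials, as `openssl srp -add alice` would create.
    vbase = {b"alice": make_verifier(b"alice", b"correct horse")}
    ok = run_exchange(vbase, b"alice", b"correct horse")
    bad = run_exchange(vbase, b"alice", b"wrong password")
    print("correct password agrees:", ok[0] == ok[1])
    print("wrong password agrees:  ", bad[0] == bad[1])
```

With the wrong password the two premaster secrets differ, which in TLS surfaces as a failed Finished message; the password itself never crosses the wire, and a stolen verifier file still has to be brute-forced offline rather than used directly. The `lookup` function is the defender's view of the unknown-user seed: without a stable fake salt, a probe for a non-existent username would get a different salt on every connection and the account list would leak.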


[Bug 51075] Add support for TLS-SRP (RFC 5054)


--- Comment #2 from Stefan Fritsch <sf...@sfritsch.de> ---
(In reply to comment #0)
> This patch was originally created by Christophe Renou and Peter Sylvester of
> EdelWeb. I updated it to work with Apache 2's mod_ssl.

You do have permission to submit the patch under the Apache License, don't you?

Some more questions: Is there any documentation for the openssl interface
available somewhere? Do you know why SRP_VBASE_init() and SRP_VBASE_new() take
char* as argument and not const char*?



[Bug 51075] Add support for TLS-SRP (RFC 5054)


Stefan Fritsch <sf...@sfritsch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Stefan Fritsch <sf...@sfritsch.de> ---
fixed in 2.4.4



DO NOT REPLY [Bug 51075] Add support for TLS-SRP (RFC 5054)


Quinn Slack <sq...@cs.stanford.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable
                URL|                            |http://trustedhttp.org/wiki
                   |                            |/TLS-SRP_in_Apache_mod_ssl
                 CC|                            |sqs@cs.stanford.edu
         OS/Version|Linux                       |All



[Bug 51075] Add support for TLS-SRP (RFC 5054)


--- Comment #4 from Peter Sylvester <pe...@edelweb.fr> ---
(In reply to comment #2)
> (In reply to comment #0)
> > This patch was originally created by Christophe Renou and Peter Sylvester of
> > EdelWeb. I updated it to work with Apache 2's mod_ssl.

good.

> 
> You do have permission to submit the patch under the Apache License, don't
> you?

I hereby confirm that this is the case.

> 
> Some more questions: Is there any documentation for the openssl interface
> available somewhere? Do you know why SRP_VBASE_init() and SRP_VBASE_new()
> take char* as argument and not const char*?

The original version was made before the "const"ification attempts in openssl.

IMO, the srp_vbase stuff should not be used. Instead a dynamic approach, reading
from an LDAP or database, can be used to retrieve a verifier. This can be done
without blocking.



DO NOT REPLY [Bug 51075] Add support for TLS-SRP (RFC 5054)


--- Comment #1 from Quinn Slack <sq...@cs.stanford.edu> 2011-04-17 17:34:00 EDT ---
Created an attachment (id=26892)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26892)
add TLS-SRP (RFC 5054) support to mod_ssl



[Bug 51075] Add support for TLS-SRP (RFC 5054)


Stefan Fritsch <sf...@sfritsch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #3 from Stefan Fritsch <sf...@sfritsch.de> ---
Committed as r1347980 to trunk. Thanks for the patch.
