Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/04/19 10:30:49 UTC

[Bug 66016] New: The passphrase for TLS private key password encryption is stored in plaintext

https://bz.apache.org/bugzilla/show_bug.cgi?id=66016

            Bug ID: 66016
           Summary: The passphrase for TLS private key password encryption
                    is stored in plaintext
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: 510584901@qq.com
  Target Milestone: ---

The passphrase for TLS private key password encryption is stored in plaintext;
there is still a risk of information leakage, and this does not comply with
security regulations in commercial scenarios. Maybe HTTPD should implement a
more secure way to store sensitive configurations.

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
        SSLCertificateFile /etc/server.crt
        SSLCertificateKeyFile /etc/server.key
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
</IfModule>

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 66016] The passphrase for TLS private key password encryption is stored in plaintext


Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
I'm not sure what "password encryption is stored in plaintext" means.

With mod_ssl you can do any of:

a) use a plaintext-on-disk key file
b) use an encrypted-on-disk key file which is unencrypted in memory using a
passphrase supplied at startup
c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)

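The three storage options Joe lists above differ in what an attacker who reads the key file actually obtains. The script below is an added example (not code from the bug thread or from httpd): it classifies every SSLCertificateKeyFile in a config as plaintext-on-disk (a), encrypted-on-disk (b), or a PKCS#11 URI (c) by inspecting only the PEM envelope; the file names and sample keys are constructed for illustration.

```shell
# Added example, not from the bug thread: classify how each key referenced by
# an httpd config is stored, mapped to option (a) plaintext file,
# (b) encrypted file, (c) PKCS#11 token. Only the PEM envelope is inspected;
# all paths and sample files below are constructed for illustration.

# Print "encrypted", "plaintext" or "unknown" for a PEM key file (always exits 0).
key_storage_class() {
    f="$1"
    if [ ! -r "$f" ]; then echo "unknown"; return 0; fi
    # PKCS#8 encrypted envelope (e.g. openssl genpkey/pkcs8 with a passphrase)
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "encrypted"; return 0
    fi
    # Legacy PEM envelope carrying DEK-Info headers (e.g. openssl rsa -aes256)
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "encrypted"; return 0
    fi
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "plaintext"; return 0
    fi
    echo "unknown"
}

# Print the number of SSLCertificateKeyFile entries that are plaintext on
# disk; each key's class is reported on stderr. pkcs11: URIs are option (c).
count_plaintext_keys() {
    conf="$1"; n=0
    for k in $(awk '$1 == "SSLCertificateKeyFile" { print $2 }' "$conf"); do
        case "$k" in
            pkcs11:*) cls="pkcs11" ;;
            *)        cls=$(key_storage_class "$k") ;;
        esac
        echo "$k: $cls" >&2
        if [ "$cls" = "plaintext" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample files in directory $1 (key bodies are placeholders, not real keys).
make_samples() {
    d="$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder...' \
        '-----END RSA PRIVATE KEY-----' > "$d/plain.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIF...placeholder...' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc.key"
    printf '%s\n' 'SSLEngine on' "SSLCertificateKeyFile $d/plain.key" \
        "SSLCertificateKeyFile $d/enc.key" \
        'SSLCertificateKeyFile pkcs11:token=hsm;object=tls' > "$d/ssl.conf"
}
```

A key classed as "encrypted" is option (b) and needs a passphrase source at startup (for httpd, the SSLPassPhraseDialog directive), which is what the reporter's "passphrase" refers to; a key classed as "plaintext" is option (a), where any read access to the file yields the key itself.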


[Bug 66016] The passphrase for TLS private key password encryption is stored in plaintext


--- Comment #2 from SkyFly222 <51...@qq.com> ---
(In reply to Joe Orton from comment #1)
> I'm not sure what "password encryption is stored in plaintext" means.
> 
> With mod_ssl you can do any of:
> 
> a) use a plaintext-on-disk key file
> b) use an encrypted-on-disk key file which is unencrypted in memory using a
> passphrase supplied at startup
> c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
        SSLCertificateFile /etc/server.crt
        SSLCertificateKeyFile /etc/server.key
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
</IfModule>

When apache starts, /etc/server.key is plaintext.
