Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/04/19 10:30:49 UTC
[Bug 66016] New: The passphrase for TLS private key password encryption is stored in plaintext
https://bz.apache.org/bugzilla/show_bug.cgi?id=66016
Bug ID: 66016
Summary: The passphrase for TLS private key password encryption is stored in plaintext
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: 510584901@qq.com
Target Milestone: ---
The passphrase for TLS private key password encryption is stored in plaintext,
so there is still a risk of information leak; this does not comply with the security
regulations of commercial scenarios. Maybe HTTPD should implement some more
secure way to store sensitive configurations.
https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
SSLVerifyDepth 10
SSLOptions +StdEnvVars
</IfModule>
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 66016] The passphrase for TLS private key password encryption is stored in plaintext
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
I'm not sure what "password encryption is stored in plaintext" means.
With mod_ssl you can do any of:
a) use a plaintext-on-disk key file
b) use an encrypted-on-disk key file which is unencrypted in memory using a
passphrase supplied at startup
c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)
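An added audit check for the three storage cases listed in comment #1 (this is not code from the bug thread or from httpd): a POSIX shell function classifies a configured SSLCertificateKeyFile value by its PEM header, treating a pkcs11: URI as the hardware-backed case (the URI form here is an assumption for the example), and a second function flags plaintext keys whose file mode allows group or world read. The PEM stubs used in the demo are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example, not part of the bug report or of httpd itself.
# Classifies how a private key referenced from mod_ssl config is stored,
# matching Joe Orton's cases (a) plaintext, (b) encrypted, (c) PKCS#11.
# Only PEM headers are inspected, so this runs without openssl.

# Prints one of: plaintext, encrypted, pkcs11, unknown.
key_storage_class() {
    path="$1"
    case "$path" in
        pkcs11:*) echo pkcs11; return 0 ;;   # case (c): key lives in a token (assumed URI form)
    esac
    [ -r "$path" ] || { echo unknown; return 1; }
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$path" \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$path"; then
        echo encrypted    # case (b): unusable without the startup passphrase
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$path"; then
        echo plaintext    # case (a): readable by anyone who can read the file
    else
        echo unknown
    fi
}

# Returns 0 when the file is readable by its owner only (mode 400 or 600).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600|0400|0600) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<path> <class> <verdict>" for one configured key reference.
audit_keyfile() {
    cls=$(key_storage_class "$1") || true
    verdict=ok
    if [ "$cls" = plaintext ] && ! key_perms_ok "$1"; then
        verdict="plaintext-key-readable-beyond-owner"
    elif [ "$cls" = unknown ]; then
        verdict="unrecognised-or-unreadable"
    fi
    echo "$1 $cls $verdict"
}

# Builds constructed sample files (headers only, no real keys) and audits them.
demo_audit() {
    d=$(mktemp -d)
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIBVgIBADANBg\n-----END PRIVATE KEY-----\n' > "$d/plain.key"
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkq\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$d/enc.key"
    chmod 644 "$d/plain.key"
    audit_keyfile "$d/plain.key"
    audit_keyfile "$d/enc.key"
    audit_keyfile 'pkcs11:token=HSM;object=server'
    rm -rf "$d"
}

if [ $# -gt 0 ]; then
    for f in "$@"; do audit_keyfile "$f"; done
fi
```

Run it with the key paths taken from each SSLCertificateKeyFile directive, or call demo_audit to see the constructed cases. A plaintext verdict is the situation the reporter describes; moving to case (b) means encrypting the key and supplying the passphrase at startup through SSLPassPhraseDialog (builtin prompt or exec: of a helper program), which keeps the on-disk key unusable without it.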
[Bug 66016] The passphrase for TLS private key password encryption is stored in plaintext
--- Comment #2 from SkyFly222 <51...@qq.com> ---
(In reply to Joe Orton from comment #1)
> I'm not sure what "password encryption is stored in plaintext" means.
>
> With mod_ssl you can do any of:
>
> a) use a plaintext-on-disk key file
> b) use an encrypted-on-disk key file which is unencrypted in memory using a
> passphrase supplied at startup
> c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)
https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
SSLVerifyDepth 10
SSLOptions +StdEnvVars
</IfModule>
When Apache starts, /etc/server.key is plaintext.