Posted to users@httpd.apache.org by Yves Goergen <no...@unclassified.de> on 2015/01/08 20:25:28 UTC

[users@httpd] Ignore SSL key/certificate errors

Hello,

Currently, when I configure Apache web server for SSL and provide a 
broken file for the key or certificate, the server fails to start 
completely. Since I want to allow other users of my web server to upload 
their own key/cert files for their VirtualHosts, I need to thoroughly 
verify these files to prevent a failure of the entire web server.

Unfortunately, I don't know how I can do that verification. OpenSSL's 
verify command doesn't care about private keys, but some changed 
characters in it will break it, too.

Is there an easier option to let Apache deny all SSL requests for the 
broken file's VirtualHost, and otherwise ignore the error? At least it 
should not fail completely; that's too drastic a measure that cannot be 
handled reasonably in an automatic way.

-- 
Yves Goergen
http://unclassified.software

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Ignore SSL key/certificate errors

Posted by Yves Goergen <no...@unclassified.de>.
On 08.01.2015 at 20:59, Scott (firstclasswatches.co.uk) wrote:
> Found the below online. You should be able to run that to give you a
> good idea that nothing has been tampered with before allowing it into
> the config.
>
> ----- If everything matches (same modulus), the files are compatible. If
> not, one of the files is not linked to the others.
>
> openssl rsa -noout -modulus -in FILE.key
> openssl req -noout -modulus -in FILE.csr
> openssl x509 -noout -modulus -in FILE.cer

Thank you, that seems to catch the manipulations I made to my test file 
that would also cause Apache to fail to start up.

-- 
Yves Goergen
http://unclassified.software



Re: [users@httpd] Ignore SSL key/certificate errors

Posted by Yves Goergen <no...@unclassified.de>.
On 08.01.2015 at 20:59, Scott (firstclasswatches.co.uk) wrote:
> openssl rsa -noout -modulus -in FILE.key
> openssl x509 -noout -modulus -in FILE.cer

I noticed PHP has built-in methods for these tasks, so I might as well 
call these and save me the temporary file or stdin/stdout handling for 
the external process. My file validation is implemented in PHP (CLI) anyway.

-- 
Yves Goergen
http://unclassified.software




Re: [users@httpd] Ignore SSL key/certificate errors

Posted by "Scott (firstclasswatches.co.uk)" <sc...@firstclasswatches.co.uk>.
Found the below online. You should be able to run that to give you a good
idea that nothing has been tampered with before allowing it into the config.

----- If everything matches (same modulus), the files are compatible. If
not, one of the files is not linked to the others.

openssl rsa -noout -modulus -in FILE.key
openssl req -noout -modulus -in FILE.csr
openssl x509 -noout -modulus -in FILE.cer


Kind Regards,

Scott

First Class Watches
9 Warwick Road
Kenilworth
CV8 1HD
Warwickshire
United Kingdom

On 8 January 2015 at 19:25, Yves Goergen <no...@unclassified.de>
wrote:

> Hello,
>
> Currently, when I configure Apache web server for SSL and provide a broken
> file for the key or certificate, the server fails to start completely.
> Since I want to allow other users of my web server to upload their own
> key/cert files for their VirtualHosts, I need to thoroughly verify these
> files to prevent a failure of the entire web server.
>
> Unfortunately, I don't know how I can do that verification. OpenSSL's
> verify command doesn't care about private keys, but some changed characters
> in it will break it, too.
>
> Is there an easier option to let Apache deny all SSL requests for the
> broken file's VirtualHost, and otherwise ignore the error? At least it
> should not fail completely; that's too drastic a measure that cannot be
> handled reasonably in an automatic way.
>
> --
> Yves Goergen
> http://unclassified.software
>
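The modulus comparison Scott posted, wrapped into a pre-upload check that a script (such as Yves's PHP CLI validator, here written as POSIX shell) can run before a VirtualHost is allowed to reference the files. This is an added example, not code from the thread; the function name check_keypair and the exit codes are assumptions, and it adds two checks the thread does not mention (an RSA consistency check and an expiry check), since a file that parses but is encrypted or expired would still stop Apache or serve an unusable site.

```shell
#!/bin/sh
# Validate an uploaded RSA key/certificate pair before it is referenced by a
# VirtualHost, so one broken file cannot stop the whole Apache server.
# Returns 0 = usable pair, 1 = reject (reason written to stderr).
check_keypair() {
    key="$1"
    cert="$2"

    # 1. The private key must parse and pass OpenSSL's RSA consistency check;
    #    a few changed characters in the PEM body are enough to fail here.
    #    An empty -passin makes an encrypted key fail instead of prompting,
    #    which is what it would do to Apache at startup.
    if ! openssl rsa -noout -check -passin pass: -in "$key" >/dev/null 2>&1; then
        echo "reject: private key does not parse or is inconsistent/encrypted" >&2
        return 1
    fi

    # 2. The certificate must parse.
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo "reject: certificate does not parse" >&2
        return 1
    fi

    # 3. Key and certificate must share the same modulus (the check from the
    #    thread); otherwise the certificate belongs to some other key.
    key_mod=$(openssl rsa -noout -modulus -passin pass: -in "$key" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
        echo "reject: certificate does not belong to this private key" >&2
        return 1
    fi

    # 4. A certificate that has already expired parses fine but is useless;
    #    -checkend 0 exits non-zero when notAfter is in the past.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo "reject: certificate has expired" >&2
        return 1
    fi

    return 0
}
```

Run it as `check_keypair /path/to/FILE.key /path/to/FILE.cer` from the upload handler and only write the VirtualHost when it returns 0; a subsequent `apachectl configtest` before reload remains a worthwhile last line of defence.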