Posted to dev@httpd.apache.org by Daniel Ruggeri <dr...@primary.net> on 2019/02/20 23:46:47 UTC

Anyone interested in a freelance opportunity?

Hi, all;
   I was approached to see if I would be interested/willing to work on code to support encrypted client keys for the proxy. Unfortunately, I had to pass since I just don't have the time, but figured I'd reach out here to see if anyone here has the time/expertise/interest.

   I know it's an odd thing to ask, but thought it's worth bringing up because I'd personally love to see this functionality :-)

Feel free to reply directly to me if you don't want to share with the list.
-- 
Daniel Ruggeri

Re: Anyone interested in a freelance opportunity?

Posted by Daniel Ruggeri <dr...@primary.net>.

On February 22, 2019 5:03:43 AM CST, Ruediger Pluem <rp...@apache.org> wrote:
>
>
>On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
>> Hi, all;
>> I was approached to see if I would be interested/willing to work on code to support encrypted client keys for the proxy.
>
>You mean encrypted private keys for SSL client authentication?
>You might remember that discussion from 2013 then where you took part:
>
>https://lists.apache.org/thread.html/5d4fbc62cb07a3550af4f516d007973c385389cace202d217f6b74c1@1384351589@%3Cdev.httpd.apache.org%3E

Yes, indeed. That thread is in a similar neighborhood... but is more focused on the idea of removing the functionality. It feels like ages ago we discussed that. I had all but forgotten about that thread!

My own opinion on the topic is mostly unchanged:
I agree with Joe's assertion that sometimes folks are bound to "the checklist". Whether that be from an auditor, security policy or some other form of edict passed upon the server admin team, it's their job to comply. At least in the large enterprises I've sampled, the response is usually: "Don't care. The policy says <foo>. Fix it." It'd be a shame if we cannot serve those poor server admins... they already have the cards stacked against them anyway. In the meantime since that thread, it also seems "that other web server" has added support for encrypted keys with passphrase coming from a file.

I don't intend to spark the debate again with this reply. We CAN do that in another thread as I don't think we found consensus across the project and/or there's not enough interest to change current inertia. After all... the doers will do :-) I'm just hoping the above adds context to why I personally would like to see the capability.

>
>
>Regards
>
>Rüdiger

Re: Anyone interested in a freelance opportunity?

Posted by Stefan Eissing <st...@greenbytes.de>.
> On 22.02.2019 at 12:03, Ruediger Pluem <rp...@apache.org> wrote:
> 
> 
> 
> On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
>> Hi, all;
>> I was approached to see if I would be interested/willing to work on code to support encrypted client keys for the proxy.
> 
> You mean encrypted private keys for SSL client authentication?
> You might remember that discussion from 2013 then where you took part:
> 
> https://lists.apache.org/thread.html/5d4fbc62cb07a3550af4f516d007973c385389cace202d217f6b74c1@1384351589@%3Cdev.httpd.apache.org%3E

Interesting. Thanks, Rüdiger.

In mod_md, there is no mechanism besides file permissions to protect private keys of server certificates. However, new keys, generated as a less-privileged user, are stored encrypted. When the server reloads and copies them into a "root" form, they are converted to unencrypted. The passphrase sits in memory during this time, because.

Generic security scenarios where the attacker gets root access to file system / memory rapidly become unconstructive, I find. One needs to focus on more specific scenarios and requirements to get anywhere.

-Stefan

Re: Anyone interested in a freelance opportunity?

Posted by Ruediger Pluem <rp...@apache.org>.

On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
> Hi, all;
> I was approached to see if I would be interested/willing to work on code to support encrypted client keys for the proxy.

You mean encrypted private keys for SSL client authentication?
You might remember that discussion from 2013 then where you took part:

https://lists.apache.org/thread.html/5d4fbc62cb07a3550af4f516d007973c385389cace202d217f6b74c1@1384351589@%3Cdev.httpd.apache.org%3E


Regards

Rüdiger


Re: Anyone interested in a freelance opportunity?

Posted by Eric Covener <co...@gmail.com>.
> PS. I do not find it weird at all to ask here. I see really no difference between an employee intended to put time into open source vs. a person hired for a certain development in an open source project. And I do not feel that we are competing here, either. That'd be a different thing indeed.

+1

Re: Anyone interested in a freelance opportunity?

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 21.02.2019 at 00:46, Daniel Ruggeri <dr...@primary.net> wrote:
> 
> Hi, all;
> I was approached to see if I would be interested/willing to work on code to support encrypted client keys for the proxy. Unfortunately, I had to pass since I just don't have the time, but figured I'd reach out here to see if anyone here has the time/expertise/interest.
> 
> I know it's an odd thing to ask, but thought it's worth bringing up because I'd personally love to see this functionality :-)
> 
> Feel free to reply directly to me if you don't want to share with the list.

It's no secret that I sometimes take money for developing free software. I have some openings later this year. If this fits the time frame and going via a German company is not weird, feel free to forward my name and email.

Cheers,

Stefan

PS. I do not find it weird at all to ask here. I see really no difference between an employee intended to put time into open source vs. a person hired for a certain development in an open source project. And I do not feel that we are competing here, either. That'd be a different thing indeed.