[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [libmicrohttpd] SSL key passwords
From: |
Christian Grothoff |
Subject: |
Re: [libmicrohttpd] SSL key passwords |
Date: |
Sun, 08 Feb 2015 01:38:49 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.3.0 |
Hi!
Thanks for the suggestion. I've added an equivalent patch in SVN 35146.
The main changes from your patch include updating the manual and
ChangeLog and NULL-ing the "https_key_password" pointer after
initialization.
The documentation also makes it explicit that the password is ONLY used
during "MHD_start_daemon()" and that thus the application is free to
erase it from memory afterwards (which I would consider good practice).
If you send patches in the future, I'd appreciate it if you could use
attachments, as e-mail tends to garble them.
Happy hacking!
Christian
On 02/07/2015 06:14 AM, Andrew Basile wrote:
> In one of my projects, we are using MHD and need to support SSL encrypted
> private keys, with passwords. I ended up modifying the MHD code to support
> propagating, in addition to an SSL certificate and key, an SSL key password
> through to GnuTLS. With some relatively simple changes in place, the option
> MHD_OPTION_HTTPS_KEY_PASSWORD can be used when calling MHD_start_daemon() to
> specify a const char * password string. Also, another debug message is added
> in order to report the code returned by GnuTLS in the event the SSL
> certificate/key cannot be processed.
>
> Following are my code diffs, relative to the 0.9.39 release. Hopefully they
> can be vetted by the primary author(s) of this codebase and incorporated into
> a future MHD release. Thank you.
>
> $ diff src/include/microhttpd.h.orig src/include/microhttpd.h
> 865a866,873
>>
>> /**
>> * Memory pointer for a password that decrypts the private key (key.pem)
>> * to be used by the HTTPS daemon. This option should be followed by a
>> * `const char *` argument.
>> * This should be used in conjunction with #MHD_OPTION_HTTPS_MEM_KEY.
>> */
>> MHD_OPTION_HTTPS_KEY_PASSWORD = 26,
> $ diff src/microhttpd/internal.h.orig src/microhttpd/internal.h
> 1202a1203,1208
>> * Pointer to a string containing a password (in ASCII) that de-crypts
>> * our SSL/TLS key.
>> */
>> const char *https_key_password;
>>
>> /**
> $ diff src/microhttpd/daemon.c.orig src/microhttpd/daemon.c
> 547,549c547,560
> < return gnutls_certificate_set_x509_key_mem (daemon->x509_cred,
> < &cert, &key,
> < GNUTLS_X509_FMT_PEM);
> ---
>> int r;
>> if (NULL != daemon->https_key_password)
>> r = gnutls_certificate_set_x509_key_mem2(daemon->x509_cred, &cert,
>> &key, GNUTLS_X509_FMT_PEM,
>> daemon->https_key_password,0);
>> else
>> r = gnutls_certificate_set_x509_key_mem(daemon->x509_cred, &cert, &key,
>> GNUTLS_X509_FMT_PEM);
>> #if HAVE_MESSAGES
>> if (r != 0)
>> MHD_DLOG(daemon, "GnuTLS could not set up SSL certificate/key; " \
>> "GnuTLS code %d was returned\n", r);
>> #endif
>> return r;
> 2997a3009,3018
>> case MHD_OPTION_HTTPS_KEY_PASSWORD:
>> if (0 != (daemon->options & MHD_USE_SSL))
>> daemon->https_key_password = va_arg (ap, const char *);
>> #if HAVE_MESSAGES
>> else
>> MHD_DLOG (daemon,
>> "MHD HTTPS option %d passed to MHD but MHD_USE_SSL not
>> set\n",
>> opt);
>> #endif
>> break;
> 3178a3200
>> case MHD_OPTION_HTTPS_KEY_PASSWORD:
> 3228c3250,3252
> < (opt <= MHD_OPTION_HTTPS_PRIORITIES)) || (opt ==
> MHD_OPTION_HTTPS_MEM_TRUST))
> ---
>> (opt <= MHD_OPTION_HTTPS_PRIORITIES)) ||
>> (opt == MHD_OPTION_HTTPS_MEM_TRUST) ||
>> (opt == MHD_OPTION_HTTPS_KEY_PASSWORD))
>
>
> Andrew Basile
> Basile Enterprises <http://basileenterprises.com/>
>
signature.asc
Description: OpenPGP digital signature