Article delegate-en/449 of [1-5169] on the server localhost:119
[Reference:<_A444@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Delegate and SSL : encrypted certificates
19 May 1999 04:04:11 GMT ysato@etl.go.jp (Yutaka Sato)


On 05/11/99(23:43) you pxqaqbdyi-6cvkcthymrnr.ml@ml.delegate.org (Nicolas Ruffel) wrote
in <_A444@delegate-en.ML_>
 |I'm trying to use delegate as a proxy between an HTTP client and an HTTPS
 |server. We use Netscape certificates translated to PEM files, but encrypted with
 |a password. We tried to use the sslway filter to give the certificate password
 |to delegate. We used the function SSL_CTX_set_default_passwd_cb() to give the
 |right callback function to call, but it seems that we used a bad prototype for
 |the callback function. And I can't find the right prototype in the
 |documentation.
 |So, did anyone use SSL_CTX_set_default_passwd_cb() to specify a callback giving
 |a certificate password, and what is the right prototype for this callback?
 |Is this the right way to use encrypted certificates?
 |Are there any available examples?

SSLeay-0.9.0b/doc/callback.doc says:
>The PEM library.
>
>The pem library only really uses one type of callback,
>static int def_callback(char *buf, int num, int verify);
>which is used to return a password string if required.
>'buf' is the buffer to put the string in.  'num' is the size of 'buf'
>and 'verify' is used to indicate that the password should be checked.
>This last flag is mostly used when reading a password for encryption.
>
>For all of these functions, a NULL callback will call the above mentioned  
>default callback.  This default function does not work under Windows 3.1.
>For other machines, it will use an application defined prompt string
>(EVP_set_pw_prompt(), which defines a library wide prompt string)
>if defined, otherwise it will use its own PEM password prompt.
>It will then call EVP_read_pw_string() to get a password from the console.
>If your application wishes to use nice fancy windows to retrieve passwords,
>replace this function.  The callback should return the number of bytes read
>into 'buf'.  If the number of bytes <= 0, it is considered an error.

Following this document, I made a tentative implementation of a password
callback function, as enclosed.
I think what is difficult is how to pass a password string from a
human user to DeleGate, then from DeleGate to sslway.  It must be
designed carefully in the future, but I did it in a very simple and
non-secure way in this patch, that is, you pass the necessary
password via the environment variable ``SSL_KEY_PASSWD''.

Cheers,
Yutaka
--
Yutaka Sato <ysato@etl.go.jp> http://www.etl.go.jp/~ysato/   @ @ 
Computer Science Division, Electrotechnical Laboratory      ( - )
1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan            _<   >_


*** ../../delegate5.9.1/filters/sslway.c	Fri Dec 18 16:05:31 1998
--- sslway.c	Wed May 19 12:48:49 1999
***************
*** 273,284 ****
--- 273,311 ----
  static int   do_showCERT = 0;
  static char *sv_key  = "server-key.pem";
  static char *sv_cert = "server-cert.pem";
+ static char *sv_pass = 0;
  static char *cl_key  = "client-key.pem";
  static char *cl_cert = "client-cert.pem";
+ static char *cl_pass = 0;
  static char *cipher_list = NULL;
  static int   cl_auth = 0;
  static int   cl_vrfy = SSL_VERIFY_PEER;
  
+ static _passwd(what,pass,buf,siz,vrfy)
+ 	char *what,*pass;
+ 	char *buf;
+ {
+ 	if( pass ){
+ 		ERROR("%s_passwd(%x,%d,%d)",what,buf,siz,vrfy);
+ 		strcpy(buf,pass);
+ 		return strlen(pass);
+ 	}else{
+ 		ERROR("%s_passwd(%x,%d,%d) -- SSL_%S_KEY_PASSWD undefined",
+ 			what,buf,siz,vrfy,what);
+ 		return -1;
+ 	}
+ }
+ static sv_passwd(buf,siz,vrfy)
+ 	char *buf;
+ {
+ 	return _passwd("SERVER",sv_pass,buf,siz,vrfy);
+ }
+ static cl_passwd(buf,siz,vrfy)
+ 	char *buf;
+ {
+ 	return _passwd("CLIENT",cl_pass,buf,siz,vrfy);
+ }
+ 
  main(ac,av)
  	char *av[];
  {	int ai;
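Review bot: _passwd() copies the passphrase into buf with strcpy() without checking it against siz, so a passphrase of siz bytes or longer overflows the buffer the PEM library hands to the callback; test the length first and fail the way the quoted callback.doc prescribes, e.g. `if( siz <= strlen(pass) ) return -1;` ahead of the copy. Two smaller points in the same function: the failure-branch format string uses `%S` where `%s` is meant, and siz and vrfy are left to K&R's implicit int, so declaring `int siz, vrfy;` in all three definitions and giving them an explicit `static int` return type makes the callback type visible to the reader and the compiler.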
***************
*** 300,305 ****
--- 327,338 ----
  			do_conSSL = 1;
  		}
  	}
+ 	if( env = getenv("SSL_KEY_PASSWD") )
+ 		sv_pass = cl_pass = env;
+ 	if( env = getenv("SSL_CLIENT_KEY_PASSWD") )
+ 		cl_pass = env;
+ 	if( env = getenv("SSL_SERVER_KEY_PASSWD") )
+ 		sv_pass = env;
  
  	PID = getpid();
  	if( (client_host = getenv("REMOTE_HOST")) == 0 )
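Review bot: the three getenv() assignments leave the passphrase in the process environment for the rest of sslway's life, where it is readable by any process running as the same user (`ps eww`, /proc/<pid>/environ) and inherited by anything sslway exec()s; after taking a copy of the value, remove the variable (unsetenv()) so only sv_pass/cl_pass hold it. Also, `env` is assigned here but not declared in this hunk; if main() does not already have a `char *env;` it needs one.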
***************
*** 375,380 ****
--- 408,414 ----
  
  	if( do_conSSL ){
  		ctx = ssl_new();
+ 		SSL_CTX_set_default_passwd_cb(ctx,cl_passwd);
  		if( cipher_list )
  			SSL_CTX_set_cipher_list(ctx,cipher_list);
  		if( 0 <= open(cl_key ,0) && 0 <= open(cl_cert,0) )
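Review bot: cl_passwd is handed to SSL_CTX_set_default_passwd_cb() here, but it is defined K&R-style above with no prototype in scope, so the compiler cannot check it against the callback type the SSLeay header declares; add `static int cl_passwd(char *buf, int siz, int vrfy);` (and the sv_passwd counterpart) near the top of the file. The two open() calls on the following line are only an existence test and their descriptors are never closed; since this hunk touches the same block, replacing them with access(cl_key, R_OK) would close that pre-existing leak in passing.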
***************
*** 386,391 ****
--- 420,426 ----
  
  	if( do_accSSL ){
  		ctx = ssl_new();
+ 		SSL_CTX_set_default_passwd_cb(ctx,sv_passwd);
  		if( cipher_list )
  			SSL_CTX_set_cipher_list(ctx,cipher_list);
  		if( ssl_keycert(ctx,sv_key,sv_cert) < 0 )
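Review bot: once ssl_keycert() has loaded the key the passphrase is no longer needed, yet sv_pass (and cl_pass in the previous hunk) keep pointing at it for the lifetime of the process; after a successful ssl_keycert() overwrite the string and null the pointer so a later memory disclosure or core dump does not hand out the key passphrase. When ssl_keycert() fails because sv_passwd returned -1, the only diagnostic is the ERROR() line inside _passwd(); the failure path here should say that SSL_SERVER_KEY_PASSWD/SSL_KEY_PASSWD was not set.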
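The callback contract quoted from callback.doc above, together with the passphrase-via-environment scheme the patch adds, carried out in a small stand-alone C program. This is an added example, not code from DeleGate, sslway or the posted patch: it does not link against SSLeay/OpenSSL, so simulate_pem_read() stands in for the PEM library's call site, and the variable name SSL_KEY_PASSWD, the function names and the g_pass global are assumptions of the example. Unlike the patch's strcpy(), the callback refuses a passphrase that does not fit the num-byte buffer, and the loader removes the variable from the environment and wipes its copy once the key is loaded.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Passphrase source for the callback.  In sslway this is what sv_pass /
 * cl_pass hold; here load_key_passwd_from_env() fills it (assumed design). */
static char *g_pass = NULL;

/* Copy a C string into fresh heap memory (strdup() is POSIX, not ISO C). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* PEM password callback with the SSLeay 0.9.0b prototype quoted above:
 * int cb(char *buf, int num, int verify).  Returns the number of bytes
 * placed in buf, or -1 (<= 0 is an error) when no passphrase is set or
 * it would not fit in the num-byte buffer. */
static int key_passwd_cb(char *buf, int num, int verify)
{
    size_t len;
    (void)verify;                 /* only meaningful when writing an encrypted key */
    if (g_pass == NULL)
        return -1;                /* nothing configured: let the PEM load fail */
    len = strlen(g_pass);
    if (num <= 0 || len >= (size_t)num)
        return -1;                /* would overflow buf: refuse instead of strcpy() */
    memcpy(buf, g_pass, len + 1); /* len < num, so the NUL fits too */
    return (int)len;
}

/* Read the passphrase from environment variable `name`, then remove the
 * variable so child processes and /proc/<pid>/environ no longer expose it.
 * Returns 1 when a non-empty passphrase was loaded, 0 otherwise. */
static int load_key_passwd_from_env(const char *name)
{
    const char *v = getenv(name);
    if (v == NULL || *v == '\0')
        return 0;
    g_pass = dup_str(v);
    unsetenv(name);
    return g_pass != NULL;
}

/* Overwrite and free the passphrase once the key has been loaded.  The
 * volatile writes keep the compiler from dropping the wipe as a dead store. */
static void clear_key_passwd(void)
{
    if (g_pass != NULL) {
        volatile char *p = g_pass;
        size_t i, n = strlen(g_pass);
        for (i = 0; i < n; i++) p[i] = 0;
        free(g_pass);
        g_pass = NULL;
    }
}

/* Stand-in for the PEM library's call site: hands the callback a
 * bufsize-byte buffer, copies a successful result to `out`, and returns
 * the callback's return value. */
static int simulate_pem_read(int bufsize, char *out, size_t outsz)
{
    size_t alloc = bufsize > 0 ? (size_t)bufsize : 1;
    char *buf = malloc(alloc);
    int n;
    if (buf == NULL) return -1;
    n = key_passwd_cb(buf, bufsize, 0);
    if (n > 0 && out != NULL && outsz > 0) {
        strncpy(out, buf, outsz - 1);
        out[outsz - 1] = '\0';
    }
    memset(buf, 0, alloc);
    free(buf);
    return n;
}

int main(void)
{
    char got[64];
    /* constructed sample: stands in for the operator exporting SSL_KEY_PASSWD */
    setenv("SSL_KEY_PASSWD", "correct horse", 1);
    printf("loaded from env: %d\n", load_key_passwd_from_env("SSL_KEY_PASSWD"));
    printf("variable after load: %s\n",
           getenv("SSL_KEY_PASSWD") ? "still set" : "cleared");
    printf("64-byte buffer: %d\n", simulate_pem_read(64, got, sizeof got));
    printf("8-byte buffer:  %d\n", simulate_pem_read(8, got, sizeof got));
    clear_key_passwd();
    printf("no passphrase:  %d\n", simulate_pem_read(64, got, sizeof got));
    return 0;
}
```

The length check is the part that matters for the patch: the PEM library decides the buffer size, not the caller, so a callback that copies blindly turns an over-long operator-supplied passphrase into a stack or heap overwrite inside the filter process. Returning -1 makes the key load fail loudly instead.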
