Forum: NGINX Old topic ssl private key with passphrase

7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-04-23 17:34
(Received via mailing list)
Dear nginx developers.

What is necessary that you take hands on the topic 'private key
passphrase'?

e.g.: http://trac.nginx.org/nginx/ticket/433

[ ] donation
[ ] time
[ ] leasure
[ ] other: ......

Maybe not as much options as in apache httpd

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html...

but at least one.

I found this entry in the ml from 2012, is this a possible solution for
nginx OSS core?

http://marc.info/?t=131494347400003&r=1&w=2

Maybe you can start again a nginx deployments survey as in 01.2013,
to see what a year later the new or old goals of the nginx community is.

http://mailman.nginx.org/pipermail/nginx/2013-Janu...

Best regards
Aleks
40b4c848b8fcd63b0cb60b9d170c3a77?d=identicon&s=25 Valentin V. Bartenev (Guest)
on 2014-04-23 18:06
(Received via mailing list)
On Wednesday 23 April 2014 17:34:10 Aleksandar Lazic wrote:
[..]
>
> Maybe you can start again a nginx deployments survey as in 01.2013,
> to see what a year later the new or old goals of the nginx community is.
>
> http://mailman.nginx.org/pipermail/nginx/2013-Janu...
>

There is one already started:
http://nginx.com/blog/think-nginx/

  wbr, Valentin V. Bartenev
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-04-23 18:19
(Received via mailing list)
Hello!

On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:

>
> Maybe not as much options as in apache httpd
>
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html...
>
> but at least one.

Igor explained his position on this more than once: unless you are
actually using something external to enter key passwords, there is no
difference with unencrypted keys from security point of view
(assuming proper access rights are used for keys).  And as far as
we know, no or almost no users of Apache's SSLPassPhraseDialog use
it this way, most just use "echo 'password'" or something like.

So the question is: why do you need it?

(I'm aware of at least one more or less valid answer which almost
convinced me that we should add it, but it's not about security,
but rather about social engineering.)

> I found this entry in the ml from 2012, is this a possible solution for
> nginx OSS core?
>
> http://marc.info/?t=131494347400003&r=1&w=2

No.

--
Maxim Dounin
http://nginx.org/
7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-04-23 20:26
(Received via mailing list)
Am 23-04-2014 18:06, schrieb Valentin V. Bartenev:
> There is one already started:
> http://nginx.com/blog/think-nginx/

Sorry how could I missed this ;-)

BR Aleks
7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-04-23 20:33
(Received via mailing list)
Hi.

Am 23-04-2014 18:19, schrieb Maxim Dounin:
> Hello!
>
> On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:
>
>> Dear nginx developers.
>>
>> What is necessary that you take hands on the topic 'private key
>> passphrase'?

[snipp]

> Igor explained his position on this more than once: unless you are
> actually using something external to enter key passwords, there is no
> difference with unencrypted keys from security point of view
> (assuming proper access rights are used for keys).  And as far as
> we know, no or almost no users of Apache's SSLPassPhraseDialog use
> it this way, most just use "echo 'password'" or something like.

Full ack ;-/

I also agree that this is a very hard task.

> So the question is: why do you need it?

If you want to get a specific certificate for some standars.

> (I'm aware of at least one more or less valid answer which almost
> convinced me that we should add it, but it's not about security,
> but rather about social engineering.)

Maybe some standards could be a valid reason.

https://en.wikipedia.org/wiki/PCI_DSS

https://www.pcisecuritystandards.org/pdfs/pci_ssc_...

e. g.

####
8.2
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public
keys).
####

BR
Aleks
1266aa99d1601b47bbd3ec22affbb81c?d=identicon&s=25 B.R. (Guest)
on 2014-04-23 23:05
(Received via mailing list)
Igor and Maxim positions, I suppose, are based on the fact that, unless
using an external system to authenticate the user of a certificate,
storing
both certificate + passphrase on thel same system, accessed by the same
user (the one running nginx which loads the certificate and needs to
decrypt it) has the same level of security that dealing with an
unencrypted
certificate and provide a false sense of securilty.

Isolation of independent parts of a security system is a very basic
notion
of security based on common sense. The standards you quote are based on
those.
---
*B. R.*
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-04-24 10:55
(Received via mailing list)
Hello!

On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar Lazic wrote:

> >>passphrase'?
> Full ack ;-/
>
> I also agree that this is a very hard task.
>
> >So the question is: why do you need it?
>
> If you want to get a specific certificate for some standars.

Well, that's not about security either, and completely
non-technical.

I've seen "certifications" requiring to use software with known
remote code execution vulnerabilities, and I'm quite sceptical
about doing something just because of certification requirements,
without understanding the reasons behind them (if any).

Anyway, if you know a standard which requires storing of
keys in password-protected forms only - please point it out.

> e. g.
>
> ####
> 8.2
> Employ at least one of these to authenticate all users: password or
> passphrase; or two-factor
> authentication (e.g., token devices, smart cards, biometrics, public keys).
> ####

This doesn't look related at all.  It's about authentication of
users, not about storage of private keys.

--
Maxim Dounin
http://nginx.org/
7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-04-24 13:03
(Received via mailing list)
Hi.

Am 24-04-2014 10:54, schrieb Maxim Dounin:
> Hello!
>
> On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar Lazic wrote:
>
>> Hi.
>>
>> Am 23-04-2014 18:19, schrieb Maxim Dounin:

[snipp]

> remote code execution vulnerabilities, and I'm quite sceptical
> about doing something just because of certification requirements,
> without understanding the reasons behind them (if any).
>
> Anyway, if you know a standard which requires storing of
> keys in password-protected forms only - please point it out.

Okay.

BR Aleks
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.