Using passphrase protected ssl key files?


Shawn

Dec 16, 2008, 5:12:42 PM12/16/08
to cherrypy-users
Greetings,

It's great that CherryPy has native support for SSL now. However, it
would appear that it doesn't support encrypted private server keys
like Apache does.

Apache lets you be prompted on the command-line for the passphrase, or
alternatively exec an external program to provide the passphrase on
startup. [1]

Is there some way to specify the passphrase for the private key that
I've missed?

-Shawn

[1] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog

Shawn

Dec 16, 2008, 5:15:46 PM12/16/08
to cherrypy-users
On Dec 16, 4:12 pm, Shawn <binarycrusa...@gmail.com> wrote:
> Greetings,
>
> It's great that CherryPy has native support for SSL now. However, it
> would appear that it doesn't support encrypted private server keys
> like Apache does.
>
> Apache lets you be prompted on the command-line for the passphrase, or
> alternatively exec an external program to provide the passphrase on
> startup. [1]
>
> Is there some way to specify the passphrase for the private key that
> I've missed?

...and to be clear, I'm aware I will get prompted on the console. I'm
just looking for some way to provide it, either via the CherryPy
configuration info, through an API, via a hook, or some other
non-interactive way I've missed.

-Shawn

Keith Morrow

Dec 16, 2008, 7:02:50 PM12/16/08
to cherryp...@googlegroups.com

Well, I'm sure this wouldn't be the "traditional" way of doing this,
but you could always put your passphrase in a file with a newline,
then run your server as "python server.py < passphrase.txt".
When it shows up on the console, that should enter it in for you. It
would be nice to find a better fix, but in the meantime, that should
work for you.



Shawn

Dec 16, 2008, 7:35:26 PM12/16/08
to cherrypy-users
On Dec 16, 6:02 pm, "Keith Morrow" <nonti...@gmail.com> wrote:
> Well, I'm sure this wouldn't be the "traditional" way of doing this,
> but you could always put your passphrase in a file with a newline,
> then run your server as "python server.py < passphrase.txt".
> When it shows up on the console, that should enter it in for you. It
> would be nice to find a better fix, but in the meantime, that should
> work for you.

It doesn't. That was one of the first things I tried.

At the moment I'm looking at decrypting the file myself using an
unnamed temporary object and then passing the path to the
corresponding file descriptor to cherrypy.

-Shawn

Shawn

Dec 16, 2008, 11:02:56 PM12/16/08
to cherrypy-users
On Dec 16, 4:12 pm, Shawn <binarycrusa...@gmail.com> wrote:
> Is there some way to specify the passphrase for the private key that
> I've missed?

After a discussion with fumanchu, it seemed the best option was for me
to decrypt the server key myself if the user didn't want to
interactively enter the password, and then point CherryPy at the
decrypted key file. This snippet should be helpful to those wanting
to do the same thing (it only works on *NIX-like platforms and has
only been tested on OpenSolaris):

    import subprocess
    import sys
    import tempfile

    from OpenSSL import crypto

    # Assumed to be set earlier from the depot's configuration:
    # ssl_dialog (the exec-style passphrase command), port and
    # ssl_key_file (path to the encrypted PEM key).

    def get_ssl_passphrase(*ignored):
        # pyOpenSSL calls this with arguments we don't need; run the
        # configured passphrase dialog and hand back what it prints.
        p = retcode = None
        try:
            cmdline = "%s %s %d" % (ssl_dialog, "''", port)
            p = subprocess.Popen(cmdline, shell=True,
                                 stdout=subprocess.PIPE, stderr=None)
            retcode = p.wait()
        except Exception, e:
            print "pkg.depotd: an error occurred while " \
                  "executing [%s]; unable to obtain the " \
                  "passphrase needed to decrypt the SSL " \
                  "private key file: %s" % (ssl_dialog, e)
            sys.exit(1)
        return p.stdout.read().strip("\n")

    # The key file requires decryption, but the user has requested
    # exec-based authentication, so it will have to be decoded first
    # to an un-named temporary file.
    try:
        key_file = file(ssl_key_file, "rb")
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                      key_file.read(), get_ssl_passphrase)

        key_data = tempfile.TemporaryFile()
        key_data.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
        key_data.seek(0)
    except EnvironmentError, e:
        print "pkg.depotd: unable to read the SSL private " \
              "key file: %s" % e
        sys.exit(1)
    except crypto.Error, e:
        print "pkg.depotd: authentication or cryptography " \
              "failure while attempting to decode\nthe SSL " \
              "private key file: %s" % e
        sys.exit(1)
    else:
        # Redirect the server to the decrypted key file.
        ssl_key_file = "/dev/fd/%d" % key_data.fileno()

Thanks,
-Shawn
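The approach from Shawn's last post, reworked as an added example (not code from the thread or from CherryPy) in Python 3 with the openssl CLI standing in for pyOpenSSL: the passphrase comes from an external dialog command, the decrypted key never gets a pathname, and the TLS stack is pointed at /dev/fd/N. It assumes the openssl binary is on PATH; the key, certificate, passphrase and dialog command are constructed for the demonstration.

```python
import os
import ssl
import subprocess
import tempfile

def get_ssl_passphrase(dialog_cmd):
    """Run an external passphrase dialog (Apache exec: style) and return
    the first line it prints, without the trailing newline."""
    out = subprocess.run(dialog_cmd, shell=True, check=True,
                         stdout=subprocess.PIPE).stdout
    return out.decode().split("\n", 1)[0]

def decrypt_key_to_fd(encrypted_key_path, passphrase):
    """Decrypt a passphrase-protected PEM key with the openssl CLI and park
    the plaintext in an unnamed temp file.  Returns (file, "/dev/fd/N"); the
    alias resolves only in this process (or a child that inherits the fd).
    The passphrase goes over stdin, never on argv where `ps` would show it."""
    plain = subprocess.run(
        ["openssl", "pkey", "-in", encrypted_key_path, "-passin", "stdin"],
        input=passphrase.encode() + b"\n", check=True,  # bad passphrase raises
        stdout=subprocess.PIPE).stdout
    key_data = tempfile.TemporaryFile()  # unlinked: no pathname on disk
    key_data.write(plain)
    key_data.flush()  # bytes must be visible to a re-open by path
    key_data.seek(0)  # /dev/fd shares the offset on some platforms
    return key_data, "/dev/fd/%d" % key_data.fileno()

def load_server_context(cert_path, encrypted_key_path, dialog_cmd):
    """Non-interactive startup: dialog -> decrypt -> hand /dev/fd/N to the
    TLS stack.  Keep key_data open as long as the path has to resolve.
    (Python 3.3+ could instead pass password= to load_cert_chain.)"""
    passphrase = get_ssl_passphrase(dialog_cmd)
    key_data, key_path = decrypt_key_to_fd(encrypted_key_path, passphrase)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_path, keyfile=key_path)  # no console prompt
    return ctx, key_data

def make_test_material(passphrase):
    """Constructed sample input: an AES-encrypted RSA key and a self-signed
    certificate for it, generated with the openssl CLI in a fresh temp dir."""
    d = tempfile.mkdtemp()
    key, cert = os.path.join(d, "enc.key"), os.path.join(d, "cert.pem")
    pw = passphrase.encode() + b"\n"
    subprocess.run(["openssl", "genrsa", "-aes256", "-passout", "stdin",
                    "-out", key, "2048"], input=pw, check=True,
                   stderr=subprocess.DEVNULL)
    subprocess.run(["openssl", "req", "-x509", "-new", "-key", key,
                    "-passin", "stdin", "-subj", "/CN=example.test",
                    "-days", "1", "-out", cert], input=pw, check=True)
    return key, cert
```

The /dev/fd alias is per-process: a child that should read it must inherit the descriptor (subprocess's pass_fds), otherwise the path fails to open.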