Bug 66016 - The passphrase for TLS private key password encryption is stored in plaintext
Summary: The passphrase for TLS private key password encryption is stored in plaintext
Status: RESOLVED INVALID
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-19 10:30 UTC by SkyFly222
Modified: 2022-05-06 01:54 UTC
Description SkyFly222 2022-04-19 10:30:49 UTC
The passphrase for TLS private key password encryption is stored in plaintext, so there is still a risk of information leak; this does not comply with the security regulations of commercial scenarios. Maybe HTTPD should implement some more secure way to store sensitive configurations.

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
    SSLCertificateFile /etc/server.crt
    SSLCertificateKeyFile /etc/server.key
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</IfModule>
Comment 1 Joe Orton 2022-04-26 14:59:50 UTC
I'm not sure what "password encryption is stored in plaintext" means.

With mod_ssl you can do any of:

a) use a plaintext-on-disk key file
b) use an encrypted-on-disk key file which is unencrypted in memory using a passphrase supplied at startup
c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)
Comment 2 SkyFly222 2022-05-06 01:54:45 UTC
(In reply to Joe Orton from comment #1)
> I'm not sure what "password encryption is stored in plaintext" means.
> 
> With mod_ssl you can do any of:
> 
> a) use a plaintext-on-disk key file
> b) use an encrypted-on-disk key file which is unencrypted in memory using a
> passphrase supplied at startup
> c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
    SSLCertificateFile /etc/server.crt
    SSLCertificateKeyFile /etc/server.key
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</IfModule>

When apache starts, /etc/server.key is plaintext.
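Option b from comment 1 worked through, as an added example (shell, not code from the bug report or the httpd project): the plaintext key is re-wrapped under a passphrase, and the passphrase is handed to httpd at startup by a small provider named via SSLPassPhraseDialog exec:. The scratch directory $WORK, the provider script name and the passphrase value are constructed for the demo.

```shell
# Added example: encrypted-on-disk key + "SSLPassPhraseDialog exec:" provider.
# Everything under $WORK is a constructed demo path, not a real deployment.
set -e
WORK="${TMPDIR:-/tmp}/modssl-passphrase-demo"
mkdir -p "$WORK"

# A throwaway 2048-bit RSA key standing in for the plaintext /etc/server.key.
make_plaintext_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
}

# Re-wrap the key as PKCS#8 encrypted with AES-256-CBC under passphrase $1,
# so the file on disk no longer holds the raw key material.
encrypt_key() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/server.key" \
        -passout "pass:$1" -out "$WORK/server.key.enc" 2>/dev/null
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/server.key.enc"
}

# Passphrase provider: httpd runs it at startup with "servername:port" and the
# key type as arguments and reads the passphrase from its stdout. This demo
# reads an owner-only file; a secrets-manager client would go in its place.
write_provider() {
    rm -f "$WORK/passphrase.txt" "$WORK/getpass.sh"
    printf '%s\n' "$1" > "$WORK/passphrase.txt"
    chmod 0400 "$WORK/passphrase.txt"
    cat > "$WORK/getpass.sh" <<'EOF'
#!/bin/sh
# $1 = servername:port, $2 = key type; both ignored by this demo provider.
cat "$(dirname "$0")/passphrase.txt"
EOF
    chmod 0500 "$WORK/getpass.sh"
}

# Mirror what mod_ssl does at startup: unlock the encrypted key using only the
# provider's output. Succeeds only if the unlocked key matches the original.
check_provider_unlocks_key() {
    pass=$("$WORK/getpass.sh" localhost:443 RSA)
    orig=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
    dec=$(openssl pkey -in "$WORK/server.key.enc" -passin "pass:$pass" \
        -pubout 2>/dev/null) || return 1
    [ -n "$dec" ] && [ "$orig" = "$dec" ]
}

# The two directives that replace the plaintext SSLCertificateKeyFile line.
write_httpd_conf() {
    printf 'SSLCertificateKeyFile %s\nSSLPassPhraseDialog exec:%s\n' \
        "$WORK/server.key.enc" "$WORK/getpass.sh" > "$WORK/ssl-key.conf"
}
```

As comment 1 says, the key is still unencrypted in memory once httpd has started; this only keeps it off the disk in the clear and moves the secret to whatever the provider consults. If the key must never leave a device, option c (a PKCS#11 module) is the one to look at.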