develooper Front page | perl.libwww | Postings from August 2003

Re: HTTPS requests and PKCS12 keybags

Thread Previous
From:
Josh Chamas
Date:
August 25, 2003 13:32
Subject:
Re: HTTPS requests and PKCS12 keybags
Message ID:
3F4A71FD.4060307@chamas.com
Svein E. Seldal wrote:
> Hello,
> 
> I'm using your Crypt::SSLeay, and I'm very happy this works. Thank you 
> very much for this!!
> 
> We have this intraweb-server that requires the clients to be 
> authenticated with the means of client certificates. These client 
> certificates are distributed to the users in PKCS12 keybags. Each bag 
> contains the user's private key, the user's cert, the web-server cert 
> and the CA's cert.
> 
> 1) Is the PEM pass phrase password dialogue (when $ENV{HTTPS_KEY_FILE} 
> is used) safe? Is it stored in any enviromentvariable which make it unsafe?
> 
> I have been testing Crypt::SSLeay with PKCS12 files mentioned abover, 
> but it doesnt seem to work unless you specify the 
> $ENV{HTTPS_PKCS12_PASSWORD}. No password input dialogue is show. Nor do 
> I want to create my own password input routine, and store it in this 
> environment variable because of the security issues involved.
> 

Sorry, since this message did not have Crypt::SSLeay in the subject,
I missed it earlier, but just saw it now in the archives.

With regards to the security issue of setting something in %ENV,
you might try

   local $ENV{HTTPS_PKCS12_PASSWORD} = ...

It may be that this will not actually set this in such a way as there
may be a security risk, I am not sure.

There is a limit in the message passing interface down to Net::SSL
of Crypt::SSLeay, mostly because we have never had a nice API to pass
arguments down through LWP to the Net::SSL object that gets created.
So we pass all the configuration through %ENV unfortunately.

Regards,

Josh
________________________________________________________________
Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.                http://www.chamas.com
NodeWorks Link Checker                 http://www.nodeworks.com


Thread Previous


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About