Re: (ITS#8485) [PATCH] Adding support for encrypted server private keys

ahnolds@gmail.com wrote:
> Full_Name: Alec Cooper
> Version: HEAD of master branch
> OS: Ubuntu Linux 16.04
> URL: ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch
> Submission from: (NULL) (
> Adding support for encrypted server private keys.

Thank you for your submission. I must compliment you on providing such a 
comprehensive and well-written contribution. Unfortunately the feature itself 
is clearly not useful. Perhaps you should have raised this topic on the 
openldap-devel list for discussion before spending your time writing it.

All your feature does is embed the encryption key in the filesystem, so an 
encrypted private key is still no more secure than an unencrypted one. It 
still just depends on setting proper file access permissions, and the current 
documentation already makes that point.

Indeed, all it does is give the false illusion of enhancing security, and 
followups like balmerpeak92@gmail.com's show that people will easily fall for 
such illusions.

I regret having to reject such a well written contribution, but we cannot in 
good conscience accept a security feature that doesn't actually improve security.

> The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and tls_o.c to
> send a password to the underlying TLS library.
> Changes to ldap.h, init.c and ldap-int.h expose the new
> Changes in the contrib/ldapc++ directory expose the corresponding
> TlsOptions::KEYPASSWORD option in the C++ API.
> Changes in the servers directory expose equivalent options for servers as
> configuration file entries or environment variables.
> Changes in the doc directory add documentation about the new options and remove
> statements that indicated that encrypted keyfiles are not supported.
> New files in the test directory are for testing TLS connections, both in general
> and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM
> formatted certs and keys, and for MozNSS using cert/key databases. The new unit
> test (test065-tls) has been written to detect when using NSS, and use the
> cert/key databases in this case. I have been unable to get a working version of
> libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles -
> testing for this case would be welcome!
> Notice of origin: The attached patch file is derived from OpenLDAP Software. All
> of the modifications to OpenLDAP Software represented in the following patch
> were developed by Alec Cooper ahnolds@gmail.com. I have not assigned rights
> and/or interest in this work to any party.
> Rights statement: I, Alec Cooper, hereby place the following modifications to
> OpenLDAP Software (and only these modifications) into the public domain. Hence,
> these modifications may be freely used and/or redistributed for any purpose with
> or without attribution and/or other notice.
> The patch has been uploaded to the OpenLDAP FTP server and can be found at
> ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/