libmicrohttpd

Re: [libmicrohttpd] SSL key passwords


From: Christian Grothoff
Subject: Re: [libmicrohttpd] SSL key passwords
Date: Thu, 12 Feb 2015 17:49:07 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.4.0

I'm not sure; that might create compilation errors even if the feature
is not used at all.  Essentially, if we do that, we propagate the
versioning issue, forcing MHD users to check GNUTLS-versions (layering
violation).  So that's somewhat ugly.  And developers that want to check
statically if the feature is supported naturally still _can_ do this.
Just forcing them to do it seems wrong.

So I think in this case, Andrew's patch is OK.  But it is clearly a bit
of a matter of taste.

On 02/12/2015 05:43 PM, Evgeny Grin wrote:
> Isn't it better to disable code for HTTPS_KEY_PASSWORD if GnuTLS < 3.0?
> And add MHD_FEATURE_HTTPS_KEY_PASSWORD?
> -- 
> Best Wishes,
> Evgeny Grin
> 12.02.2015, 19:37, "Andrew Basile" <address@hidden>:
>> Thank you, Christian Grothoff, for incorporating MHD_OPTION_HTTPS_KEY_PASSWORD
>> into the library!
>> I attempted to build the changes on an older platform (CentOS 6.6) and came
>> to realize that gnutls_certificate_set_x509_key_mem2(), the GnuTLS function
>> needed if specifying a password, is not available in earlier versions of the
>> GnuTLS library. So I added another preprocessor check, around that function
>> call, to verify that the GnuTLS version is 3 or above. If a password was
>> provided to MHD and the GnuTLS version is too old, then an error is
>> returned.
>> Attached are some simple code diffs, relative to the current SVN baseline,
>> for your consideration.
>>
>> Regards,
>>
>> Andrew Basile
>> Basile Enterprises <http://basileenterprises.com/>
>>> On Feb 6, 2015, at 9:14 PM, Andrew Basile <address@hidden
>>> <mailto:address@hidden>> wrote:
>>>
>>> In one of my projects, we are using MHD and need to support SSL encrypted
>>> private keys, with passwords. I ended up modifying the MHD code to support
>>> propagating, in addition to an SSL certificate and key, an SSL key password
>>> through to GnuTLS. With some relatively simple changes in place, the option
>>> MHD_OPTION_HTTPS_KEY_PASSWORD can be used when calling MHD_start_daemon() to
>>> specify a const char * password string. Also, another debug message is added
>>> in order to report the code returned by GnuTLS in the event the SSL
>>> certificate/key cannot be processed.
>

Attachment: signature.asc
Description: OpenPGP digital signature

