On 03/30/2017 09:04 AM, Sean Leonard wrote:
> IN PARTICULAR: both Apache and Ngnix may be subject to a private key
> substitution attack with naive passing of the ACME response to the web
> server! See:
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
> http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile
>
> The SSL Certificate option includes the option of including the
> private key in the same input: “A secret key in the PEM format may be
> placed in the same file.”
I tried to reproduce this, and I believe you are incorrect that a
private key substitution attack works.
For both Nginx and Apache, I created a file containing a PEM-encoded
certificate, and appended a PEM-encoded RSA private key corresponding to
the public key in the certificate. I then placed a different PEM-encoded
RSA private key in cert-key.pem. I configured the certificate with
ssl_certificate or SSLCertificateFile, respectively, and the key with
ssl_certificate_key or SSLCertificateKeyFile, respectively. For Apache,
I got:
[Wed Apr 26 21:45:50.094519 2017] [ssl:emerg] [pid 10967] AH02565:
Certificate and private key ocsp.test.wtf:8443:0 from
/home/jsha/ocsp-stapling-examples/cert.pem and
/home/jsha/ocsp-stapling-examples/cert-key.pem do not match
AH00016: Configuration Failed
For Nginx, I got:
2017/04/26 21:51:48 [emerg] 11164#11164:
SSL_CTX_use_PrivateKey_file("./cert-key.pem") failed (SSL:
error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch)
In neither case did the server successfully start up. Absent the private
key substitution attack, I don't see a strong argument against offering
certificates and chains in the very common PEM format by default.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
