More adventures with SSL, posted by Chuck Brost on Thu Jul 22 16:59:00 2010
    Re: More adventures with SSL, posted by Stefan Ritt on Wed Jul 28 16:38:07 2010
Message ID: 66857     Entry time: Thu Jul 22 16:59:00 2010     Reply to this: 66862
Icon: Warning  Author: Chuck Brost  Author Email: Brost_chuck@solarturbines.com 
Category: Bug report  OS: Windows  ELOG Version: 2.7.8 
Subject: More adventures with SSL 

Stefan,

Everything has been working great since we last spoke (Version 2.7.8), until InfoSec decided to change how the Certs were created. Now they come with a little bit of code in the .key file before the Hash. When I put the new .CRT and .KEY in the SSL folder, I am asked on starting Elogd to provide a "PEM PassPhrase". As you can expect, if you do not enter one, or enter the incorrect one, it does not just turn off SSL, it exits the program. The key begins like this in the new versions:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ACF4A8B263EAA51D

(That little encode piece on the end is not the actual one in the key. I am assuming it is a passphrase key so it will know what the right passphrase is that should be entered.)

We are assuming that this is the "Install password" they have set up to use to install the certs on all of the IIS servers we have. If that is indeed the case: Does Elog save this passphrase somewhere? Does Elog save it in the registry? Does it save it encrypted? Or with access security permissions set on the keys? I have a feeling that the answer to most of this is probably "no", but to know where we go from here, that is the place to start.

Thanks

Chuck
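
A pre-start check for the situation described in the post, as an added example (not part of the original post and not ELOG's own code): it reads a PEM key file and reports whether the private key is passphrase-protected, so the "PEM PassPhrase" prompt is caught before the daemon is launched. In the legacy format quoted above, the DEK-Info header carries the cipher name and the IV, not the passphrase. The function names and sample keys are constructed for illustration, and the check goes beyond the post's case by also recognising PKCS#8 `ENCRYPTED PRIVATE KEY` blocks.

```python
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def inspect_key(pem_text):
    """Describe the protection of every private-key block in a PEM file."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text.replace("\r\n", "\n")):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates and other blocks are not of interest
        # Legacy (RFC 1421 style) headers sit before the first blank line.
        headers = {}
        head, blank, _ = body.partition("\n\n")
        if blank:
            for line in head.splitlines():
                name, colon, value = line.partition(":")
                if colon:
                    headers[name.strip()] = value.strip()
        info = {"label": label, "encrypted": False, "cipher": None, "iv": None}
        if label == "ENCRYPTED PRIVATE KEY":
            info["encrypted"] = True  # PKCS#8: cipher parameters are inside the DER
        elif headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            info["encrypted"] = True
            cipher, _, iv = headers.get("DEK-Info", "").partition(",")
            info["cipher"], info["iv"] = cipher.strip() or None, iv.strip() or None
        results.append(info)
    return results

def needs_passphrase(pem_text):
    """True if any private key in the file would trigger a passphrase prompt."""
    return any(k["encrypted"] for k in inspect_key(pem_text))

# Constructed samples: headers as quoted in the post, bodies are dummy base64.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ACF4A8B263EAA51D

Y29uc3RydWN0ZWQ=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEGACY
    for key in inspect_key(text):
        print(key)
    sys.exit(1 if needs_passphrase(text) else 0)
```

Run with the path of the .key file as the only argument; an exit status of 1 means the key is passphrase-protected.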
