More adventures with SSL, posted by Chuck Brost on Thu Jul 22 16:59:00 2010
    Re: More adventures with SSL, posted by Stefan Ritt on Wed Jul 28 16:38:07 2010
Message ID: 66862     Entry time: Wed Jul 28 16:38:07 2010     In reply to: 66857
Icon: Reply  Author: Stefan Ritt  Author Email: 
Category: Bug report  OS: Windows  ELOG Version: 2.7.8 
Subject: Re: More adventures with SSL 

Chuck Brost wrote:


Everything has been working great since we last spoke (Version 2.7.8), until InfoSec decided to change how the certs were created. Now they come with a little bit of code in the .key file before the hash. When I put the new .CRT and .KEY in the SSL folder, I am asked on starting elogd to provide a "PEM pass phrase". As you can expect, if you do not enter one, or enter the incorrect one, it does not just turn off SSL; it exits the program. The key begins like this in the new versions:

Proc-Type: 4,ENCRYPTED

(That little encoded piece on the end is not the actual one in the key. I am assuming it is a pass phrase key so it will know what the right pass phrase is that should be entered.)

We are assuming that this is the "install password" they have set up to use to install the certs on all of the IIS servers we have. If that is indeed the case, does ELOG save this pass phrase somewhere? Does ELOG save it in the registry? Does it save it encrypted, or with access security permissions set on the keys? I have a feeling that the answer to most of this is probably "no", but to know where we go from here, that is the place to start.



The pass phrase should not be stored anywhere for security reasons. Actually, ELOG cannot store it encrypted, because strong encryption is a one-way encryption which cannot be reverted, so ELOG would have to store it in plain text, which is not good. Actually, all SSL web servers have this problem. See for example:

In Step 3 they tell you how to remove the pass phrase for Apache. The same holds true for ELOG.
