Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
 Back  |  Find  |  Login  |  Help 
icon4.gif   Incomplete SSL proxy instructions, insecure result., posted by Konstantin Olchanski on Fri Mar 22 19:41:31 2013 
    icon2.gif   Re: Incomplete SSL proxy instructions, insecure result., posted by Stefan Ritt on Wed Apr 3 17:11:06 2013 
Message ID: 67469     Entry time: Fri Mar 22 19:41:31 2013     Reply to this: 67472
Icon: Warning  Author: Konstantin Olchanski  Author Email: olchansk@triumf.ca 
Category: Bug report  OS: Linux  ELOG Version: 2.9.2 
Subject: Incomplete SSL proxy instructions, insecure result.  
The instructions for securing elogd using an SSL proxy are incomplete.
http://midas.psi.ch/elog/adminguide.html#secure
http://midas.psi.ch/elogs/contributions/11

If you follow these instructions, elogd will still listen for and accept non-SSL connections on it's own TCP port bypassing the SSL proxy.

(True, the elogd TCP port number is somewhat secret, so there is some security-by-obscurity here).

To secure the elogd TCP port against connections that bypass the SSL proxy, elogd has to be started
with the "-n localhost" command line options.

To add this option, one has to edit /etc/init.d/elogd. I do not know if this change will be lost when the elog rpm package is updated.

It would be better if this option could have been specified through elogd.conf.

The "-n" command line option is not documented here
http://midas.psi.ch/elog/adminguide.html#config
but is visible if you run "elogd -h".

P.S. Even with "-n localhost", users of the local machine can bypass the SSL proxy.

K.O.
ELOG V3.1.5-fe60aaf