Re: scripting creating a cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:

   $ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I needed:

chmod 640 for the private keys for Apache.  (and postfix and others use these certs; at least they are in their confs)
I strive to avoid the private disclosure race of first creating
a world-readable file, and then trying to do a quick chmod before
the bad guys get around to opening it.  That's why I recommend the
umask approach.

You can adjust the umask to suit your needs.  With OpenSSL 1.1.0,
if I recall correctly "keyout" files and the like are automatically
opened mode "0600". Rich Salz, who wrote the CLI option processing
code for 1.1.0 will correct me, if my memory if faulty.  There are
still a lot of users with 1.0.2 or earlier, and OpenSSL cannot
always figure out which files end up having private keys in them,
so the umask approach is a good precaution to keep using.

And Rich and I sit down and talk about things all the time at IETF. This time we will have some other items to discuss.

And since this will go into a world-readable (eventually) howto, this is good advice that I will work on incorporating.

Thanks

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux