At 04:29 PM 7/9/2003 +0200, gianni writeth:
>Thomas J. Hruska wrote:
>>You can also hack OpenSSL to accept input from stdin instead of whatever it
>>defaults to on your platform...I did that a long time ago for Win32 and I
>>remember it wasn't what I would call "fun", so I recommend avoiding that
>>particular route (although, it does offer some additional security since it
>>doesn't use the hard drive - unless you are low on RAM).  Note, however,
>>this approach doesn't protect the system from a hook into pipe()...but
>>that's a whole other security issue - that is, if your users can modify the
>>system's Run-Time Libraries, you've got more problems than just someone
>>hooking into pipe() to get OpenSSL configuration information.
>
>
>Using the config file is the only way to generate a request without
>prompting. The information to protect is the password used to encrypt the
>generated private key (or to access a given private key). If you don't want
>to use the -passin (-passout) option and a pipe (quite hard from a web
>application I guess) a solution (for Win32) could be a utility like sdelete
>http://www.sysinternals.com/ntw2k/utilities.shtml.


Your first sentence is not true.  Hacking OpenSSL itself to accept stdin by
default is another way to do it and will accept all information as well as a
plain-text password on stdin (I have done this).  Although, a separate
executable is a good idea to handle the processing (if you can modify the
executable's environment from your scripting language - Nuclear Vision
v1.2's NVEXEC tag will allow for this), otherwise you get to revert to the
flat-file approach that's been discussed.  If using PHP, you will probably
have to use some of the more "experimental" APIs to get the 'stdin'
approach to work.

Hope this helps!


          Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow programmers"
                  http://www.shininglightpro.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
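The pipe-plus-config-file route the two posters are discussing, written out as an added example (it is not code from either poster or from the OpenSSL project). It assumes the stock openssl command-line tool is on PATH; the working directory, config file name, DN values and passphrase are all constructed for the example. The passphrase reaches openssl through a pipe and -passout stdin, so it is never written to disk (nothing to sdelete afterwards) and never appears on the command line (a pass:... argument is visible to other users in the process list). The config file's prompt = no, together with -batch, is what keeps req from prompting for the subject fields. The example goes slightly beyond the thread by also showing how to confirm the result: the key must open only with the right passphrase, and the CSR's self-signature must verify.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is on
# PATH. All file names, DN values and passphrases are made up for the example.

WORK="${WORK:-$(mktemp -d)}"

# "prompt = no" makes req take every DN field from the [dn] section instead
# of asking on the terminal, so the request is generated without interaction.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn

[ dn ]
C  = US
O  = Example Org (constructed)
CN = example.invalid
EOF
}

# $1 = passphrase. It is written to openssl's stdin through the pipe;
# "-passout stdin" tells req to read the key-encryption passphrase from there,
# so the secret is neither on argv nor in a file.
gen_key_and_csr() {
  write_req_config
  printf '%s\n' "$1" | openssl req -new -batch \
    -config "$WORK/req.cnf" \
    -newkey rsa:2048 -keyout "$WORK/key.pem" -passout stdin \
    -out "$WORK/req.pem" 2>/dev/null
}

# $1 = passphrase. Returns 0 only if the generated key decrypts with it,
# which confirms the key really was encrypted under the passphrase we sent.
key_opens_with() {
  printf '%s\n' "$1" | openssl pkey -in "$WORK/key.pem" -passin stdin -noout 2>/dev/null
}

# Returns 0 if the CSR's self-signature verifies against its embedded public key.
csr_is_valid() {
  openssl req -in "$WORK/req.pem" -noout -verify >/dev/null 2>&1
}
```

From a web application the same shape applies: spawn openssl with its stdin connected to a pipe owned by the application and write the passphrase to that pipe, rather than materialising it in a temporary file or interpolating it into the command string.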