Openssl can't read SMIME_PASS environment variable

I have problems making S/MIME work with RT 4.2.7

My environment consists of Debian testing, RT 4.2.7, Apache 2.4.10,
mod_perl 2.0.9

In /lib/RT/Crypt/SMIME.pm, when trying to send a signed message, RT
reads the passphrase from the config file correctly (tested), and sets
it in $ENV{‘SMIME_PASS’}.

However, when calling openssl with safe_run_child(run3()), the openssl
process cannot find the environment variable:

[13565] [Thu Oct 30 09:05:26 2014] [debug]: openssl command:
/usr/bin/openssl smime -sign -signer .pem -inkey .pem -passin
env:SMIME_PASS|/usr/bin/openssl smime -encrypt -des3 /tmp/NVTeGADmSO
(/usr/local/share/request-tracker4/lib/RT/Crypt/SMIME.pm:383)
[13565] [Thu Oct 30 09:05:26 2014] [debug]: openssl stderr: Can’t read
environment variable SMIME_PASS Error getting password unable to write
’random state’ (/usr/local/share/request-tracker4/lib/RT/Crypt/SMIME.pm:384)

I think the underlying reason is that mod_perl by default don’t pass
%ENV to child processes unless they are specifically stated in the
site configuration:

Anyone knows if this works with FastCGI or other web server different
from Apache?
What would be a (secure) alternative for passing the passphrase to
openssl? STDIN? another file descriptor?

Thank you in advance.

Marcos.

I have problems making S/MIME work with RT 4.2.7

My environment consists of Debian testing, RT 4.2.7, Apache 2.4.10,
mod_perl 2.0.9

That’s fascinating, as the latest release is mod_perl 2.0.8:

http://perl.apache.org/download/index.html
http://apache.org/dist/perl/

…and I’m unaware of any release which works against Apache 2.4.x.

I think the underlying reason is that mod_perl by default don’t pass
%ENV to child processes unless they are specifically stated in the
site configuration:

Probably.

Anyone knows if this works with FastCGI or other web server different
from Apache?

Works fine with FastCGI. In addition to filehandle, environment, and
occasional segfualt problems due to library linking, the lack of Apache
2.4 support is closing on the final nail in the coffin for mod_perl
support. It should not be anyone’s fist choice of deployment option.

What would be a (secure) alternative for passing the passphrase to
openssl? STDIN? another file descriptor?

I’d choose “Use something less broken than mod_perl”.

  • Alex

Hi Alex,

That’s fascinating, as the latest release is mod_perl 2.0.8:

http://perl.apache.org/download/index.html
http://apache.org/dist/perl/

…and I’m unaware of any release which works against Apache 2.4.x.

It seems it’s not an official release yet, but the package is
available from the official Debian Jessie repos:
https://packages.debian.org/jessie/libapache2-mod-perl2

Anyone knows if this works with FastCGI or other web server different
from Apache?

Works fine with FastCGI. In addition to filehandle, environment, and
occasional segfualt problems due to library linking, the lack of Apache
2.4 support is closing on the final nail in the coffin for mod_perl
support. It should not be anyone’s fist choice of deployment option.

Noted. It may be good to add some mention to it in the documentation,
to prevent people that starts deploying RT to use it.

What would be a (secure) alternative for passing the passphrase to
openssl? STDIN? another file descriptor?

I’d choose “Use something less broken than mod_perl”.

Thank you, I will try.

Kind regards,
Marcos.