
List:       proftpd-users
Subject:    Re: [Proftpd-user] TLS Inside vs outside a FreeBSD jail
From:       TJ Saunders <tj () castaglia ! org>
Date:       2015-10-02 17:16:47
Message-ID: 1443806207.1736183.399785049.10519CAA () webmail ! messagingengine ! com

> If I test ProFTPD in the parent of a FreeBSD jail it is able to load the cert.
> 2015-10-02 09:27:37,953 hostname proftpd[66092] hostname: mod_tls/2.6: passphrase locked into memory
> 2015-10-02 09:27:37,954 hostname proftpd[66092] hostname: set core resource limits for daemon
> 
> When I try the same inside a jail (on the same host) the cert. cannot be loaded.
> 2015-10-02 09:34:36,451 hostname proftpd[67883] hostname: mod_tls/2.6: error locking passphrase into memory: Operation not permitted
> 
> Any ideas? Is this about shared memory?

Does proftpd refuse to start up in the jail, or does it just log the
above warning?  It *should* just log the warning, but start up
appropriately.

The "passphrase locked into memory" message happens because the mod_tls
module is attempting to ensure that the passphrase for the server
certificate is "locked" into memory, meaning that the page of memory
containing that passphrase should not be swapped out to disk by the OS. 
Failure to lock that page of memory shouldn't cause the server to fail
to start, however.  (Plus, it looks like I can improve this a little, by
ensuring that mod_tls only attempts to lock the passphrase into memory
when there is a passphrase.  Some sites use passphrase-less server
certificates, and mod_tls will still attempt to lock these "empty"
passphrases into memory when that is not needed.)

Hope this helps,
TJ
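
The behaviour TJ describes, as an added example rather than mod_tls or proftpd code: a passphrase is copied into its own page(s) and pinned with mlock(2) only when it is non-empty, a failed lock (such as the EPERM a FreeBSD jail returns) is handed back to the caller as a warning instead of a fatal error, and the buffer is scrubbed on release whether or not the lock succeeded. The `struct passphrase` type and the `passphrase_store`/`passphrase_release` names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for posix_memalign() and sysconf() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct passphrase {          /* hypothetical type for this example */
    char *buf;               /* page-aligned, NUL-terminated secret */
    size_t size;             /* bytes allocated: whole pages */
    size_t len;              /* secret length, excluding the NUL */
    int locked;              /* 1 if mlock() succeeded, else 0 */
};

/* Copy src into its own page(s) and try to lock them. A failed mlock() (EPERM in a
 * jail, ENOMEM past RLIMIT_MEMLOCK) is reported through *lock_errno but is not fatal:
 * the secret stays usable, merely swappable. Returns 0, or -1 if allocation failed. */
int passphrase_store(struct passphrase *p, const char *src, int *lock_errno)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), len = strlen(src);
    memset(p, 0, sizeof(*p));
    *lock_errno = 0;
    /* Round up to whole pages so the lock covers this secret and nothing else. */
    p->size = ((len + 1 + page - 1) / page) * page;
    if (posix_memalign((void **)&p->buf, page, p->size) != 0) {
        p->buf = NULL;       /* contents unspecified on failure */
        return -1;
    }
    memcpy(p->buf, src, len + 1);
    p->len = len;
    /* Only attempt the lock when there is actually a secret to protect. */
    if (len > 0) {
        if (mlock(p->buf, p->size) == 0)
            p->locked = 1;
        else *lock_errno = errno;   /* caller logs a warning and carries on */
    }
    return 0;
}

/* Scrub through a volatile pointer so the stores survive optimisation, then unlock and free. */
void passphrase_release(struct passphrase *p)
{
    if (p->buf != NULL) {
        volatile char *v = p->buf;
        for (size_t i = 0; i < p->size; i++) v[i] = 0;
        if (p->locked) munlock(p->buf, p->size);
        free(p->buf);
    }
    memset(p, 0, sizeof(*p));
}
```

Whether the lock succeeds depends on the environment (jail, container, RLIMIT_MEMLOCK), so callers should treat a non-zero `*lock_errno` exactly as mod_tls does: log it and keep going.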
