Posted by webkenny on August 17, 2012 at 1:15am
| Project: | Push Notifications |
| Version: | 7.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | webkenny |
| Status: | closed (fixed) |
Issue Summary
For maximum security, pem files can contain a passphrase. One simple line of code would allow this in the module in theory.
// Create a stream context.
$stream_context = stream_context_create();
// Set options on the stream context.
stream_context_set_option($stream_context, 'ssl', 'local_cert', $apns_cert);
+ stream_context_set_option($stream_context, 'ssl', 'passphrase', $passphrase);
The thinking here is we should probably either provide a form for an administrator or, possibly more secure, allow them to store it on the file system perhaps outside of docroot so the Drupal site can read the file.
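Review bot: the added `passphrase` line passes `$passphrase`, which is not defined anywhere in the lines shown, so the change should state where that value comes from and document it alongside the `local_cert` option. Consider wrapping the call in a check such as `if (!empty($passphrase))` so that sites whose pem file has no passphrase run exactly the code they run today.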
Thoughts?
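One way to implement the file-system option raised in this issue, as an added example (not the module's code and not the patch attached below): the passphrase is read from a file outside the docroot and set on the context only when it is non-empty. The function names and paths are hypothetical.

```php
<?php
// Added example; function names and paths are hypothetical.

// Read the pem passphrase from a file kept outside the docroot.
// Returns '' when no file is configured, so pem files without a
// passphrase keep working unchanged.
function example_apns_read_passphrase($path) {
  if ($path === NULL || $path === '') {
    return '';
  }
  clearstatcache(TRUE, $path);
  if (!is_file($path) || !is_readable($path)) {
    throw new RuntimeException('Passphrase file is missing or unreadable.');
  }
  // POSIX permission bits: refuse files that group or others can access.
  if ((fileperms($path) & 0077) !== 0) {
    throw new RuntimeException('Passphrase file is accessible to group or others.');
  }
  // Strip only the trailing newline an editor may have added.
  return rtrim(file_get_contents($path), "\r\n");
}

// Build the stream context; the passphrase option is set only when needed.
function example_apns_stream_context($apns_cert, $passphrase_file = NULL) {
  $ssl = array('local_cert' => $apns_cert);
  $passphrase = example_apns_read_passphrase($passphrase_file);
  if ($passphrase !== '') {
    $ssl['passphrase'] = $passphrase;
  }
  return stream_context_create(array('ssl' => $ssl));
}

// Constructed demo: a temporary file stands in for the real passphrase file.
$file = tempnam(sys_get_temp_dir(), 'apns');
file_put_contents($file, "constructed-passphrase\n");
chmod($file, 0600);
$context = example_apns_stream_context('/path/to/apns.pem', $file);
$options = stream_context_get_options($context);
echo isset($options['ssl']['passphrase']) ? "passphrase set\n" : "no passphrase\n";

chmod($file, 0644);
try {
  example_apns_read_passphrase($file);
}
catch (RuntimeException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($file);
```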
Comments
#1
Hey there. Thanks for opening this issue. I believe the issue here http://drupal.org/node/1728226 (Warning: stream_socket_client...) may have resulted in the same error message, but was probably caused by a server setting.
However, I know that all the tutorials for creating certificate files always included instructions to set a passphrase and then remove it at the end of the process. That's definitely the reason why I never ran into this issue. Thanks for educating me that you can set a passphrase with a single line.
In terms of storing the passphrase somewhere, I was going to ask you if there is a strong reason to not just store it in a Drupal variable. I'm concerned that asking people to store it outside of the docroot would make that a very hard task for a lot of users.
#2
No reason at all. I'm just being stupidly paranoid. Without the certificate the passphrase is useless and if someone has access to your file system, you have bigger problems to worry about. :) I can take this on. I'll code a patch for it to put an option in the admin screen.
#3
And without further ado, the patch against 7.x-1x - (I love working on this module, if you hadn't noticed. Ha!)
EDIT: I love it so much I muffed the last patch. :) New one coming.
#4
Ok, this one is against 7.x-1.x (the other was against master by accident) - Should be all set. Seems to work fine with and without a passphrase but it would be useful to test against a key which doesn't require one. I don't have access to that.
#5
Hey Kenny. You Rock!
Quick question, just to be sure: You need this patch to be tested with a key that has no passphrase, correct? Just want to make sure, since I'm only using certificates without a passphrase.
#6
Correct, that would be ideal. I've tested it without the passphrase in a passphrase environment and it fails as expected. Just wanted to also check in one that is the norm.
#7
Got it. I just tested it with a certificate that doesn't require a passphrase. With that certificate, it worked both ways, i.e. it didn't matter if a passphrase was used for a certificate that doesn't require a passphrase. I think that qualifies as "working", so that should be committed. I also finally figured out how to do the attribution correctly, check it out: http://drupalcode.org/project/push_notifications.git/commit/e5c6f1b08285...
#8
Awesome! On to our next improvement! :) (BTW, I think I figured out why I thought the pushes weren't being sent. Going to verify and I'll file another issue if needed)
#9
Automatically closed -- issue fixed for 2 weeks with no activity.