
Comments (7)

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
The directory /tmp/certificates exists and it has write permission for the shellinabox group.

Original comment by [email protected] on 12 Jul 2009 at 6:39

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
The Debian package already starts the daemon for you and if it can find the "openssl" binary, it stores self-signed certificates in "/var/lib/shellinabox".

If you don't want the daemon to be started automatically, you will need to disable it in "/etc/default/shellinabox". But then you need to figure out how to correctly set it up yourself, so I don't recommend that approach for most users.

If you then decide to start it manually, you have to make sure that the certificate directory has the right permissions. By default, shellinabox will drop privileges to become "nobody". So, if the directory isn't accessible by "nobody", shellinabox won't be able to serve encrypted connections. And that's most likely the problem you are seeing.

Of course, changing the directory to be owned by "nobody" would be a bad idea. Anybody who can become "nobody" would then be able to read your private keys.

Instead, you should create a dedicated user for the shellinabox daemon. And that's what the Debian package does for you. You will notice that after installing the package you have a "shellinabox" user. And that "/var/lib/shellinabox" is owned by "shellinabox".

You then also need to make sure that you pass the right command line flags to switch to this user.

In other words, if you use the default settings that the package configures after a "dpkg -i", and if "openssl" is available in "/usr/bin", things should work out of the box. Just point your browser to "http://localhost:4200/".

If that doesn't work, that would be a bug. But I'd need to know more details to figure out how your system is different from other Debian machines.

Original comment by [email protected] on 12 Jul 2009 at 6:49

  • Changed state: Invalid

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
I've also tried running SIAB with the same command line arguments mentioned on the man page:

" shellinaboxd -c certificates -g shellinaboxd

  If the certificates directory exists and is writable by the shellinaboxd group, self-signed SSL certificates will be generated in this directory. Running this command as root allows any user on the system to log in at http://localhost:4200/. Sessions will automatically be promoted to SSL/TLS."

The shellinaboxd group doesn't exist (I don't know if that's a typo in the man page, or a problem with the Debian package). So I used -g shellinabox (that's the group name created by the installer).

Then if I point the browser to http://localhost:4200/ I can log in without any problems. However, the session is never promoted to SSL/TLS (or at least the browser doesn't show any visual cues about that, like the URL changing to https or a warning about a self-signed certificate).

Original comment by [email protected] on 12 Jul 2009 at 7:03

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
Just to discard permission related problems, I've run chmod 777 /tmp/certificates, but I still get the same behaviour (i.e., http access works OK, but session doesn't get promoted to SSL).

Also, openssl is installed:

ii  openssl                                                       0.9.8c-4etch5

and the openssl command is available under /usr/bin

I'd be happy to provide any additional information required in order to diagnose this problem.

Original comment by [email protected] on 12 Jul 2009 at 7:10

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
Thank you for pointing out the misleading example in the manual page. I'll update that.

In the meantime, do you have Google Talk enabled? If so, that might be the easiest way to debug this issue, if you have a few minutes time.

Original comment by [email protected] on 12 Jul 2009 at 7:20

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
Installing SIAB on a virtual machine running Lenny seems to work. I say "seems" because I get a certificate.pem file under /tmp/certificates as soon as I run shellinaboxd -c /tmp/certificates -g shellinabox (on the Etch box, that file isn't created when issuing the same command).

However, when I access http://lennyhost:4200, the connection gets redirected to https, and then Firefox gives this message: "Firefox can't connect securely to lennyhost because the site uses a security protocol which isn't enabled" (I'm not quite sure about what that really means).

The certificate.pem file has a 0 byte length, so I guess that something must be wrong:

-r-------- 1 nobody shellinabox 0 2009-07-12 16:23 certificate.pem

Original comment by [email protected] on 12 Jul 2009 at 7:29

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on August 24, 2024
If I create the certificate manually under /var/lib/shellinabox by running openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -out certificate.pem  -subj '/CN=localhost/', and then run SIAB using the same command that is used by the script on init.d (/usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --no-beep), the behavior is still the same (http works fine, https doesn't).

ls /var/lib/shellinabox -l 

-rwxrwxrwx 1 shellinabox shellinabox 790 2009-07-12 17:25 certificate.pem
-rwxrwxrwx 1 shellinabox shellinabox 887 2009-07-12 17:25 privkey.pem


I'll try to run SIAB on an official Debian Lenny LiveCD and see what happens.

Original comment by [email protected] on 12 Jul 2009 at 8:37

from shellinabox.
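
A check for the conditions that come up in this thread (certificate directory owner, the chmod 777 workaround, the 0-byte certificate.pem, key files readable by everyone), as an added example that is not part of the original thread or of shellinabox. The function name `audit_cert_dir`, its finding labels and the sample files are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a shellinaboxd certificate directory (-c DIR).
# Usage: audit_cert_dir DIR EXPECTED_UID   (e.g. "$(id -u shellinabox)")
# Prints one finding per line; returns 1 if anything was found.
audit_cert_dir() {
    dir=$1 want_uid=$2 bad=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    # The daemon drops privileges, so the directory must belong to the
    # dedicated account it runs as (-u), not to root or "nobody".
    [ "$(stat -c %u "$dir")" = "$want_uid" ] ||
        { echo "OWNER $dir is not owned by uid $want_uid"; bad=1; }

    # chmod 777 removes access errors but lets any local user swap files.
    mode=$(( 0$(stat -c %a "$dir") ))
    [ $(( mode & 0002 )) -eq 0 ] ||
        { echo "WORLD-WRITABLE $dir"; bad=1; }

    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        # A 0-byte certificate.pem means generation failed; TLS cannot work.
        [ -s "$f" ] || { echo "EMPTY $f"; bad=1; continue; }
        # Key material must not be accessible to group or others.
        if grep -q 'PRIVATE KEY-----' "$f"; then
            mode=$(( 0$(stat -c %a "$f") ))
            [ $(( mode & 0077 )) -eq 0 ] ||
                { echo "KEY-EXPOSED $f"; bad=1; }
        fi
    done
    return "$bad"
}

# Constructed sample reproducing the two directory listings in the thread.
demo() {
    d=$(mktemp -d)
    : > "$d/certificate.pem"; chmod 400 "$d/certificate.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$d/privkey.pem"
    chmod 777 "$d/privkey.pem"; chmod 777 "$d"
    audit_cert_dir "$d" "$(id -u)"
    rm -rf "$d"
}
demo || true
```

On a packaged install the equivalent call would be `audit_cert_dir /var/lib/shellinabox "$(id -u shellinabox)"`, run as root so the key files can be read.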
