httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shahriar Aghajani <aghaj...@principle.com>
Subject Re: [users@httpd] Graceful Restart fails because of SSL Keys with Passphrase?
Date Thu, 28 Feb 2013 22:33:32 GMT
Hi,

Thanks for the responses.

Maybe I should ask a more distinct question first:

When we use "apachectl graceful", is the expected functionality that apache does not ask for
pass-phrases again?  Presumably because it has the decrypted keys already in memory?  Or,
does apache restart they key loading process all over again?

Presently, sometimes it doesn't ask, sometimes it does.

Thank you for your help,
Shahriar.

On 2013-02-13, at 12:49 PM, Andrew Schulman <andrex@alumni.utexas.net> wrote:

>> I've seen people recommending removing the passphrase or using SSLPassPhraseDialog.
>> But I'd prefer to use pass-phrases and graceful restart if possible.
> 
> Understand that if you keep passphrases on your keys, and you get Apache to
> restart without prompting you for them, then what you've done is to force
> Apache to store the passphrases somewhere on disk, unencrypted.  It has to
> do that, so it can read the passphrases when it starts.
> 
> So in that case, you haven't improved the security of your server or SSL
> keys.  All you've done is trade the need to protect the unencrypted SSL
> keys, for the need to protect the file where Apache is storing the
> passphrases.  Personally I prefer the former, because I know where the key
> files are, but I don't know where Apache stores the passphrases.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message