httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Thu, 14 Nov 2013 11:54:31 GMT
On Thu, Nov 14, 2013 at 07:02:58AM +0100, Kaspar Brand wrote:
> On 13.11.2013 15:28, Dr Stephen Henson wrote:
> > I can vaguely recall that some of that code is designed to avoid the need to
> > enter the private key passphrase more than once by decrypting private keys once
> > and storing the unencrypted forms in serialised form.
> 
> True, it allows to SIGHUP/SIGUSR1 httpd without having to reenter a
> passphrase. But my point is a different one, actually: why do we want to
> enable users to protect file-based keys with a pass phrase in the first
> place? As the article on the Symantec (formerly Securityfocus) site
> says: "It is not only inconvenient, but also gives a false sense of
> security."

I've also always been a sceptic of this (mis)feature, so I hate to be 
one to defend it.  But demand comes from:

a) people who want the ability to do filesystem backups without exposing 
private keys to the set of admins who can read such backups; or e.g. 
stick keys on NFS mounts, a similar requirement there.

b) people who like or are required to follow "security by checklist" or 
"security by regulator"; some auditor has "No Plaintext Keys !!!" on the 
checklist, and so we must not use plaintext keys, no argument.

I'm most sceptical of all about (b) as motivation for increasing 
software complexity, but (a) I can at least appreciate.

Regards, Joe

Mime
View raw message