httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Fri, 06 Dec 2013 00:22:13 GMT
On 12/5/2013 6:17 PM, Daniel Ruggeri wrote:
> On 11/14/2013 5:54 AM, Joe Orton wrote:
>> a) people who want the ability to do filesystem backups without exposing 
>> private keys to the set of admins who can read such backups; or e.g. 
>> stick keys on NFS mounts, a similar requirement there.
>> b) people who like or are required to follow "security by checklist" or 
>> "security by regulator"; some auditor has "No Plaintext Keys !!!" on the 
>> checklist, and so we must not use plaintext keys, no argument.
>> I'm most sceptical of all about (b) as motivation for increasing 
>> software complexity, but (a) I can at least appreciate.
> c) Like a, the system has lots of users on it that aren't necessarily
> trusted (application developers who look at logs) that shouldn't have
> access to the key.
> d) If any bug/exploit in an application running on the same box or in
> httpd is found allowing an arbitrary remote file to be read, an attacker
> could easily locate the key (since most httpd.conf files are in
> predictable locations) and read it remotely. An even worse case is a
> server admin accidentally exposing / due to ignorance and/or malice...
> but I can't really defend those guys much :-).
> Also worth noting, other SSL implementations protect their keys. Java,
> for example has a password on the keystore and an optional, additional
> password on the key object. I'd say that if the implementation supports
> it, httpd should try to accommodate it... there is no limit to what some
> people are willing to do in order to increase their apparent security
> posture.
> --
> Daniel Ruggeri

I don't mean to say that a password protecting the file is "secure"...
but it adds a layer, and (most) layers are good.

Daniel Ruggeri

View raw message