httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: agent-based framework for httpd private keys
Date Sun, 09 Feb 2014 07:15:37 GMT
On 07.02.2014 01:58, Daniel Kahn Gillmor wrote:
> As part of the goal of dropping encrypted private key support, have you
> considered using an agent-based framework for private keys?

I haven't, no, since an important aspect of that goal is to reduce
complexity in code. Dropping ssl_load_encrypted_pkey and friends from
trunk amounts to a reduction of about 5% of mod_ssl's ~15,000 LoC right now.

> Anyway, with some sort of agent-based approach, you could preserve
> encrypted keys-on-disk (for Joe Orton's examples of admins with access
> to full-machine backups, or secret-keys-on-NFS) while leaving apache
> agnostic about the way the keys get *into* the agent.

Putting the decrypted keys on a RAM disk (tmpfs etc.) is a much more
straightforward way to achieve this, IMO, with the benefit of being able
to rely on a well-established method for configuring private keys (and
not having to introduce another non-standard layer for performing
private key operations).
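A sketch of the RAM-disk approach described above, added here as an example and not code from the thread or from httpd itself: it mounts a tmpfs, refuses to stage anything unless the target really is a root-only tmpfs, and decrypts the on-disk PEMs into it with openssl so the plaintext copies never reach persistent storage. The paths /etc/httpd/keys-enc and /run/httpd-keys and all function names are assumptions.

```shell
#!/bin/sh
# Stage decrypted httpd private keys on a tmpfs RAM disk (example, assumed paths).
# The encrypted PEMs stay on disk; SSLCertificateKeyFile points at $RAM_DIR.
set -eu

KEY_STORE=/etc/httpd/keys-enc   # encrypted PEMs on persistent storage (assumed)
RAM_DIR=/run/httpd-keys         # tmpfs mount point (assumed)

# Return 0 if DIR exists, is a directory and has mode 0700 exactly.
dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c %a "$dir" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}

# Return 0 if DIR is the mount point of a tmpfs filesystem (Linux /proc/mounts).
dir_is_tmpfs() {
    awk -v d="$1" '$2 == d && $3 == "tmpfs" { found = 1 } END { exit !found }' /proc/mounts
}

# Create the RAM disk: small tmpfs, root-only, no exec/suid/device files (needs root).
mount_key_ramdisk() {
    mkdir -p -m 700 "$RAM_DIR"
    dir_is_tmpfs "$RAM_DIR" || \
        mount -t tmpfs -o size=4m,mode=0700,noexec,nosuid,nodev tmpfs "$RAM_DIR"
}

# Decrypt every *.pem in KEY_STORE into RAM_DIR; openssl prompts for each passphrase.
# Refuses to run if the target is not a private tmpfs, so plaintext never hits disk.
stage_keys() {
    dir_is_tmpfs "$RAM_DIR"   || { echo "refusing: $RAM_DIR is not tmpfs" >&2; return 1; }
    dir_is_private "$RAM_DIR" || { echo "refusing: $RAM_DIR is not mode 0700" >&2; return 1; }
    umask 077   # decrypted files are created 0600
    for enc in "$KEY_STORE"/*.pem; do
        [ -e "$enc" ] || continue
        openssl pkey -in "$enc" -out "$RAM_DIR/$(basename "$enc")"
    done
}
```

Run `mount_key_ramdisk && stage_keys` as root before starting httpd; because tmpfs does not survive a reboot, the keys have to be re-staged (and the passphrases re-entered) on every boot, which is the same operator interaction the encrypted-key path required.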

