httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "SettingUpModSSL" by TomasPospisek
Date Wed, 12 Oct 2011 08:52:29 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "SettingUpModSSL" page has been changed by TomasPospisek:
http://wiki.apache.org/httpd/SettingUpModSSL?action=diff&rev1=5&rev2=6

Comment:
add refernce to document describing the removal of the SSL cert passphrase

   * Do nothing - In this case, httpd will prompt the server administrator for the passphrase
when starting the instance. This is often an undesired effect in the event you have configured
httpd to start via init scripts or are using some other method for automated startup.
   * Use SSLPassPhraseDialog "exec:/path/to/command" - there are currently only two requirements
for using this method. First, /path/to/command must be a file (TBD: will Daniel ever submit
the patch to remove this restriction?) and should be executable as the root user. Second,
the STDOUT output to /path/to/command must deliver the full passphrase. Using this method
allows you to take any security mechanisms you have in mind to any extent you can imagine
before delivering the passphrase via the /path/to/command.
   * Decrypt the key - To do this, you would need to use openssl to remove the encryption
on the key like so: openssl rsa -in key.pem -out newkey.pem
+  * See also [[RemoveSSLCertPassPhrase]]
  
  '''WARNING''': Although you may implement elaborate methods to protect your passphrase,
the httpd image in memory contains the passphrase as a string which can be obtained by triggering
a core dump (ie. in the event the root process is compromised).
  

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message