httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] RE: ssl pass phrase dialog on startup
Date Mon, 18 Nov 2002 11:42:54 GMT
Did you read the post before? Which category are you in?

(Answer the "NOT OK" one)

>-----Original Message-----
>From: Dan Rossi [mailto:daniel@electroteque.org]
>Sent: Monday, 18 November 2002 12:40
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>
>
>i have given examples before. i have set up virtual hosts in ssl.conf
>
>https://www.blueskyhost.com:445
>
>https://www.electroteque.org:445
>
>same server, same ip
>
>-----Original Message-----
>From: Boyle Owen [mailto:Owen.Boyle@swx.com]
>Sent: Monday, November 18, 2002 9:54 PM
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>
>
>The golden rule is that SSL VHs have to be distinguishable using only
>TCP/IP attributes. HTTP attributes (like the Hostname) are not
>accessible during SSL negotiation.
>
>In other words, they can be on different IPs or ports or both. So:
>
>ip1:443, ip2:443 is OK,
>ip1:443, ip1:445 is OK,
>ip1:443, ip2:445 is OK.
>
>sitename1:443 and sitename2:443 (where sitename1 and sitename2 = same ip)
>is NOT OK. This is name-based VH and doesn't work since the sitename is
>an HTTP attribute.
>
>Rgds,
>
>Owen Boyle
>
>>-----Original Message-----
>>From: Dan Rossi [mailto:daniel@electroteque.org]
>>Sent: Monday, 18 November 2002 11:48
>>To: users@httpd.apache.org
>>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>>
>>
>>so regarding my last question, can ssl be set up as i have made it on
>>virtualhosts or do i need a separate ip for each ssl site?
>>
>>-----Original Message-----
>>From: Boyle Owen [mailto:Owen.Boyle@swx.com]
>>Sent: Monday, November 18, 2002 8:58 PM
>>To: users@httpd.apache.org
>>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>>
>>
>>Use the passphrase by all means, if you think it is necessary. The
>>downside is that a passphrase-knower has to be on 24-hr callout and the
>>response time for getting the server back up depends on getting that guy
>>to the keyboard. For the dubious security gain it provides (practically
>>none), I don't think it's worth the hassle.
>>
>>As regards vulnerability via backups - I wouldn't back up
>>/usr/local/apache/conf/ssl.key. If you want a copy of the key, keep it
>>on a floppy in a safe.
>>
>>The "corrupt employee" scam beats any security scheme you can think of,
>>including the floppy-in-a-safe. The only really, really secure scheme I
>>can think of is dual-key - but Richard Pryor got round even that in
>>Superman 3 :-)
>>
>>>-----Original Message-----
>>>From: Howarth, Richard [mailto:rhowarth@sgb.co.uk]
>>>Sent: Monday, 18 November 2002 10:48
>>>To: 'users@httpd.apache.org'
>>>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>>>
>>>
>>>> Having said that, my personal opinion is that there is not much point
>>>> to the passphrase - an SSL server should be highly secure anyway, with
>>>> the cert readable only by root so theft of the cert should be as
>>>> difficult as finding out the passphrase - i.e. anyone who can copy the
>>>> cert has to have root privilege and so would know the passphrase anyway.
>>>
>>>Or it can be as easy as obtaining a backup - either by theft, careless
>>>handling of backup media or simply making an offer to a lowly paid
>>>operator that they can't refuse. The certificate can then be restored
>>>and used without recourse to root privilege.
>>>
>>>Once it is out in the wild, you have lost it.
>>>
>>>> I think the
>>>> safest way to run is without passphrase but with a highly secure
>>>> webserver.
>>>
>>>The passphrase is another layer in the security onion. Whether or not
>>>you should be using it will depend upon the nature of your business,
>>>your local data protection laws and what the people who audit your
>>>company accounts and practices think.
>>>
>>>For private use and small business it may not be an issue, but in an
>>>increasingly litigious world it is worth thinking twice before making
>>>yourself culpable by willfully failing to implement or circumventing a
>>>security feature.
>>>
>>>Richard.
>>>
>>>---------------------------------------------------------------------
>>>The official User-To-User support forum of the Apache HTTP
>>>Server Project.
>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>
>
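As an added example (not code from the thread or from the Apache project), a small Python check that applies Owen's golden rule to an ssl.conf: it groups SSL-enabled `<VirtualHost>` blocks by ip:port and reports any address claimed by more than one SSL host. The config fragment is constructed to mirror Dan's two sites on port 445; the 192.0.2.10 address is a documentation placeholder standing in for his shared IP.

```python
import re
from collections import defaultdict

# Constructed ssl.conf fragment (not from the thread) mirroring Dan's setup:
# both SSL sites on the same IP and port 445, which is Owen's "NOT OK" case.
# 192.0.2.10 is a documentation address standing in for the shared IP.
SAMPLE_SSL_CONF = """
Listen 443
Listen 445
<VirtualHost 192.0.2.10:445>
    ServerName www.blueskyhost.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:445>
    ServerName www.electroteque.org
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.blueskyhost.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return (ip:port, server_name, ssl_enabled) for each <VirtualHost> block.
    A block may list several addresses; each one is reported separately."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl_on = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        for addr in addrs.split():
            vhosts.append((addr, name.group(1) if name else None, ssl_on))
    return vhosts


def ssl_collisions(conf):
    """Apply the golden rule: SSL vhosts must differ in IP or port, because the
    hostname is an HTTP attribute that is not available while the SSL session
    is being negotiated. Returns {ip:port: [names]} for every address claimed
    by more than one SSL-enabled vhost; an empty dict means the layout is OK."""
    by_addr = defaultdict(list)
    for addr, name, ssl_on in parse_vhosts(conf):
        if ssl_on:
            by_addr[addr].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    for addr, names in ssl_collisions(SAMPLE_SSL_CONF).items():
        print(f"NOT OK: {addr} is shared by SSL hosts {', '.join(names)}")
```

Moving one of the two sites to a different port or IP (ip1:443 plus ip1:445, for instance) makes the collision list empty; the plain-HTTP host on port 80 is ignored because it needs no SSL negotiation.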
