httpd-users mailing list archives

From "Dan Rossi" <dan...@electroteque.org>
Subject RE: [users@httpd] RE: ssl pass phrase dialog on startup
Date Mon, 18 Nov 2002 11:39:44 GMT
I have given examples before. I have set up virtual hosts in ssl.conf:

https://www.blueskyhost.com:445

https://www.electroteque.org:445

Same server, same IP.

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@swx.com]
Sent: Monday, November 18, 2002 9:54 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup


The golden rule is that SSL VHs have to be distinguishable using only TCP/IP
attributes. HTTP attributes (like the Hostname) are not accessible during
SSL negotiation.

In other words, they can be on different IPs or ports or both. So:

ip1:443, ip2:443 is OK,
ip1:443, ip1:445 is OK,
ip1:443, ip2:445 is OK.

sitename1:443 and sitename2:443 (where sitename1 and sitename2 = same ip) is
NOT OK. This is name based VH and doesn't work since the sitename is an HTTP
attribute.

Rgds,

Owen Boyle

>-----Original Message-----
>From: Dan Rossi [mailto:daniel@electroteque.org]
>Sent: Monday, 18 November 2002 11:48
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>
>
>So regarding my last question, can SSL be set up as I have made it on
>virtual hosts, or do I need a separate IP for each SSL site?
>
>-----Original Message-----
>From: Boyle Owen [mailto:Owen.Boyle@swx.com]
>Sent: Monday, November 18, 2002 8:58 PM
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>
>
>Use the passphrase by all means, if you think it is necessary. The
>downside is that a passphrase-knower has to be on 24-hr callout and the
>response time for getting the server back up depends on getting that guy
>to the keyboard. For the dubious security gain it provides (practically
>none), I don't think it's worth the hassle.
>
>As regards vulnerability via backups - I wouldn't back up
>/usr/local/apache/conf/ssl.key. If you want a copy of the key, keep it
>on a floppy in a safe.
>
>The "corrupt employee" scam beats any security scheme you can think of,
>including the floppy-in-a-safe. The only really, really secure scheme I
>can think of is dual-key - but Richard Pryor got round even that in
>Superman III :-)
>
>>-----Original Message-----
>>From: Howarth, Richard [mailto:rhowarth@sgb.co.uk]
>>Sent: Monday, 18 November 2002 10:48
>>To: 'users@httpd.apache.org'
>>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>>
>>
>>> Having said that, my personal opinion is that there is not much point
>>> to the passphrase - an SSL server should be highly secure anyway, with
>>> the cert readable only by root so theft of the cert should be as
>>> difficult as finding out the passphrase - i.e. anyone who can copy the
>>> cert has to have root privilege and so would know the passphrase anyway.
>>
>>Or it can be as easy as obtaining a backup - either by theft, careless
>>handling of backup media or simply making an offer to a lowly paid
>>operator that they can't refuse. The certificate can then be restored
>>and used without recourse to root privilege.
>>
>>Once it is out in the wild, you have lost it.
>>
>>> I think the
>>> safest way to run is without passphrase but with a highly secure
>>> webserver.
>>
>>The passphrase is another layer in the security onion. Whether or not
>>you should be using it will depend upon the nature of your business,
>>your local data protection laws and what the people who audit your
>>company accounts and practices think.
>>
>>For private use and small business it may not be an issue, but in an
>>increasingly litigious world it is worth thinking twice before making
>>yourself culpable by willfully failing to implement or circumventing a
>>security feature.
>>
>>Richard.
>>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
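Owen's rule above, turned into a check one can run over an httpd configuration. This is an added example, not code from the thread or from the httpd project; the 192.0.2.10 address, the file paths and the www.example.com host are assumptions, while the two hostnames are the ones Dan listed. The rule as Owen states it describes SSL/TLS without Server Name Indication, which is how things stood in 2002; with SNI (RFC 6066) the client does send the hostname during the handshake, so a modern httpd can select among several SSL virtual hosts on one ip:port. The check implements the pre-SNI rule: it parses the <VirtualHost> blocks and reports any ip:port carrying more than one host with SSLEngine on, which is exactly Dan's setup (both sites on :445 at the same IP).

```python
"""Check that SSL <VirtualHost> blocks in an httpd config are distinguishable
by ip:port alone (the rule Owen states in the thread). Added example, not from
the thread or the httpd project; addresses and paths are assumptions."""
import re
from collections import defaultdict

# Constructed sample config modelled on Dan's setup: two SSL virtual hosts on
# the same IP and the same port (445). 192.0.2.10 is an RFC 5737 documentation
# address, chosen here as an assumption; the file paths are likewise assumed.
SAMPLE_CONFIG = """
Listen 443
Listen 445

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/example.key
</VirtualHost>

<VirtualHost 192.0.2.10:445>
    ServerName www.blueskyhost.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/blueskyhost.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/blueskyhost.key
</VirtualHost>

<VirtualHost 192.0.2.10:445>
    ServerName www.electroteque.org
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/electroteque.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/electroteque.key
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.electroteque.org
</VirtualHost>
"""

# One <VirtualHost addr>...</VirtualHost> block; re.S lets the body span lines.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config):
    """Return a list of (address, server_name, ssl_enabled) per <VirtualHost>."""
    hosts = []
    for m in VHOST_RE.finditer(config):
        addr, body = m.group(1), m.group(2)
        name_m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl_on = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        hosts.append((addr, name_m.group(1) if name_m else None, ssl_on))
    return hosts


def ssl_address_collisions(config):
    """Map each ip:port that carries more than one SSL vhost to the names on it.

    Without SNI the server has no hostname to go on when it must pick a
    certificate, so only one of the colliding hosts can ever be served
    correctly; the others are name-based SSL vhosts in Owen's sense.
    Wildcard forms such as *:443 are compared literally, not expanded."""
    by_addr = defaultdict(list)
    for addr, name, ssl_on in parse_vhosts(config):
        if ssl_on:
            by_addr[addr].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    for addr, names in ssl_address_collisions(SAMPLE_CONFIG).items():
        print(f"{addr}: {len(names)} SSL vhosts share this address: {', '.join(names)}")
```

Run against a real ssl.conf, the fix for each reported address is the one Owen gives: move one of the colliding hosts to another IP, another port, or both.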


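The passphrase-versus-file-permissions debate between Owen and Richard, as an added audit check (example code, not from the thread or from the httpd project). It inspects a key file for the two controls at issue: whether the PEM is passphrase-encrypted (a traditional OpenSSL key carries a "Proc-Type: 4,ENCRYPTED" header; a PKCS#8 key uses "BEGIN ENCRYPTED PRIVATE KEY") and whether its mode and owner restrict it to root. The sample keys are constructed filler with the right headers, not real key material; the expect_passphrase flag selects which of the two positions the check enforces. For context on the subject line of the thread: mod_ssl's SSLPassPhraseDialog directive controls how httpd obtains the passphrase at startup, with "builtin" being the terminal prompt under discussion here.

```python
"""Audit an httpd SSL private-key file for the two controls debated in the
thread: is the key passphrase-protected, and do its permissions restrict it
to root? Added example, not from the thread or the httpd project. The PEM
bodies below are constructed filler with real headers, not real keys."""
import os
import stat
import tempfile

# Constructed PEM samples: only the headers matter here, the base64 is filler.
PLAINTEXT_KEY = b"""-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAfiller
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_KEY = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIEowIBAAKCAQEAfiller
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_KEY = b"""-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0filler
-----END ENCRYPTED PRIVATE KEY-----
"""

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def key_is_encrypted(pem_bytes):
    """True if the PEM is passphrase-protected: a traditional OpenSSL key
    carrying 'Proc-Type: 4,ENCRYPTED', or a PKCS#8 EncryptedPrivateKeyInfo."""
    head = pem_bytes[:512]  # the headers sit at the top of the file
    return (b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in head
            or b"Proc-Type: 4,ENCRYPTED" in head)


def key_file_problems(path, expect_passphrase=False, require_root=True):
    """Return the list of problems found with one key file (empty if none).

    expect_passphrase=False encodes Owen's position: a plaintext key is fine
    as long as only root can read it. expect_passphrase=True encodes
    Richard's: the passphrase is a required extra layer, e.g. against a
    key lifted from backup media where file permissions no longer apply."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    with open(path, "rb") as f:
        encrypted = key_is_encrypted(f.read())

    problems = []
    if mode & GROUP_OR_OTHER:
        problems.append(f"mode {mode:04o} grants group/other access")
    if require_root and st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    if expect_passphrase and not encrypted:
        problems.append("stored without a passphrase")
    return problems


def write_key(directory, name, pem_bytes, mode):
    """Write a sample key with an explicit mode; returns its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(pem_bytes)
    os.chmod(path, mode)
    return path


def demo():
    """Audit three constructed key files; returns {name: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "plain-0644.key": (PLAINTEXT_KEY, 0o644),
            "plain-0600.key": (PLAINTEXT_KEY, 0o600),
            "encrypted-0600.key": (ENCRYPTED_KEY, 0o600),
        }
        for name, (pem, mode) in samples.items():
            path = write_key(d, name, pem, mode)
            # require_root=False so the demo is meaningful when run unprivileged
            results[name] = key_file_problems(path, expect_passphrase=True,
                                              require_root=False)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'; '.join(problems) or 'no problems'}")
```

On a real server, call key_file_problems on each SSLCertificateKeyFile path with the defaults, so that ownership by root is enforced as well; the header test is deliberately cheap so it can run over every key in a backup set, where a plaintext key is the case Richard warns about.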

