httpd-users mailing list archives

From Sander Temme <scte...@apache.org>
Subject Re: [users@httpd] How to start Apache automatically with certificate?
Date Mon, 01 Sep 2008 15:44:42 GMT
Hi Ingrid,

On Aug 28, 2008, at 6:31 AM, Tan, Liao wrote:

> Ok, ic I can simply remove the passphrase, and provided the new key
> be readable by root only, I should not have any security
> problems... is it simply remove it? or any other settings,
> configurations, re-installation?

What has been proposed is that you decrypt the private key and have  
Apache use that, so it won't prompt for a password when it starts up.   
This requires no reconfiguration except to point Apache to the file  
that contains the decrypted private key.

Giving the key read-only permissions for only the root user is a good
idea.  You should end up with permissions that look like -r-------- and
root ownership in the ls -l output for the key file.

The discussion on whether to start Apache as root is off-topic for
this thread, and potentially harmful.  Apache starts as root for two
very good reasons: 1) to bind to low-numbered ports and 2) to open log
files for writing in locations to which its children can't write.  The
server reads the configuration files (and the private key file) while
it is still root, and its children inherit that configuration, and the
open file descriptors for the sockets and the log file, after they
change user id.

Because the children change user id, they can't write to the log
directory, or in fact anywhere except directories like /tmp.  They
also can't read that private key file, which offers some protection,
although they have a copy of the key sitting in memory for use in SSL
handshakes.  If someone were to find and exploit a vulnerability in
the server software that allows them to read the entire memory space
of the server, they can find that key.  But this is true whether or
not the private key was encrypted to begin with.

Does this give you enough security?  That depends on how much security  
you need.  The address from which you post suggests that you are in  
the financial service industry, and you might want to look into  
requirements within your company regarding private key protection.   
You don't tell us whether this is an Internet-facing server or not  
(and we really don't have to know), but please realize that if anyone  
were to retrieve the private key of your website, they can use that  
key and the certificate to impersonate your website with a simple DNS  
spoofing attack.

You could look into protecting the private key with a Hardware  
Security Module or HSM.  An HSM protected key can only be used within  
the secure envelope of the HSM, so even if someone were to steal the  
key material they couldn't use it because the HSM stays behind in your  
data center.  HSM protected keys can be configured to allow unattended  
starts of the server, without having to type passphrases.  I work for  
a company that makes HSMs: contact me offline if you want to chat  
about this option.

S.

-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
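The procedure Sander describes (decrypt the key, make it root-owned and mode -r--------, then verify) as a small shell script. This is an added example, not part of the mailing-list thread or of the httpd project; it assumes a POSIX shell, openssl(1), and either GNU or BSD stat(1), and the key file names are placeholders.

```bash
#!/bin/sh
# Added example (not from the original thread). Assumes openssl(1) and
# a POSIX shell; /etc/httpd/ssl/*.key paths below are placeholders.

# Strip the passphrase from an encrypted PEM private key so httpd can start
# unattended. The subshell sets umask 077 so the plaintext copy is never
# created world-readable, even for an instant; ownership and mode are then
# tightened to the root-only, read-only layout discussed in the thread.
# openssl will prompt for the existing passphrase on the terminal.
decrypt_key() {
    in="$1"
    out="$2"
    ( umask 077 && openssl rsa -in "$in" -out "$out" ) || return 1
    chown root:root "$out" 2>/dev/null   # only succeeds when run as root
    chmod 0400 "$out"
}

# Report the numeric mode (e.g. 400) of a file, on GNU or BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Report the owning user name of a file, on GNU or BSD stat.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Check that a key file matches the -r-------- layout with the expected
# owner (root unless another is given). Returns 0 when it does, 1 otherwise,
# so it can gate a service start: check_key_perms key || exit 1
check_key_perms() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || return 1
    [ "$(file_mode "$f")" = "400" ] || return 1
    [ "$(file_owner "$f")" = "$want_owner" ] || return 1
}

# Typical use (run as root):
#   decrypt_key /etc/httpd/ssl/server.key.enc /etc/httpd/ssl/server.key
#   check_key_perms /etc/httpd/ssl/server.key && echo "key permissions ok"
```

After decrypting, point mod_ssl's SSLCertificateKeyFile directive at the new plaintext file; nothing else in the configuration needs to change. The check function is deliberately strict: a group- or world-readable bit, or a non-root owner, fails it outright rather than warning.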