From: Sander Temme <sctemme@apache.org>
To: users@httpd.apache.org
Date: Mon, 1 Sep 2008 08:44:42 -0700
Subject: Re: [users@httpd] How to start Apache automatically with certificate?

Hi Ingrid,

On Aug 28, 2008, at 6:31 AM, Tan, Liao wrote:

> Ok, ic I can simply remove the passphrase, and provided the new key
> be readable by root only, I should not have any security
> problems... is it simply remove it? or any other settings,
> configurations, re-installation?

What has been proposed is that you decrypt the private key and have Apache use that, so it won't prompt for a password when it starts up. This requires no reconfiguration except to point Apache to the file that contains the decrypted private key.

Giving the key read-only permissions for only the root user is a good idea. You should end up with permissions that look like -r-------- and root ownership in the ls -l output for the key file.

The discussion on whether to start Apache as root is off-topic for this thread, and potentially harmful. Apache starts as root for two very good reasons: 1) to bind to low-numbered ports and 2) to open log files for writing in locations to which its children can't write. The server reads the configuration files (and the private key file) while it is still root, and its children inherit that configuration, and the open file descriptors for the sockets and the log file, after they change user id. Because the children change user id, they can't write to the log directory, or in fact anywhere except directories like /tmp. They also can't read that private key file, which offers some protection, although they have a copy of the key sitting in memory for use in SSL handshakes.
If someone were to find and exploit a vulnerability in the server software that allows them to read the entire memory space of the server, they can find that key. But this is true whether or not the private key was encrypted to begin with.

Does this give you enough security? That depends on how much security you need. The address from which you post suggests that you are in the financial service industry, and you might want to look into requirements within your company regarding private key protection. You don't tell us whether this is an Internet-facing server or not (and we really don't have to know), but please realize that if anyone were to retrieve the private key of your website, they can use that key and the certificate to impersonate your website with a simple DNS spoofing attack.

You could look into protecting the private key with a Hardware Security Module or HSM. An HSM-protected key can only be used within the secure envelope of the HSM, so even if someone were to steal the key material they couldn't use it because the HSM stays behind in your data center. HSM-protected keys can be configured to allow unattended starts of the server, without having to type passphrases. I work for a company that makes HSMs: contact me offline if you want to chat about this option.

S.
-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
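As an added example (not part of the thread above, and not an Apache project script), the following POSIX shell functions audit a key file against the three conditions Sander describes: the PEM must not be passphrase-protected (or httpd prompts at startup), its mode must show as -r-------- in ls -l, and it must be owned by root. The function names and the optional expected-owner argument are this example's own; the PEM header patterns are the standard OpenSSL markers for encrypted PKCS#1 and PKCS#8 keys.

```shell
#!/bin/sh
# Added example: audit an Apache TLS private key file for unattended start.
# It only reports; it never rewrites the key. To produce the decrypted copy
# the thread talks about, the usual tool is
#   openssl rsa -in server.key -out server.key.nopass   (not from the thread)
# followed by chmod 400 and chown root on the result.

# Returns 0 if the PEM still carries a passphrase (httpd would prompt).
key_is_encrypted() {
    # PKCS#1 keys mark encryption with a Proc-Type header; PKCS#8 keys use
    # a distinct BEGIN line.
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Mode string exactly as ls -l prints it, e.g. "-r--------". Cutting to ten
# characters drops the ACL/SELinux marker some systems append.
key_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Owner as ls -l prints it (third field).
key_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# check_key_file FILE [EXPECTED_OWNER]
# Returns 0 when all three conditions hold, 1 otherwise, printing one line
# per problem. EXPECTED_OWNER defaults to root.
check_key_file() {
    file=$1
    want_owner=${2:-root}
    rc=0
    if key_is_encrypted "$file"; then
        echo "$file: key is passphrase-protected; httpd will prompt at startup"
        rc=1
    fi
    mode=$(key_mode_string "$file")
    if [ "$mode" != "-r--------" ]; then
        echo "$file: mode is $mode, expected -r-------- (chmod 400)"
        rc=1
    fi
    owner=$(key_owner "$file")
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owned by $owner, expected $want_owner"
        rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then check_key_file "$@"; fi
```

Run it as `sh check_key.sh /path/to/server.key`; a non-zero exit means at least one of the three conditions is not met.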