httpd-users mailing list archives

From Andrew Schulman <and...@alumni.utexas.net>
Subject [users@httpd] Re: Graceful Restart fails because of SSL Keys with Passphrase?
Date Wed, 13 Feb 2013 17:49:19 GMT
> I've seen people recommending removing the passphrase or using SSLPassPhraseDialog.
> But I'd prefer to use pass-phrases and graceful restart if possible.

Understand that if you keep passphrases on your keys, and you get Apache to
restart without prompting you for them, then what you've done is to force
Apache to store the passphrases somewhere on disk, unencrypted.  It has to
do that, so it can read the passphrases when it starts.

So in that case, you haven't improved the security of your server or SSL
keys.  All you've done is trade the need to protect the unencrypted SSL
keys, for the need to protect the file where Apache is storing the
passphrases.  Personally I prefer the former, because I know where the key
files are, but I don't know where Apache stores the passphrases.
