> On 22.02.2019 at 12:03, Ruediger Pluem <rpl...@apache.org> wrote:
> 
> 
> 
> On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
>> Hi, all;
>> I was approached to see if I would be interested/willing to work on code to 
>> support encrypted client keys for the proxy.
> 
> You mean encrypted private keys for SSL client authentication?
> You might remember that discussion from 2013 then where you took part:
> 
> https://lists.apache.org/thread.html/5d4fbc62cb07a3550af4f516d007973c385389cace202d217f6b74c1@1384351589@%3Cdev.httpd.apache.org%3E

Interesting. Thanks, Rüdiger.

In mod_md, there is no mechanism besides file permissions to protect private 
keys of server certificates. However, new keys, generated as a less-privileged 
user, are stored encrypted. When the server reloads and copies them into a 
"root" form they are converted to unencrypted. The passphrase sits in memory 
during this time, because.

Generic security scenarios where the attacker gets root access to file system / 
memory rapidly become unconstructive, I find. One needs to focus on more 
specific scenarios and requirements to get anywhere.

-Stefan
