Bodo Moeller <[EMAIL PROTECTED]> writes:
> On Wed, Jan 20, 1999 at 03:08:08PM +0100, Ralf S. Engelschall wrote:
> > On Wed, Jan 20, 1999, Magnus Stenman wrote:
>
> >> It would be nice if httpd would check
> >> its name when starting up -- if it's
> >> httpsd, define SSL, otherwise don't
>
> > The problem is that now with Apache 1.3.4 a simple --target=foobar is all you
> > need to name it "foobar". And so "httpsd" is just a historical example of a
> > name. A lot of people will use "apache", so where to start and where to end
> > with this? [...]
>
> What I'd like to have is a third variant of starting up Apache with
> mod_ssl which enables SSL, but disables asking for passwords (so that
> start-up might fail if the password is not available). The reason is
> that then the SSL-enabled server can be started from init without
> running the risk that a configuration change (a new, encrypted keyfile)
> will prevent the machine from booting as usual the next time. (I
> presume that the reason for introducing the difference between "start"
> and "startssl" in apachectl is exactly that: With "start" you can't
> disturb the host's booting procedure.)
If your private keys are encrypted, you will always be prompted for a
passphrase. No way around that.
I think this is what you're talking about...
By default, mod_ssl uses a built-in program of sorts to obtain the
passphrase via the controlling tty. mod_ssl allows you to override this
built-in program with some other external program. See
SSLPassPhraseDialog. Or you could always wrap an expect script around
apachectl.
Either way, this means you'll be storing your passphrases in some form, in
a file, in a program, or something else, which greatly reduces the security
of your system.
-Tom
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
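An added example of the SSLPassPhraseDialog route Tom mentions, not code from mod_ssl or from anyone on this thread: an external program wired in with "SSLPassPhraseDialog exec:/usr/local/apache/sbin/ssl-passphrase". It assumes mod_ssl calls the program with "servername:port" as its first argument (later releases also pass the key type, RSA or DSA, as a second argument) and reads the pass-phrase from the program's stdout. The lookup file, its path and its line format are this example's own invention. It also shows the two things a practitioner would want on top of the bare lookup: it refuses to run if the pass-phrase file is readable by group or other (the file is plaintext, so that is the only control left once you go this way), and it exits non-zero when no entry exists, so an unattended start from init fails cleanly instead of hanging on a tty prompt, which is the failure mode Bodo is worried about.

```shell
#!/bin/sh
# Added example (not mod_ssl's own code): an external pass-phrase program for
#   SSLPassPhraseDialog exec:/usr/local/apache/sbin/ssl-passphrase
# Assumptions: mod_ssl invokes it with "servername:port" as $1 (later releases
# add the key type, RSA or DSA, as $2) and takes the pass-phrase from stdout.
# The lookup file, its path and its line format are invented for this example:
#   servername:port<space>pass-phrase (everything after the first space)
# Blank lines and lines starting with '#' are ignored.

PASSFILE="${SSL_PASSFILE:-/usr/local/apache/conf/ssl.key/passphrases}"

# perms_ok FILE: succeed only if FILE is a regular file that is readable by
# neither group nor other. The pass-phrases are plaintext, so file mode is the
# one control left; refuse to hand them out from a loosely protected file.
perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# lookup_passphrase FILE SERVER:PORT: print the pass-phrase recorded for
# SERVER:PORT and return 0, or return 1 if the file has no usable entry.
lookup_passphrase() {
    file=$1; want=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # comment or blank line
            *' '*)  ;;                    # has an entry and a pass-phrase
            *)       continue ;;          # malformed: no pass-phrase part
        esac
        entry=${line%% *}                 # up to the first space: servername:port
        pass=${line#* }                   # after it: the pass-phrase, spaces and all
        [ "$entry" = "$want" ] || continue
        printf '%s\n' "$pass"
        return 0
    done < "$file"
    return 1
}

# main SERVER:PORT [KEYTYPE]: what mod_ssl runs at start-up. Any failure exits
# non-zero so the server start fails instead of waiting on a tty.
main() {
    if ! perms_ok "$PASSFILE"; then
        echo "ssl-passphrase: $PASSFILE missing or readable by group/other" >&2
        exit 2
    fi
    lookup_passphrase "$PASSFILE" "$1" || {
        echo "ssl-passphrase: no pass-phrase for $1, refusing to start" >&2
        exit 1
    }
}

# Only act when mod_ssl supplies a servername:port argument; sourcing or
# running the file without arguments just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it mode 0500, owned by the user that starts the server (root, for a tty-less init start), with the pass-phrase file 0400 under the same owner. The security caveat in Tom's message still stands in full: anyone who can read that file, or the script, or the memory of the running parent, has the pass-phrase, so this buys you unattended restarts and nothing more.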