On Fri, Jan 22, 1999 at 01:11:04PM -0800, Tom Vaughan wrote:
> Bodo Moeller <[EMAIL PROTECTED]> writes:

>> What I'd like to have is a third variant of starting up Apache with
>> mod_ssl which enables SSL, but disables asking for passwords (so that
>> start-up might fail if the password is not available).  The reason is
>> that then the SSL-enabled server can be started from init without
>> running the risk that a configuration change (a new, encrypted keyfile)
>> will prevent the machine from booting as usual the next time.  (I
>> presume that the reason for introducing the difference between "start"
>> and "startssl" in apachectl is exactly that: With "start" you can't
>> disturb the host's booting procedure.)

> If your private keys are encrypted, you will always be prompted for a
> passphrase. No way around that.
> 
> I think this is what you're talking about...
> 
> By default, mod_ssl uses a built-in program of sorts to obtain the
> passphrase via the controlling tty. mod_ssl allows you to override this
> built-in program with some other external program. See
> SSLPassPhraseDialog. Or you could always wrap an expect script around
> apachectl.
> 
> Either way, this means you'll be storing your passphrases in some form, in
> a file, in a program, or something else, which greatly reduces the security
> of your system.

What I'm looking for is a possibility to start httpd which can _not_
ask for passphrases even if someone screwed up the configuration
files.  On many machines, putting a script in an rc.* directory so
that it will be started automatically from init is not acceptable if
that script leads to even a tiny possibility that one day the booting
process might be stopped by a passphrase dialog.  I am aware of the
security implications of not encrypting the server key; depending on
the application and on various other circumstances, this can be
acceptable.
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
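The thread asks for a start-up mode that refuses to run rather than block the boot on a passphrase prompt. One way to get that behaviour without a new apachectl variant is a pre-start check in the rc script that inspects every configured key file and fails loudly if any of them is encrypted. The script below is an added example, not code from the thread or from mod_ssl; the sample PEM files it creates are constructed placeholders (only the PEM framing matters), and the `start_ssl_noninteractive` wrapper assumes the `apachectl startssl` command discussed above. It recognises both the legacy OpenSSL `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` form, which goes slightly beyond the SSLeay-era keys the thread is about.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): refuse a non-interactive
# server start if any configured private key would trigger a passphrase dialog.

# key_is_encrypted FILE -> exit 0 if the PEM key needs a passphrase, 1 otherwise.
# Matches the legacy OpenSSL header ("Proc-Type: 4,ENCRYPTED", followed by a
# DEK-Info line) and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" framing.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# check_keys_noninteractive FILE... -> 0 if every key loads without a passphrase,
# 2 if at least one key is passphrase-protected, 3 if any file is missing or
# unreadable (a missing file is reported as the more severe condition).
check_keys_noninteractive() {
    encrypted=0
    missing=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "key file missing or unreadable: $f" >&2
            missing=1
        elif key_is_encrypted "$f"; then
            echo "refusing non-interactive start: $f is passphrase-protected" >&2
            encrypted=1
        fi
    done
    if [ "$missing" -eq 1 ]; then return 3; fi
    if [ "$encrypted" -eq 1 ]; then return 2; fi
    return 0
}

# Wrapper for an rc.* script (hypothetical; assumes the apachectl discussed above):
# launch httpd only when no key will prompt, otherwise propagate the check's status
# so init sees a failed service instead of a hung boot.
start_ssl_noninteractive() {
    check_keys_noninteractive "$@" || return $?
    apachectl startssl
}

# make_samples -> prints a temp directory holding three constructed PEM files.
# The base64 bodies are placeholders, not real key material.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
        'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' > "$dir/encrypted.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' > "$dir/plain.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'cGxhY2Vob2xkZXI=' '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8enc.pem"
    echo "$dir"
}

# Stand-alone demonstration over the constructed samples.
samples=$(make_samples)
for k in plain.pem encrypted.pem pkcs8enc.pem; do
    if key_is_encrypted "$samples/$k"; then
        echo "$k: passphrase required"
    else
        echo "$k: loads without a passphrase"
    fi
done
rm -rf "$samples"
```

The check only inspects PEM framing; it does not prove the key parses or matches the certificate. A stricter pre-flight can additionally run `openssl pkey -noout -in FILE -passin pass:` (an empty passphrase), which fails for any key that would have prompted, at the cost of depending on the OpenSSL binary at boot time.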
