On Sun, Jan 24, 1999 at 12:12:36PM +0100, Ralf S. Engelschall wrote:
> On Sun, Jan 24, 1999, Bodo Moeller wrote:
>> What I'm looking for is a possiblity to start httpd which can _not_
>> ask for passphrases even if someone screwed up the configuration
>> files. [...]
[...]
> And is a script which starts "httpd -t", "ssleay x509 -noout -text -in
> And what I don't understand is this: When you don't use encrypted private
> keys, a passphrase will _never_ happen. When you use encrypted private keys
> it will happen _everytime_.
The issue is fragility: I want a server setup with cleartext server
keys (or possibly with passphrases provided via some other program so
that an attacker would have to obtain more than just one file); but
even if someone thoughtlessly creates a new encrypted key (e.g. for an
additional virtual host) or changes the wrong part of httpd.conf
(e.g. the SSLPassphraseDialog directive) the booting procedure MUST
NOT be stopped because the machine has to perform other services
(e.g. plain HTTP via seperate server software) even if the HTTPS
software cannot start for some reason. So the rc.* directory needs a
script that starts up the SSL-aware Apache server and which is
GUARANTEED not to delay booting no matter what happened to Apache's
configuration and key files: All the software is allowed to do is
complain loudly, but only if this takes a limited amount of time.
Maybe this can already be done somehow (don't give httpd access to a
terminal?), but I'm not sure how.
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
