> > ... somewhere in a core dump from httpd ...
> That's why most Unix platforms do not create core files for daemon processes
> running under or started as UID=0 (root).

I thought that is "overridable" using "ulimit -c 10000000"?

> > A different way would be to use a patched httpd/OpenSSL, which dumps all
> > passphrases is a file or so.
> 
> Not really, because neither mod_ssl nor OpenSSL stores the pass phrase.
> Only the key itself is stored in memory.

Yeah, I meant a PATCHED version! Some lines of extra code, and it _does_
store it ;)

> just needs root access and can immediately read your key from disk.  When
> you've it encrypted he also has to steal it from the running process. Sure,

Or the hacker uses a mini wrapper around httpd that copies the passphrase
to a file (something like the function of "tee").
At the next server start he would have the phrase...

> One thing is actually true: You always have to protect the webserver machine
> itself as best as it can be. Just using a pass phrase on the keys is not
> enough, of course.

YES, absolutely!!! We have very strict TCP Wrappers and so on...
(it's easy to deny access to such "dedicated" servers for anything except
web)

> BTW, a few months ago we had a long thread about this topic.
> Look inside the sw-mod-ssl mailing list archives for details.

Sorry, I couldn't find it... I crawled through lots of mails, but I haven't
found such a discussion...

What's about the feature "SSLPassPhraseDialog exec:/path/to/program" ? 
The manual tells: "The intent is that this external program first runs
security checks to make sure that the system is not compromised by an
attacker, and only when these checks were passed successfully it provides
the Pass Phrase"
What kind of security checks are possible? I think it's at least very
difficult to tell the difference between the server and a good hacker: the same
IP, UID, calling situation and so on may be faked easily.

Does somebody have a good idea?


oki,

Steffen



______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
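As an added illustration of the "SSLPassPhraseDialog exec:" question raised above (example code, not mod_ssl's own and not part of the original mail): mod_ssl invokes the configured program with two arguments, servername:port and the key type (RSA or DSA), and reads the pass phrase from the program's standard output. The script below runs three checks before answering: that it runs as uid 0, that its parent process is the expected httpd binary (Linux /proc only), and that the httpd binary and modules still match SHA-256 values pinned in a manifest. The paths MANIFEST, PASSFILE and HTTPD, the manifest and pass phrase file formats, and the hostname in the usage comment are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not mod_ssl's own code. Intended use (hypothetical path):
#   SSLPassPhraseDialog exec:/usr/local/sbin/sslpass.sh
# mod_ssl calls it as:  sslpass.sh servername:port {RSA|DSA}
# and takes the first line written to stdout as the pass phrase.
# Assumed (hypothetical) files:
#   MANIFEST: lines of "<hex sha256>  <path>" for httpd and its modules
#   PASSFILE: lines of "servername:port keytype passphrase"
MANIFEST=${MANIFEST:-/etc/httpd/ssl/manifest.sha256}
PASSFILE=${PASSFILE:-/etc/httpd/ssl/passphrases}
HTTPD=${HTTPD:-/usr/local/apache/bin/httpd}

# SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check 1: every file listed in the manifest still has its pinned hash.
# Returns 1 on the first mismatch or unreadable file; blank and '#' lines skipped.
check_manifest() {
    while read -r want path; do
        [ -z "$path" ] && continue
        case $want in '#'*) continue ;; esac
        got=$(sha256_of "$path" 2>/dev/null)
        [ "$got" = "$want" ] || return 1
    done < "$1"
}

# Check 2: the process that started us is the expected binary (needs /proc).
check_parent() {
    exe=$(readlink "/proc/$PPID/exe" 2>/dev/null) || return 1
    [ "$exe" = "$1" ]
}

# Check 3: we run with uid 0, as httpd does while reading its keys at startup.
check_root() {
    [ "$(id -u)" = "0" ]
}

# Print the pass phrase matching servername:port and key type, or return 1.
lookup_phrase() {  # passfile servername:port keytype
    while read -r srv typ phrase; do
        if [ "$srv" = "$2" ] && [ "$typ" = "$3" ]; then
            printf '%s\n' "$phrase"
            return 0
        fi
    done < "$1"
    return 1
}

main() {
    check_root                 || { echo "sslpass: not uid 0" >&2; exit 1; }
    check_parent "$HTTPD"      || { echo "sslpass: unexpected parent" >&2; exit 1; }
    check_manifest "$MANIFEST" || { echo "sslpass: binary hash mismatch" >&2; exit 1; }
    lookup_phrase "$PASSFILE" "$1" "$2"
}

# Act only when called the way mod_ssl calls us, with exactly two arguments.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

The caveat the mail itself points at still applies: an attacker who already has root can edit the manifest, the pass phrase file or this script just as easily as he can patch httpd, so these checks only catch careless tampering (a swapped binary, a wrapper started from a different path) and do not turn the pass phrase into protection against a root compromise.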
