"Ralf S. Engelschall" wrote:
>
> On Tue, Aug 17, 1999, Ben Laurie wrote:
>
> > > > I've checked through your ideas and it seems to me that they could be
> > > > made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
> > > > the keys don't have passphrases.
> > > >
> > > > The point of the preload of keys/certs is to get passphrases while you
> > > > still have a tty, nothing else.
> > >
> > > If this is really the case then you can even go with
> > > passphrase protected keys. At least mod_ssl has pass
> > > phrase caching, so you only need to load them once
> > > completely to get the passphrases and then load them
> > > whenever you need them.
> >
> > I consider passphrase caching to be an unacceptable security risk.
>
> The passphrases are cached only for the duration of the interactive terminal
> dialog, Ben. They are wiped out from memory after this. See
> ssl_engine_pphrase.c for details. There is even an info message logged "Init:
> Wiped out the queried pass phrases from memory" to inform the user about this.
> I think this approach has to be considered "unacceptable"...

Fine. However, after I wrote this I realised it was irrelevant for mass
virtual hosting, anyway, since you don't know what keys you want to
decode until someone connects to the vhost. Therefore, only
passphraseless keys work in general.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
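
Where keys carry no passphrase, as the message above concludes for mass virtual hosting, filesystem permissions are the only protection left on the key files. The following is an added example, not part of the original thread and not code from mod_ssl or Apache-SSL: a Python audit that classifies PEM key files as encrypted or not and flags unencrypted keys that grant group/other access. The file names and key bodies are constructed placeholders.

```python
import os
import stat
import tempfile

def classify_pem_key(text):
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for PEM text."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "encrypted"                 # PKCS#8 encrypted container
    if "-----BEGIN " not in text or "PRIVATE KEY-----" not in text:
        return "not-a-key"                 # e.g. a certificate
    if "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted"                 # traditional OpenSSL PEM header
    return "unencrypted"

def audit_key_file(path):
    """Return findings for one key file; an empty list means nothing to flag."""
    st = os.stat(path)
    with open(path, "r", errors="replace") as fh:
        kind = classify_pem_key(fh.read())
    findings = []
    if kind == "unencrypted":
        findings.append("no passphrase: file permissions are the only protection")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("mode %o grants group/other access"
                            % stat.S_IMODE(st.st_mode))
    return findings

def demo():
    """Audit three constructed key files (bodies are placeholders, not keys)."""
    plain = ("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
             "-----END RSA PRIVATE KEY-----\n")
    protected = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nPLACEHOLDER\n"
                 "-----END RSA PRIVATE KEY-----\n")
    samples = {"vhost-a.key": (plain, 0o644),      # unencrypted, world-readable
               "vhost-b.key": (plain, 0o600),      # unencrypted, owner-only
               "vhost-c.key": (protected, 0o644)}  # passphrase-protected
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
            results[name] = audit_key_file(path)
    return results

if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print(name, findings or "ok")
```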