> Has anyone ever used the "SSLPassPhraseDialog exec:/path/to/program"
> facility?... How does that work exactly?
[snip, repeat, in answer to an earlier posting]
the following (global server config only) will do the trick:
SSLPassPhraseDialog exec:/path/to/script/get_pass
where get_pass is a script, executable etc. that picks up the server identifiers passed to it when mod_ssl/Apache starts up.
mod_ssl then sends:
ServerName:port
as the first argument to get_pass, and get_pass is called once for the global server config (if SSLEngine on) and once for each SSL-enabled virtual server.
Below is a highly simplified Perl script that does the job. You could also have this script get the actual passwords via a secure channel, like an ssh tunnel to a remote machine that was physically secure, and thereby avoid having even a root.root 0700 file containing the plaintext passphrases on the insecure server.
#!/usr/bin/perl
# get_pass: mod_ssl passes "ServerName:port" as the first argument.
# Check which virtual host's passphrase is required and send it to STDOUT.
use strict;
use warnings;

my $server = defined $ARGV[0] ? $ARGV[0] : '';

if ($server =~ /^ssl\.host1\.co\.uk/) {
    print "hubble bubble toil and trouble";
}
elsif ($server =~ /^ssl\.host2\.com/) {
    print "a c&y%t*c passh phrase";
}
elsif ($server =~ /^ssl\.host3\.to/) {
    print "passphrase number three";
}
else {
    # Unknown server: print nothing and fail rather than guess a passphrase.
    exit 1;
}
Nothing can be 100% secure of course but the above is better than castrating the private keys completely I think.
Mark
Mark Tiramani
FREDO Internet Services
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
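The following is an added example, not Mark's script and not anything shipped with mod_ssl, showing the same "SSLPassPhraseDialog exec:/path/to/get_pass" helper written more defensively: it does an exact match on the "ServerName:port" argument instead of a prefix regex, keeps the passphrases in a separate file whose owner and mode it checks before reading, and fails closed (prints nothing, exits non-zero) for an unknown vhost. The table path /etc/apache2/ssl-passphrases and its line format are assumptions of this example. The post only mentions the first argument; current Apache httpd releases also pass the key type (for example "RSA") as a second argument, which this helper uses when present and otherwise treats as "*".

```python
#!/usr/bin/env python3
"""Stricter SSLPassPhraseDialog exec: helper (added example, not Mark's script).

mod_ssl invokes the helper with argv[1] = "ServerName:port" (current Apache
httpd releases also pass argv[2] = key type, e.g. "RSA") and reads the pass
phrase from the helper's standard output.

Assumptions of this example: the table lives at TABLE_PATH (assumed path),
one entry per line as "servername:port keytype passphrase...", and it must
be a regular file owned by the invoking user with no group/other access.
"""
import os
import stat
import sys
from typing import Dict, List, Optional, Tuple

TABLE_PATH = "/etc/apache2/ssl-passphrases"  # assumed location

# Constructed sample table (not a real deployment's data). "*" as the key
# type covers every key type, which also keeps mod_ssl versions that pass
# only the ServerName:port argument working.
SAMPLE_TABLE = """\
# servername:port   keytype   passphrase (may contain spaces)
ssl.host1.co.uk:443  RSA  hubble bubble toil and trouble
ssl.host2.com:443    *    a c&y%t*c passh phrase
ssl.host3.to:8443    RSA  passphrase number three
"""

Key = Tuple[str, str]


def parse_table(text: str) -> Dict[Key, str]:
    """Parse the table text into {(server_id, KEYTYPE): passphrase}."""
    table: Dict[Key, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # passphrase is everything after field 2
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'server:port keytype passphrase'")
        server_id, key_type, passphrase = parts
        key = (server_id, key_type.upper())
        if key in table:
            raise ValueError(f"line {lineno}: duplicate entry for {key}")
        table[key] = passphrase
    return table


def select_passphrase(args: List[str], table: Dict[Key, str]) -> Optional[str]:
    """Map mod_ssl's arguments to a pass phrase, or None if nothing matches.

    The lookup is an exact match on "servername:port", not the prefix regex
    of the original script, so an entry for one port is never handed to a
    vhost on another port or to a similarly named host.
    """
    if not args:
        return None
    server_id = args[0]
    key_type = args[1].upper() if len(args) > 1 else "*"
    for key in ((server_id, key_type), (server_id, "*")):
        if key in table:
            return table[key]
    return None


def safe_table_mode(st_mode: int, st_uid: int, expected_uid: int) -> bool:
    """True only for a regular file owned by expected_uid with no group/other bits."""
    return (stat.S_ISREG(st_mode)
            and st_uid == expected_uid
            and (st_mode & 0o077) == 0)


def main(argv: List[str]) -> int:
    try:
        with open(TABLE_PATH, "rb") as fh:
            st = os.fstat(fh.fileno())  # check the file we actually opened
            if not safe_table_mode(st.st_mode, st.st_uid, os.geteuid()):
                sys.stderr.write(f"{TABLE_PATH}: refusing to read, bad owner or mode\n")
                return 2
            table = parse_table(fh.read().decode("utf-8"))
    except (OSError, ValueError) as exc:
        sys.stderr.write(f"{TABLE_PATH}: {exc}\n")
        return 2
    passphrase = select_passphrase(argv[1:], table)
    if passphrase is None:
        # Fail closed: print nothing so no guess reaches mod_ssl, and never
        # echo a pass phrase to stderr (it would end up in the error log).
        sys.stderr.write(f"no pass phrase configured for {argv[1:]}\n")
        return 1
    sys.stdout.write(passphrase)  # no trailing newline needed
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as the exec: target of SSLPassPhraseDialog in the global server config, mode 0700, and keep the table file 0600 root-owned; the fstat check is done on the opened descriptor so a swap between a stat and the open cannot slip a world-readable copy past it.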
