On Thu, Aug 16, 2001 at 06:35:40PM +0800, Pablo Manalastas wrote:
>
> On Thu, 16 Aug 2001, Miguel A.L. Paraz wrote:
>
> > OK here's a practical problem. How can you restart a SSL webserver
> > without prompting for a password from the tty? Either you store the private
> > key unencrypted, but in the "safe" place being sought; or encrypt it, but
> > keep the password/phrase - much smaller in terms of bytes - "safe".
>
> I think the problem is when the machine reboots after a power
> failure, the SSL webserver asks for the passphrase that you used to
> encrypt the server's private key. If you are not around to supply
> it, what happens? I think it is simpler to just store the server's
> private key unencrypted in a safe place (file and directory permissions
> to /home/httpd/conf/ssl.key should be appropriate).
>
Besides, if your SSL box gets rooted, I just thought that the now
root-level cracker could just dump /proc/kmem and look for the server
private key in the entrails of the running apache. Well, LIDS is
supposed to prevent that if it works as advertised...
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63(2) 8177746 ext. 8311
Programmer, InterdotNet Philippines +63(917) 4458925
http://dido.engr.internet.org.ph/ OpenPGP Key ID: 0x5CDA17D8
PGP signature
