Re: httpd with SSL

2004-09-07 Thread Cristi Tauber 
 Yee ... thanks a lot.

   Cristi

On Mon, 2004-09-06 at 18:20, Josh Hansen wrote:
 Cristi Tauber wrote:
 
 Hello,
 I installed from ports (switched from sources ... hope to learn :) )
 apache 1.3.29 with mod-ssl. All good ... httpd works ... i issued a
 certificate ... but now when my computer reboots and apache starts in
 ssl mode it asks for pass phrase !!! So ... if computer reboots over
 night someone have to write the pass phrase so the computer can start.
 This is annoying ... how can i skip this ... can i enter the passphrase
 in my boot script ? How ???
 
  Cristi
 
 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]
   
 
 Hello Cristi,
 
 This is from the apache site:
 
 How can I get rid of the pass-phrase dialog at Apache startup time?
 
 The reason why this dialog pops up at startup and every re-start is that 
 the RSA private key inside your server.key file is stored in encrypted 
 format for security reasons. The pass-phrase is needed to be able to 
 read and parse this file. When you can be sure that your server is 
 secure enough you perform two steps:
 
1. Remove the encryption from the RSA private key (while preserving 
 the original file):
 
   $ cp server.key server.key.org
   $ openssl rsa -in server.key.org -out server.key
 
2. Make sure the server.key file is now only readable by root:
 
   $ chmod 400 server.key
 
 Now server.key will contain an unencrypted copy of the key. If you point 
 your server at this file it will not prompt you for a pass-phrase. 
 HOWEVER, if anyone gets this key they will be able to impersonate you on 
 the net. PLEASE make sure that the permissions on that file are really 
 such that only root or the web server user can read it (preferably get 
 your web server to start as root but run as another server, and have the 
 key readable only by root).
 
 As an alternative approach you can use the ``SSLPassPhraseDialog 
 exec:/path/to/program'' facility. But keep in mind that this is neither 
 more nor less secure, of course.
 

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: httpd with SSL

2004-09-06 Thread Josh Hansen 
Cristi Tauber wrote:
   Hello,
   I installed from ports (switched from sources ... hope to learn :) )
apache 1.3.29 with mod-ssl. All good ... httpd works ... i issued a
certificate ... but now when my computer reboots and apache starts in
ssl mode it asks for pass phrase !!! So ... if computer reboots over
night someone have to write the pass phrase so the computer can start.
This is annoying ... how can i skip this ... can i enter the passphrase
in my boot script ? How ???
Cristi
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
 

Hello Cristi,
This is from the apache site:
How can I get rid of the pass-phrase dialog at Apache startup time?
The reason why this dialog pops up at startup and every re-start is that 
the RSA private key inside your server.key file is stored in encrypted 
format for security reasons. The pass-phrase is needed to be able to 
read and parse this file. When you can be sure that your server is 
secure enough you perform two steps:

  1. Remove the encryption from the RSA private key (while preserving 
the original file):

 $ cp server.key server.key.org
 $ openssl rsa -in server.key.org -out server.key
  2. Make sure the server.key file is now only readable by root:
 $ chmod 400 server.key
Now server.key will contain an unencrypted copy of the key. If you point 
your server at this file it will not prompt you for a pass-phrase. 
HOWEVER, if anyone gets this key they will be able to impersonate you on 
the net. PLEASE make sure that the permissions on that file are really 
such that only root or the web server user can read it (preferably get 
your web server to start as root but run as another server, and have the 
key readable only by root).

As an alternative approach you can use the ``SSLPassPhraseDialog 
exec:/path/to/program'' facility. But keep in mind that this is neither 
more nor less secure, of course.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]