Date: Thu, 25 Apr 2002 12:07:00 -0700 (PDT)
From: Doug Barton <DougB@FreeBSD.org>
To: ANdrei
Cc: security@FreeBSD.org
Subject: Re: apache
In-Reply-To: <3CC851E7.3529C7AB@abc.ro>
Message-ID: <20020425120502.B69694-100000@master.gorean.org>

[ I'm sorry to say, this topic isn't appropriate for freebsd mailing lists.
It's purely an apache question. ]

On Thu, 25 Apr 2002, ANdrei wrote:

> let me give you a scenario that i want solved :)
>
> i have a webserver that needs to run apache with SSL (httpd -SSL, if i
> remember correctly), but the server is not considered to be secure
> enough to have an unencrypted key on its hard drives... so the key is
> crypted, but then, again, apache is unable to start with SSL enabled if
> somebody doesn't enter the passphrase by hand... i'm talking about
> apache with mod-ssl, it's one of many big servers, and any minute of it
> not being up is a big pain in the ass, so starting apache on every
> server every time by entering the passphrase by hand is not what i am
> looking for... starting it from a script where the passphrase is plain
> text is also considered to be insecure for what i need....

You can't have it both ways. If you want the key to be encrypted, the
password has to be entered when the server starts up. Any automated
solution would be sufficiently insecure by nature, and roughly equivalent
to leaving the password unencrypted.
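The thread turns on one property of the server: whether the private key sitting on disk is actually encrypted, and whether anyone but the owner can read it. Below is an added audit check, not code from the thread or from Apache/mod_ssl, that classifies PEM key files by the standard PEM labels (PKCS#8 "ENCRYPTED PRIVATE KEY" and the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header) and flags plaintext or world-readable keys; the sample files, their contents and the file modes are constructed for the demonstration and assume a POSIX filesystem.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
# PKCS#8 encrypted keys carry their own PEM label; legacy OpenSSL keys signal
# encryption with a "Proc-Type: 4,ENCRYPTED" header right after the BEGIN line.
ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
LEGACY_ENC_HEADER = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
PRIVATE_KEY_LABEL = re.compile(r"^-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----\s*$", re.M)

def classify_pem_key(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'not-a-key' for one PEM blob."""
    if ENCRYPTED_PKCS8 in pem_text:
        return "encrypted"
    if PRIVATE_KEY_LABEL.search(pem_text):
        return "encrypted" if LEGACY_ENC_HEADER.search(pem_text) else "plaintext"
    return "not-a-key"

def audit_key_file(path: Path) -> list:
    """Findings for one key file; an empty list means nothing to report."""
    findings = []
    kind = classify_pem_key(path.read_text(errors="replace"))
    if kind == "plaintext":
        findings.append("private key stored unencrypted on disk")
    elif kind == "not-a-key":
        findings.append("no PEM private key found")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anyone but the owner can read it
        findings.append("key readable by group/other (mode %04o)" % mode)
    return findings

# Constructed sample files, not real keys: the base64 bodies are placeholders.
SAMPLES = {
    "enc-legacy.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                       "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"),
    "enc-pkcs8.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJD\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "plain.pem": "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
}
MODES = {"enc-legacy.pem": 0o600, "enc-pkcs8.pem": 0o600, "plain.pem": 0o644}

def run_audit() -> dict:
    # Write the constructed samples to a temp dir with MODES applied and audit each one.
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            p = Path(tmp) / name
            p.write_text(text)
            os.chmod(p, MODES[name])
            results[name] = audit_key_file(p)
    return results
```

Running `run_audit()` on the samples reports nothing for the two encrypted, owner-only keys and two findings for the plaintext key.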