From owner-freebsd-security Thu Apr 25 12:32:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 9134937B419 for ; Thu, 25 Apr 2002 12:32:31 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g3PJWBOc022964; Fri, 26 Apr 2002 07:32:11 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Fri, 26 Apr 2002 07:32:11 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: ANdrei Cc: security@FreeBSD.ORG Subject: Re: apache In-Reply-To: <3CC851E7.3529C7AB@abc.ro> Message-ID: <20020426072641.W22173-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 25 Apr 2002, ANdrei wrote: > let me give you a scenario that i want solved :) > > i have a webserver that needs to run apache with SSL (httpd -SSL, if i > remember correctly), but the server is not considered to be secure > enough to have an unencrypted key on it's hard drives... so the key is > crypted, but then, again, apache is unable to start with SSL enabled if > somebody doesn't enter the passphrase by hand... i'm talking about > apache with mod-ssl, it's one of many big servers, and any minute of it > not being up is a big pain in the ass, so starting apache on every > server every time by entering the passphrase by hand is not what i am > looking for... starting it from a script where the passphrase is plain > text is also considered to be insecure for what i need.... Either your server has access to the key or it doesn't. If your server has access to the key then someone who gets root on the box can get the key. There is NO way around this. If you think it's any improvement, you can have your script contact another box for the passphrase, and that will mean you can at least log the event reliably. It might still involve human entry of the passphrase, but at least you can centralise that. Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message