Posted to users@httpd.apache.org by Andrew Schulman <an...@alumni.utexas.net> on 2013/02/13 18:49:19 UTC

[users@httpd] Re: Graceful Restart fails because of SSL Keys with Passphrase?

> I've seen people recommending removing the passphrase or using SSLPassPhraseDialog.
> But I'd prefer to use pass-phrases and graceful restart if possible.

Understand that if you keep passphrases on your keys, and you get Apache to
restart without prompting you for them, then what you've done is to force
Apache to store the passphrases somewhere on disk, unencrypted.  It has to
do that, so it can read the passphrases when it starts.

So in that case, you haven't improved the security of your server or SSL
keys.  All you've done is trade the need to protect the unencrypted SSL
keys, for the need to protect the file where Apache is storing the
passphrases.  Personally I prefer the former, because I know where the key
files are, but I don't know where Apache stores the passphrases.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
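A check in the spirit of the reply above, added here as an example that is not from the thread or from httpd itself: a POSIX shell script that reads the SSLCertificateKeyFile paths out of a config and reports, for each key, whether the PEM is passphrase-protected and whether its file permissions let anyone besides the owner read it. The config and key files it inspects are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: audit the private keys an httpd config
# points at. A key without a passphrase, or one whose passphrase the server can
# read back from disk, is only as safe as the file that holds it, so this
# reports for each SSLCertificateKeyFile whether the PEM is encrypted and
# whether anyone besides the owner can read it. All paths are constructed.

# key_is_encrypted FILE: succeeds if the PEM carries an encryption marker
# (traditional "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 ENCRYPTED block).
key_is_encrypted() {
  grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_mode FILE: permission bits as an octal string such as 600
# (GNU stat first, BSD stat as fallback).
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_config CONF: prints one line per SSLCertificateKeyFile directive:
#   <path> encrypted=yes|no mode=<octal> exposed=yes|no
# where exposed=yes means group or other hold any permission bit.
audit_config() {
  sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]][[:space:]]*\(.*\)$/\1/p' "$1" |
  while read -r key; do
    key=${key%\"}; key=${key#\"}          # strip optional surrounding quotes
    if [ ! -r "$key" ]; then echo "$key missing_or_unreadable"; continue; fi
    if key_is_encrypted "$key"; then enc=yes; else enc=no; fi
    mode=$(key_mode "$key")
    case "$mode" in *00) exposed=no ;; *) exposed=yes ;; esac
    echo "$key encrypted=$enc mode=$mode exposed=$exposed"
  done
}

# make_demo DIR: constructed sample config plus two placeholder key files
# (not real keys): one passphrase-protected and owner-only, one plaintext
# and group-readable. Prints the config path.
make_demo() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/plain.key"
  chmod 600 "$1/enc.key"; chmod 640 "$1/plain.key"
  printf 'SSLCertificateKeyFile "%s/enc.key"\n    SSLCertificateKeyFile %s/plain.key\n' "$1" "$1" > "$1/ssl.conf"
  echo "$1/ssl.conf"
}

# Stand-alone run against the constructed config.
tmp=$(mktemp -d); audit_config "$(make_demo "$tmp")"; rm -rf "$tmp"
```

Point it at a real httpd config to see which keys would be left unprotected on disk if the passphrase prompt were removed.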


[users@httpd] Re: Graceful Restart fails because of SSL Keys with Passphrase?

Posted by Andrew Schulman <an...@alumni.utexas.net>.
> Maybe I should ask a more distinct question first:
> 
> When we use "apachectl graceful", is the expected functionality that apache does not ask for pass-phrases again?  Presumably because it has the decrypted keys already in memory?  Or, does apache restart the key loading process all over again?
> 
> Presently, sometimes it doesn't ask, sometimes it does.

I'm sorry, I think I misunderstood your question before.  I was thinking of a
full restart, not a "graceful" restart, aka reload.

If I understand the docs right, the same main server process will normally
continue, just rereading its configuration files.  I would think the expected
behavior would be not to reprompt, since the passphrases are already stored in
memory.  But I don't see that in the docs anywhere.  


Re: [users@httpd] Graceful Restart fails because of SSL Keys with Passphrase?

Posted by Shahriar Aghajani <ag...@principle.com>.
Hi,

Thanks for the responses.

Maybe I should ask a more distinct question first:

When we use "apachectl graceful", is the expected functionality that apache does not ask for pass-phrases again?  Presumably because it has the decrypted keys already in memory?  Or, does apache restart the key loading process all over again?

Presently, sometimes it doesn't ask, sometimes it does.

Thank you for your help,
Shahriar.

On 2013-02-13, at 12:49 PM, Andrew Schulman <an...@alumni.utexas.net> wrote:

>> I've seen people recommending removing the passphrase or using SSLPassPhraseDialog.
>> But I'd prefer to use pass-phrases and graceful restart if possible.
> 
> Understand that if you keep passphrases on your keys, and you get Apache to
> restart without prompting you for them, then what you've done is to force
> Apache to store the passphrases somewhere on disk, unencrypted.  It has to
> do that, so it can read the passphrases when it starts.
> 
> So in that case, you haven't improved the security of your server or SSL
> keys.  All you've done is trade the need to protect the unencrypted SSL
> keys, for the need to protect the file where Apache is storing the
> passphrases.  Personally I prefer the former, because I know where the key
> files are, but I don't know where Apache stores the passphrases.
> 
