[Re: [lug] Apache + SSL]

rm at mamma.varadinet.de
Fri Aug 18 02:47:15 MDT 2000


On Thu, Aug 17, 2000 at 06:46:52PM -0600, PC Drew wrote:
> Thus spake Justin on Thursday, August 17, 2000, 12:37:17 PM:
> 
> J> Is this common practice making server keys without passphrases? Or is it
> J> relatively insecure? I don't mind having to enter the passphrase. I'm just
> J> trying to make it so the server can come back up on its own in the case that
> J> it crashed (but of course that never happens  :) or a power outage. Thanks
> J> again for the help.
> 
> use expect!  That's what it's for!  The URL is http://expect.nist.gov.

And what difference would that make? The issue here is: You encrypt your 
private SSL key so that no one can abuse it _even_ if he/she has
physical access to the key (i.e. can read/copy it from the hard drive). 
Since this key is used to authenticate your part of a business transaction
it's important that no one can mess with it. 
It doesn't make a difference whether your key doesn't have a passphrase or
you store the passphrase in an expect script--the net result is the same:
any intruder can abuse your key once the system is cracked.
(Oh, by the way: if you need high web security: get rid of /proc/nnn/mem ... ;-)


 Ralf
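
Added example, not part of the original message: a small audit, from the server administrator's side, of whether a PEM key file is passphrase-protected and who can read it. The function names and the sample PEM text are constructed for illustration; the key bodies are placeholders, not real keys.

```python
import os
import stat

# Constructed samples: the headers follow OpenSSL's PEM conventions, the body is a placeholder.
SAMPLE_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def classify_pem(text):
    """Return 'encrypted', 'plaintext' or 'not-a-key' for PEM text."""
    # PKCS#8 marks encryption in the label itself.
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "encrypted"
    if "PRIVATE KEY-----" not in text:
        return "not-a-key"
    # Traditional OpenSSL format marks encryption with a Proc-Type header.
    if "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted"
    return "plaintext"


def audit_key(path):
    """Return a list of findings for one key file on disk."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        kind = classify_pem(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if kind == "plaintext":
        findings.append("no passphrase: read access to the file is access to the key")
    if mode & 0o077:
        findings.append("accessible by group/other (mode %03o)" % mode)
    # An 'encrypted' result only helps if the passphrase is not stored on
    # the same host (for example in a startup script); this check cannot see that.
    return findings
```
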





