> I've seen people recommending removing the passphrase or using SSLPassPhraseDialog. > But I'd prefer to use pass-phrases and graceful restart if possible. Understand that if you keep passphrases on your keys, and you get Apache to restart without prompting you for them, then what you've done is to force Apache to store the passphrases somewhere on disk, unencrypted. It has to do that, so it can read the passphrases when it starts. So in that case, you haven't improved the security of your server or SSL keys. All you've done is trade the need to protect the unencrypted SSL keys, for the need to protect the file where Apache is storing the passphrases. Personally I prefer the former, because I know where the key files are, but I don't know where Apache stores the passphrases. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|