Hi, Thanks for the responses. Maybe I should ask a more distinct question first: When we use "apachectl graceful", is the expected functionality that apache does not ask for pass-phrases again? Presumably because it has the decrypted keys already in memory? Or, does apache restart they key loading process all over again? Presently, sometimes it doesn't ask, sometimes it does. Thank you for your help, Shahriar. On 2013-02-13, at 12:49 PM, Andrew Schulman <andrex@xxxxxxxxxxxxxxxxx> wrote: >> I've seen people recommending removing the passphrase or using SSLPassPhraseDialog. >> But I'd prefer to use pass-phrases and graceful restart if possible. > > Understand that if you keep passphrases on your keys, and you get Apache to > restart without prompting you for them, then what you've done is to force > Apache to store the passphrases somewhere on disk, unencrypted. It has to > do that, so it can read the passphrases when it starts. > > So in that case, you haven't improved the security of your server or SSL > keys. All you've done is trade the need to protect the unencrypted SSL > keys, for the need to protect the file where Apache is storing the > passphrases. Personally I prefer the former, because I know where the key > files are, but I don't know where Apache stores the passphrases. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|