RE: [users@httpd] Automating apachectl startssl on startup

> -----Original Message-----
> From: Aman Raheja [mailto:araheja@xxxxxxxxxxxxxx]
> Sent: Monday, 9 January 2006 19:29
> To: users@xxxxxxxxxxxxxxxx; users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] Automating apachectl startssl on startup
> 
> 
> Well, this solution is dependent on programming skills.
> You may have a C/C++ binary which fetches the password from a database (you
> may hardcode it) and works as a wrapper to apachectl.
> This could be done using a PERL/SHELL script but that would leave the
> password exposed in the scripts, so prefer binaries.

This is a nice idea (compiling the PW into the binary is neat :-). However, you should understand the purpose of a pass-phrase on a certificate in the first place.

A certificate does more than encrypt traffic to your site, it provides *authentication* that your site really does belong to you. A user on the web can be sure that the server responding to your domain really is operated by you. But, what happens if your server is compromised and an attacker copies your cert? He can now impersonate your site with your valid certificate! The use of a passphrase prevents this since he can't start the server unless he knows the passphrase. Putting the passphrase into a script defeats this security mechanism since the thief can steal the script too (whether the passphrase is compiled in or not doesn't help - he just runs the script). It's the SSL equivalent of leaving the key under the mat...

An alternative viewpoint is to consider that if you are running an SSL server, you must have some sensitive data to protect. If so, you'd better make sure the server is secure! That means FW, up-to-date patches, limited access etc. If you do all that properly (and you should), how can anyone steal the cert? Therefore a pass-phrase is unnecessary. To put it another way, if your setup allows someone to steal the cert, you shouldn't be running an SSL server in the first place...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
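
As an added example (not code from the thread or from the Apache project), the facility that Aman's wrapper re-implements already exists in mod_ssl: `SSLPassPhraseDialog exec:/path/to/program` runs the program at startup with `servername:port` and the key type as arguments and reads the pass-phrase from its stdout. The handler below keeps the pass-phrase out of the script itself, reads it from a separate file, and refuses to answer unless that file is a regular file owned by the starting user and unreadable by group and others; Owen's objection still applies, since whoever can read that file can start the server with the key, so this only narrows the exposure to root on the host. The script path, the pass-phrase file path and the `SSL_PASSPHRASE_FILE` variable are assumptions.

```shell
#!/bin/sh
# Added example: handler for
#   SSLPassPhraseDialog exec:/usr/local/sbin/ssl-passphrase.sh
# mod_ssl passes "servername:port" and the key type (RSA/DSA) as
# arguments; this handler ignores them and serves one pass-phrase.
# Assumed location of the pass-phrase file; SSL_PASSPHRASE_FILE overrides it.
: "${SSL_PASSPHRASE_FILE:=/etc/apache/ssl.key/passphrase}"

# passphrase_for SERVER:PORT KEYTYPE
# Prints the pass-phrase on stdout and returns 0, or prints nothing and
# returns 1 so that httpd fails to start instead of using a bad secret.
passphrase_for() {
    f="$SSL_PASSPHRASE_FILE"
    # Regular file only; a symlink could be pointed anywhere by an attacker
    # with write access to the directory.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Owner must be the user starting httpd (root at boot), not a web or
    # deploy account that could have been edited into the file.
    [ -n "$(find "$f" -user "$(id -un)" 2>/dev/null)" ] || return 1
    # Reject anything readable by group or others: mode must be 0400/0600.
    [ -z "$(find "$f" -perm -040 -o -perm -004 2>/dev/null)" ] || return 1
    # First line only, so stray trailing lines never become part of the
    # pass-phrase; an empty file is treated as misconfiguration.
    pass=$(head -n 1 "$f")
    [ -n "$pass" ] || return 1
    printf '%s\n' "$pass"
}

# Act as the dialog only when executed under the installed name, so the
# function can also be sourced and exercised without touching httpd.
case "$0" in
    *ssl-passphrase.sh) passphrase_for "$@" ;;
esac
```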


 
> HTH
> Aman Raheja
> 
> On Mon, 9 Jan 2006 12:56:57 -0500, "Kaplan, Andrew H."
> <AHKAPLAN@xxxxxxxxxxxx> wrote:
> 
> > Hi there -
> > 
> > Is there a way to have an apache 1.3.34 server automatically start with
> > ssl enabled on system boot? Currently, I need to start the server
> > manually and enter the pass-phrase associated with the certificate.
> > How can this be done without admin intervention? Thanks.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx