Aaron Dalton wrote:
AFAIK there is no way around this. If you do not want Apache to wait for a pass phrase, you have to strip the private key of encryption. This of course has multiple security problems, but I'm afraid those are your only options that I am aware of.$ openssl rsa -in encryptedkey.pem -out strippedkey.pem
Of course providing a passphrase response program introduces just as many (if not more) security problems. Your best bet is to make certain that strippedkey.pem is previously touch'ed, chmod'ded 600 and owned by root before you invoke the command, above. Provided you start apache as root and have it setuid to another User/Group, this is the safest course. The certs/keys will be slurped up during the config phase, and while the server is running no cgi would have access to its contents. Bill --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|