At 14:21 04/07/98 +0100, you wrote:
>tech wrote:
>>
>> Hi,
>> Thanks to all on this list. I have been combing the archive for help to
>> get my apache-ssl operational and found the help I needed.
>>
>> For those who might still be stuck you might find some help at
>> https://secure.halhinet.on.ca/ It is working at the moment. Comments and
>> critiques would also be welcome. (IE3 won't go there; use Netscape)
>>
>> Here's my problem.
>> My key file was created with a pass phrase as recommended by the people at
>> Thawte. However, when the server boots it does not stop to ask for the
>> pass phrase (I think because of Ben's workaround - Skip first time
>> initialisation) and I get an error
>>
>> SSL disabled for server www.dudley.halhinet.on.ca:80
>> SSL disabled for server www.bishop.haliburton.on.ca:80
>> Enter PEM pass phrase:
>> Error reading private key file /usr/local/apache/conf/halhinet.on.ca.key:
>> 18576:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:
>> pem_lib.c:110
>> :18576:error:0906A068:PEM routines:PEM_do_header:bad password
>> read:pem_lib.c:387:
>> [Sat Jul 4 00:39:07 1998] gcache started
>>
>> Currently the server is running on a self assigned key+cert.
>
>Yeah, this is a consequence, I'm told, of leaving initialisation 'til
>the second round. I don't usually use pass phrases, so I didn't notice.
>I'll try to find a fix for it for the next release.

Just checking here, Ben. You disabled one of the initialisation passes
precisely because it would be annoying to have to enter the passphrase for
each key file twice over... but (as it turns out!) you don't even get one
chance to enter the passphrases?

More generally, I intend to run without passphrases because I can't be on
hand every time the server restarts (Question: if you send httpsd a sig USR1
- after adding a new virtual server to httpd.conf, for example - does that
necessitate reading the keys again?) but that does worry me a bit. Not that
my server is not 100% secure of course ;-) but still, it does start to
become more of a worry now I'm moving into offering SSL services. Do other
people take any extra precautions in this respect? Sensitive question, of
course! I have in mind such as putting the keys "somewhere else", copying
them into one of the "usual places" just before httpsd starts and deleting
them afterwards. None of which of course changes the essence of the
problem, it just makes it more difficult to find the goodies if root is
compromised.

***************************************************
John Sutton
SCL Computer Services
URL http://www.scl.co.uk/
Tel. +44 (0) 1239 621021
***************************************************
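
An added example, not part of the original message or of Apache-SSL: a small audit that reports whether a PEM key file is stored without a pass phrase (the traditional format marks an encrypted key with a `Proc-Type: 4,ENCRYPTED` header, which is what `PEM_do_header` in the error above is parsing) and whether its file or directory permissions are loose. The function name `audit_key_file` and both sample keys are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# One PEM private-key block; group 1 is the label, group 2 the body.
KEY_BLOCK = re.compile(
    r"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)
# Header the traditional SSLeay/OpenSSL PEM format puts on an encrypted key.
PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.M)

# Constructed samples: the base64 body is filler, not real key material.
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQ09OU1RSVUNURUQ=\n"
                    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                "-----END RSA PRIVATE KEY-----\n")


def audit_key_file(path):
    """Return a list of findings for one key file; an empty list means none."""
    with open(path, "r", errors="replace") as fh:
        blocks = KEY_BLOCK.findall(fh.read())
    if not blocks:
        return ["no PEM private key found"]
    findings = []
    for label, body in blocks:
        # PKCS#8 signals encryption in the label, the older format in a header.
        if label != "ENCRYPTED PRIVATE KEY" and not PROC_TYPE.search(body):
            findings.append("%s stored without a pass phrase" % label)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %04o is open to group/other" % mode)
    # A writable, non-sticky parent directory lets others replace the key.
    parent = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    if parent & (stat.S_IWGRP | stat.S_IWOTH) and not parent & stat.S_ISVTX:
        findings.append("directory is writable by group/other")
    return findings


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    for name, text, mode in (("enc.key", SAMPLE_ENCRYPTED, 0o600),
                             ("plain.key", SAMPLE_PLAIN, 0o644)):
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        print(name, audit_key_file(path) or "ok")
```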