[brlug-general] Where do you put your SSL files?

Dustin Puryear dustin at puryear-it.com
Sun Dec 2 18:14:50 CST 2007


Well, I think that "And if an intruder can read your filesystem
protected key file, then the server is probably compromised anyway (see
1st paragraph)" would be better phrased as "And if an intruder can read
the protected key file, then the application owning that key and the
files the application can read are probably compromised anyway".

--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration


-ray wrote:
> True, but if it's in Apache memory, the key is still online.  As far as I 
> know Apache doesn't do any in-memory key protection, so an intruder could 
> just dump Apache memory and the key should be in there clear text.
> 
> A more common practice is to put a passphrase on the private key.  This is 
> pretty inconvenient as you have to type in the passphrase at every apache 
> restart.  And if an intruder can read your filesystem protected key file, 
> then the server is probably compromised anyway (see 1st paragraph).
> 
> If Apache did some kind of memory protection on the key, then some of the 
> protection techniques we've been discussing might be feasible.  Otherwise 
> they're probably just obfuscation.
> 
> ray
> 
> 
> On Wed, 28 Nov 2007, Tim Fournet wrote:
> 
>> Actually, you only need the private key when _starting_ apache. After
>> it's started, it's loaded in memory and you can take your key offline.
>> Some people go through the trouble of protecting their keys by doing
>> things like only having the volume with the private keys mounted during
>> a startup process, then making the server unable to reach them
>> afterwards. One option would be to keep the keys on a USB drive, and
>> removing that drive after apache starts. Or maybe create a modified
>> filesystem driver that only works if `uptime` is less than a certain
>> amount, and format your ssl-key partition with that filesystem
> 
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
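
The "mount the key volume only for the startup window" procedure that Tim describes above, written out as an added shell example; it is not code from any of the posters. Everything in it is an assumption for illustration: the key volume is /dev/sdb1, it is mounted at /etc/ssl/private-vol, Apache's SSLCertificateKeyFile points at server.key under that mountpoint, and the control program is apachectl (apache2ctl on Debian-style systems). The mount, umount and apachectl commands are taken from variables so the procedure can be exercised against stand-ins without touching real devices.

```shell
#!/bin/sh
# Start Apache with its TLS private key reachable from disk only while
# mod_ssl reads it, then detach the volume again.
#
# Assumed layout (not from the original thread):
KEY_DEV="${KEY_DEV:-/dev/sdb1}"                   # volume holding the keys
KEY_MNT="${KEY_MNT:-/etc/ssl/private-vol}"        # where it is attached
KEY_FILE="${KEY_FILE:-$KEY_MNT/server.key}"       # what SSLCertificateKeyFile names
MOUNT="${MOUNT:-mount}"                           # overridable for dry runs
UMOUNT="${UMOUNT:-umount}"
APACHECTL="${APACHECTL:-apachectl}"               # apache2ctl on Debian/Ubuntu

# Attach the key volume read-only, start Apache, detach the volume.
# Returns 0 only if Apache started AND the key path is gone afterwards.
# On any failure the volume is detached before returning, so a failed
# start never leaves the key sitting on a mounted filesystem.
start_apache_with_offline_key() {
    "$MOUNT" -o ro "$KEY_DEV" "$KEY_MNT" || return 1

    if [ ! -r "$KEY_FILE" ]; then
        echo "key file $KEY_FILE not readable after mount" >&2
        "$UMOUNT" "$KEY_MNT"
        return 1
    fi

    # mod_ssl loads the key into the parent process here; from this point
    # on the running server no longer needs the file.
    if ! "$APACHECTL" start; then
        echo "apache failed to start, detaching key volume" >&2
        "$UMOUNT" "$KEY_MNT"
        return 1
    fi

    "$UMOUNT" "$KEY_MNT" || return 1

    # Final check: the path Apache was configured with must now be absent.
    [ ! -e "$KEY_FILE" ]
}

# Run the procedure only when invoked directly with --run, so that
# sourcing this file (for testing) does not mount anything.
if [ "${1:-}" = "--run" ]; then
    start_apache_with_offline_key
fi
```

Two caveats that follow from the thread itself: a restart or graceful reload makes the parent re-read its configuration, key file included, so the volume has to be reattached for those as well (the script only covers the initial start); and, as ray points out, the key is still sitting in Apache's memory afterwards, so this limits exposure of the file on disk, not of the running process.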
