[brlug-general] Where do you put your SSL files?
Tim Fournet
tfournet at tfour.net
Wed Nov 28 09:10:27 CST 2007
If you're assuming that the machine is compromised by a savvy attacker,
then yeah, he would read the key out of RAM. But I'd argue that it's a
couple of degrees harder to get a memory dump and know what to do with
it than finding and stealing a file that says
ultra-secure-ssl-key-do-not-steal-please.crt.
Another option, and if you're doing heavy SSL you should consider this
anyway, is to use an appliance that does the SSL for you. This goes
between the router/firewall and the web server, and handles all the SSL
traffic, encrypting and decrypting in the middle. The web server never
even knows that it's doing SSL sessions. By "appliance" I can be
referring to either a commercial device, or there are some how-tos on
doing it with Squid, iirc.
-ray wrote:
> True, but if it's in Apache memory, the key is still online. As far as I
> know Apache doesn't do any in-memory key protection, so an intruder could
> just dump Apache memory and the key should be in there clear text.
>
> A more common practice is to put a passphrase on the private key. This is
> pretty inconvenient as you have to type in the passphrase at every Apache
> restart. And if an intruder can read your filesystem-protected key file,
> then the server is probably compromised anyway (see 1st paragraph).
>
> If Apache did some kind of memory protection on the key, then some of the
> protection techniques we've been discussing might be feasible. Otherwise
> they're probably just obfuscation.
>
> ray
>
>
> On Wed, 28 Nov 2007, Tim Fournet wrote:
>
>
>> Actually, you only need the private key when _starting_ apache. After
>> it's started, it's loaded in memory and you can take your key offline.
>> Some people go through the trouble of protecting their keys by doing
>> things like only having the volume with the private keys mounted during
>> a startup process, then making the server unable to reach them
>> afterwards. One option would be to keep the keys on a USB drive, and
>> remove that drive after apache starts. Or maybe create a modified
>> filesystem driver that only works if `uptime` is less than a certain
>> amount, and format your ssl-key partition with that filesystem.
>>
>
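As an added example (not code from this thread or from Apache), here is a small audit script for the two weaknesses the discussion keeps coming back to: a private key stored without a passphrase, and a key file that other users on the box can read. It assumes PEM-format keys and GNU `stat`; the sample key files it creates are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example, not code from the thread: audit TLS private key files for
# the two weaknesses discussed above, a key stored without a passphrase and
# a key file readable by other users. Assumes PEM keys and GNU stat.

# key_is_encrypted FILE -> 0 if the key is passphrase-protected, 1 if not
key_is_encrypted() {
    # PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY block;
    # legacy OpenSSL keys carry a "Proc-Type: 4,ENCRYPTED" header.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode_ok FILE -> 0 if no group/other permission bits are set
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in          # last two octal digits are group and other
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_key FILE -> prints findings; exit status is the number of problems
audit_key() {
    problems=0
    if ! key_is_encrypted "$1"; then
        echo "WARN: $1 is stored without a passphrase"
        problems=$((problems + 1))
    fi
    if ! key_mode_ok "$1"; then
        echo "WARN: $1 is readable by group/others (mode $(stat -c '%a' "$1"))"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed files (placeholder PEM bodies, not real keys).
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' \
        > "$d/plain.key" && chmod 644 "$d/plain.key"
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n' \
        > "$d/enc.key" && chmod 600 "$d/enc.key"
    audit_key "$d/plain.key"; echo "plain.key: $? problem(s)"   # 2
    audit_key "$d/enc.key";   echo "enc.key: $? problem(s)"     # 0
    rm -rf "$d"
}
demo
```

Run it over `/etc/ssl/private` (or wherever Apache's `SSLCertificateKeyFile` points) from cron and alert on any non-zero status; a passphrase-protected key is still exposed in process memory once Apache has loaded it, which is exactly the limit ray describes.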