Bug#136052: apache-ssl in woody/stable can't use encrypted keys
Hi Ben,
> The Apache configuration is read twice, once before detaching and once
> after. So, the second passphrase read is caused by the second config
> read. Of course, it'll also fail if Apache is restarted, which is why my
> advice is normally to not have a passphrase on the key (since it's stored
> in memory in the Apache process, the value of passphrasing it is dubious
> in any case).
I think that reading the key from the memory is still a bit harder
for a script kiddie than reading the key from a file, so it is worth
keeping the key protected by a passphrase.
Anyway, we are forced to use encrypted keys by our CA policy, which
is beyond reasoning :-)
So I'm trying to figure out what to do. As Christoph pointed out,
the problem arises from reading the config file while already
being detached from the tty. Could you give us a hint on how to fix
that? Which change in the code might have broken it? Password
protected keys worked well with potato apache-ssl and still work
with our Apache/1.3.26 Ben-SSL/1.48 (AIX) server, so there
seems to be a chance to fix the flaw in Debian
apache-ssl-1.3.26.1+1.48.
Or would you recommend that we change to mod_ssl or apache 2.x?
Thanks, Thomas