Michael Robinson wrote:
>
> Patrik Carlsson <[EMAIL PROTECTED]> writes:
> >You could remove your key passphrase - but it's not recommended for obvious
> >security reasons!
>
> Everyone says that, but I've never seen anyone elucidate on the so-called
> "obvious" reasons.
>
> The key file is protected by root-read-only permissions. Only someone with
> root access can read the file. If someone has root access, they can gcore
> your running daemon and extract your private key from the core dump with just
> a little more work.
>
> From my point of view, the key passphrase gives people a false sense of
> security (as well as added inconvenience).
Exactly, and this is why Apache-SSL does not support any mechanism for
automating passphrases - we recommend you remove them altogether and
protect your machine with your life (or at least your money).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
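If the passphrase is dropped, the key file's owner and mode are the only thing standing between the private key and a non-root local user, so it is worth checking them. The following is an added example written for this thread, not code from Apache-SSL or OpenSSL; the `expect_root` flag and the PEM stub it writes are constructed for illustration (the stub is not a real key).

```python
import os
import stat
import tempfile

# Markers OpenSSL writes into passphrase-protected PEM keys
# (traditional "RSA PRIVATE KEY" form and PKCS#8 form respectively).
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")


def pem_is_encrypted(pem_text):
    """True if the PEM text carries an OpenSSL passphrase-encryption marker."""
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def key_file_findings(path, expect_root=True):
    """Return a list of findings for a server key file; empty means it passes.

    An unencrypted key's only protection is the file owner and mode, so any
    group/other access bit is flagged.  A passphrase is reported as
    informational only: the running daemon still holds the decrypted key.
    """
    findings = []
    st = os.stat(path)
    if expect_root and st.st_uid != 0:
        findings.append("owner is uid %d, not root" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    if st.st_mode & stat.S_IXUSR:
        findings.append("key file is executable")
    with open(path) as f:
        text = f.read()
    if "PRIVATE KEY" not in text:
        findings.append("file does not look like a PEM private key")
    elif pem_is_encrypted(text):
        findings.append("info: key is passphrase-protected; daemon needs the passphrase at start")
    return findings


def make_sample_key(encrypted=False, mode=0o600):
    """Write a constructed PEM-shaped stub (not a real key) and return its path."""
    body = "-----BEGIN RSA PRIVATE KEY-----\n"
    if encrypted:
        body += "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
    body += "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n"
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for p in key_file_findings(make_sample_key(mode=0o644), expect_root=False):
        print(p)
```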