Moritz wrote:
> But still I think it's never a good idea to write a password in plain text in any file. If the password is stored in plain text and something goes wrong, an attacker might be able to steal my private key and use it. And this would be really bad.
Obviously, this depends on your web site's "hacker desirability", but if they can read your server.xml, they can likely hijack your entire web app and install their exploit into your existing pages, since the SSL encryption is in the clear for the webapp itself and thus they can see whatever data was entered by users. So, if you cannot secure your server.xml, then your entire web app is vulnerable to attacks EVEN IF they couldn't get the password to your private key. Stealing your SSL cert private key is probably worth less and harder to exploit than simply changing your login page or the like to capture user credentials (of course, such changes can be discovered using tools like Snort). A stolen set of SSL cert keys is harder to exploit and hide.


> Therefore I'm looking for a way to pass the password via the console.
This has been discussed many times before. I'm sure if you write code that allows this to work, some will want to use it, too. It's open source after all... And you can always put httpd in front, since its OpenSSL implementation allows for cert password prompts.

David
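The premise of the reply above is that a readable server.xml is the real exposure, not the keystore password alone. The script below is an added example for this page, not code from the thread or from Tomcat: it audits a server.xml for a cleartext `keystorePass="..."` connector attribute and reports who on the host can read the file. The sample server.xml is constructed here, and the verdict thresholds (FAIL when readable beyond the owner, WARN when owner-only) are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a Tomcat server.xml
# for a cleartext keystore password and for permissions that let other local
# users read it. Assumes the keystoreFile= / keystorePass= connector
# attributes; the sample file below is constructed for the demo.

# Write a constructed sample server.xml into a fresh temp directory and print its path.
make_sample_server_xml() {
    dir=$(mktemp -d)
    cat > "$dir/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
EOF
    printf '%s\n' "$dir/server.xml"
}

# Print "world" if others can read the file, "group" if only the group can,
# "owner" if only the owner can. Reads the 10-character mode string from ls -l
# (position 5 is group-read, position 8 is other-read), which works on GNU and BSD.
readable_by() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) echo world ;;
        ????r?????) echo group ;;
        *)          echo owner ;;
    esac
}

# Number of connector lines carrying a cleartext keystore password.
# grep -c exits 1 on zero matches, so the "|| true" keeps set -e callers alive.
cleartext_keystore_passwords() {
    grep -c 'keystorePass="' "$1" || true
}

# Verdict: OK with no cleartext password; WARN if present but owner-readable
# only; FAIL if anyone beyond the owner can read the password.
audit_server_xml() {
    f=$1
    n=$(cleartext_keystore_passwords "$f")
    who=$(readable_by "$f")
    if [ "$n" -eq 0 ]; then
        echo "OK: no keystorePass in $f"
    elif [ "$who" = owner ]; then
        echo "WARN: $n cleartext keystorePass in $f (owner-readable only)"
    else
        echo "FAIL: $n cleartext keystorePass in $f readable by $who"
    fi
}

# Demo: a 0644 file fails, tightening it to 0600 downgrades the finding to a warning.
demo() {
    f=$(make_sample_server_xml)
    chmod 0644 "$f"
    audit_server_xml "$f"
    chmod 0600 "$f"
    audit_server_xml "$f"
}
```

Run `demo` after sourcing the file, or call `audit_server_xml /path/to/conf/server.xml` against a real installation. The check is deliberately coarse: it does not parse XML, so a commented-out connector still counts, and it says nothing about root or the Tomcat service account, which can read the file regardless of mode bits.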

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]