https://bz.apache.org/bugzilla/show_bug.cgi?id=66016

            Bug ID: 66016
           Summary: The passphrase for TLS private key password encryption
                    is stored in plaintext
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

The passphrase for TLS private key password encryption is stored in plaintext, so
there is still a risk of information leakage; this does not comply with the security
regulations of commercial scenarios. Maybe HTTPD should implement a more secure way
to store sensitive configurations.

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
    SSLCertificateFile /etc/server.crt
    SSLCertificateKeyFile /etc/server.key
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</IfModule>
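Added example (not part of the bug report and not httpd's own code): mod_ssl already has a mechanism that keeps the key passphrase out of httpd.conf entirely. The server-level directive SSLPassPhraseDialog exec:/path/to/program makes httpd run an external program at startup for each encrypted private key, passing "servername:port" as the first argument and the key type (RSA, DSA, ECC) or a certificate index as the second, and reading the passphrase from the program's stdout. The helper below implements that program. The directory layout (/etc/httpd/keypass/<servername>_<port>, one root-only file per vhost) and the script path /usr/local/sbin/keypass.sh are assumptions for illustration; the permission check is there so the helper refuses to hand out a passphrase from a file that other users could read.

```shell
#!/bin/sh
# Passphrase helper for Apache httpd mod_ssl (added example, not httpd's own code).
# Wire it up in the server config (not inside a <VirtualHost>):
#   SSLPassPhraseDialog exec:/usr/local/sbin/keypass.sh      # path is an assumption
# httpd calls it once per encrypted private key as:
#   keypass.sh servername:port KEYTYPE
# and takes the passphrase from the first line of stdout, so it never sits in httpd.conf.
#
# Assumed layout (hypothetical): one file per vhost under $KEYPASS_DIR, named
# "<servername>_<port>", owned by the user httpd starts as and mode 0600.

KEYPASS_DIR="${KEYPASS_DIR:-/etc/httpd/keypass}"

# Map "servername:port" to a file name; reject anything that could escape the directory.
keypass_file() {
    target="$1"
    case "$target" in
        */*|*..*|'') return 1 ;;
    esac
    printf '%s/%s\n' "$KEYPASS_DIR" "$(printf '%s' "$target" | tr ':' '_')"
}

# Refuse a passphrase file that is not a regular file or that other users can read.
keypass_check_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # stat -c is GNU coreutils; BSD/macOS stat uses -f '%Lp'
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the passphrase for a vhost, or fail without printing anything.
keypass_lookup() {
    f=$(keypass_file "$1") || return 1
    keypass_check_perms "$f" || return 1
    # httpd reads a single line from stdout and strips the trailing newline itself.
    head -n 1 "$f"
}

# Entry point used by httpd; with no arguments (e.g. when sourced) nothing runs.
if [ "$#" -ge 1 ]; then
    keypass_lookup "$1" || {
        printf 'keypass: no usable passphrase for %s\n' "$1" >&2
        exit 1
    }
fi
```

Because the passphrase files are read only at startup by the root process that opens the keys, the unprivileged worker processes never see them, and the files can be rotated or replaced by a call into a secrets manager without touching the httpd configuration. A failed lookup exits non-zero with nothing on stdout, so httpd refuses to start rather than silently proceeding with an unreadable key.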
