> On 22.02.2019 at 12:03, Ruediger Pluem <[email protected]> wrote:
>
> On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
>> Hi, all;
>> I was approached to see if I would be interested/willing to work on code to
>> support encrypted client keys for the proxy.
>
> You mean encrypted private keys for SSL client authentication?
> You might remember that discussion from 2013 then where you took part:
>
> https://lists.apache.org/thread.html/5d4fbc62cb07a3550af4f516d007973c385389cace202d217f6b74c1@1384351589@%3Cdev.httpd.apache.org%3E
Interesting. Thanks, Rüdiger.

In mod_md, there is no mechanism besides file permissions to protect private keys of server certificates. However, new keys, generated as a less-privileged user, are stored encrypted. When the server reloads and copies them into a "root" form, they are converted to unencrypted. The passphrase sits in memory during this time, because.

Generic security scenarios where the attacker gets root access to file system / memory rapidly become unconstructive, I find. One needs to focus on more specific scenarios and requirements to get anywhere.

-Stefan
