Hi,

It's recommended to use DES3-encrypted RSA server keys with mod_ssl.
To steal this key, a hacker needs root permissions.
But if a hacker has root permission, it's easy to steal the DES3
passphrase too. I think at least somewhere in (RAM) memory the key is
decrypted, since the server needs the key. I think that the key is
somewhere in a core dump from httpd - and so the hacker could analyze it
and steal the key.

A different way would be to use a patched httpd/OpenSSL, which dumps all
passphrases into a file or so.

All in all I think it's not more secure to use a DES3 key, since the
hacker who is able to get the keyfile is able to get the passphrase too,
isn't he???

So I cannot see the need for a passphrase at all...

What does the list think about this question?


Thanks, 

Steffen
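Read from a defender's side, the post leaves one thing a server administrator can actually verify: whether the key files on disk are passphrase-protected at all, and who besides the owner can read them (the attacker in the post first has to "get the keyfile"). The audit below is an added example, not code from the original post or from the mod_ssl project; the function names are my own, and the sample PEM files it writes are constructed placeholders containing no real key material.

```sh
#!/bin/sh
# Added example (not from the original post or from mod_ssl): a read-only
# audit of PEM private key files. It reports the encryption scheme of each
# key and whether group/other can read the file. POSIX sh, grep, sed, ls.

# Print the encryption scheme of a PEM private key:
#   the DEK-Info cipher (e.g. DES-EDE3-CBC) for traditional encrypted keys,
#   PKCS8 for an "ENCRYPTED PRIVATE KEY" block, or "none" for cleartext.
key_encryption() {
    f=$1
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        # Header looks like: DEK-Info: DES-EDE3-CBC,<hex IV>
        sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$f" | head -n 1
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo PKCS8
    else
        echo none
    fi
}

# Exit status 0 if the key is passphrase-protected in any form.
key_is_encrypted() {
    [ "$(key_encryption "$1")" != none ]
}

# Exit status 0 if group or other have read access.
# ls -ld prints e.g. "-rw-r-----"; characters 5-10 are the group/other bits.
key_readable_by_others() {
    mode=$(ls -ld "$1" | cut -c5-10)
    case $mode in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# One-line report per file; exit status 0 only when the key is encrypted
# AND readable by its owner alone.
audit_key() {
    f=$1
    enc=$(key_encryption "$f")
    if key_readable_by_others "$f"; then others=yes; else others=no; fi
    echo "$f: encryption=$enc readable_by_others=$others"
    [ "$enc" != none ] && [ "$others" = no ]
}

# Write three constructed sample files into DIR (placeholder bodies, not
# real keys) so the audit can be run offline.
make_samples() {
    d=$1
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Proc-Type: 4,ENCRYPTED'
        echo 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF'
        echo ''
        echo 'CONSTRUCTED-PLACEHOLDER-NOT-KEY-MATERIAL'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$d/des3.pem"
    chmod 600 "$d/des3.pem"

    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'CONSTRUCTED-PLACEHOLDER-NOT-KEY-MATERIAL'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$d/plain.pem"
    chmod 644 "$d/plain.pem"

    {
        echo '-----BEGIN ENCRYPTED PRIVATE KEY-----'
        echo 'CONSTRUCTED-PLACEHOLDER-NOT-KEY-MATERIAL'
        echo '-----END ENCRYPTED PRIVATE KEY-----'
    } > "$d/pkcs8.pem"
    chmod 640 "$d/pkcs8.pem"
}

# Demo run over the constructed samples (a real audit would point at the
# directory named by SSLCertificateKeyFile in the httpd configuration).
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for k in "$demo_dir"/*.pem; do
    audit_key "$k" || true
done
rm -rf "$demo_dir"
```

Only `des3.pem` passes both checks; `plain.pem` fails on encryption, and `pkcs8.pem` fails because the group read bit is set. The check deliberately says nothing about memory or core dumps, which the post is right about: once an attacker has root on the host, a passphrase on the file no longer separates them from the key, so the passphrase is protection against leaked backups and loose file permissions, not against a compromised server.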

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
