Steffen Dettmer wrote:
> > BTW, a few months ago we had a long thread about this topic.
> > Look inside the sw-mod-ssl mailing list archives for details.
>
> Sorry, I couldn't find it... I crawled through lots of mails, but I
> haven't found such a discussion...
Hmmm ... there was certainly much discussion on the Apache-SSL list,
perhaps it's there?
> What's about the feature "SSLPassPhraseDialog exec:/path/to/program" ?
> The manual tells: "The intent is that this external program first runs
> security checks to make sure that the system is not compromised by an
> attacker, and only when these checks were passed successfully it provides
> the Pass Phrase"
> What kind of security checks are possible? I think it's at least very
> difficult to tell the difference between the server and a good hacker: the same
> IP, UID, calling situation and so on may be faked easily.
>
> Does somebody have a good idea?
It is my opinion that this kind of check is completely impossible, which
is why I don't support this option in Apache-SSL - it would only give
people a false sense of security. I completely agree with your
assessment of the situation. I do support passphrases, but they must be
entered from the console - not from a file, or program, and I advise
that they, IMO, provide no worthwhile protection at all.
I think it is regrettable that many people who run SSL servers are not
in a position to make a judgement on security practices, so it is good
that you raise these points, again, for discussion, for those who were
not around for the last marathon.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
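For readers who have not seen what an `exec:` pass phrase program actually looks like, here is one written for this page; it is not from the thread, and it is not mod_ssl's or Apache-SSL's own code. As the mod_ssl manual describes, the program is invoked with `servername:port` and the key type (`RSA` or `DSA`) as its two arguments and must print the pass phrase on stdout. The install path `/usr/local/sbin/sslpass`, the table path `/etc/ssl/private/passphrases.tab`, its tab-separated layout and the function names are all assumptions made for the example. The only "security check" it performs is refusing to run if the table is readable by anyone but its owner; as the thread points out, nothing a program like this can inspect about its caller distinguishes httpd from an attacker who already has the same UID, so the check guards against misconfiguration, not against a compromised host.

```shell
#!/bin/sh
# Hypothetical pass phrase provider for
#   SSLPassPhraseDialog exec:/usr/local/sbin/sslpass
# mod_ssl runs it as:  sslpass servername:port RSA|DSA
# and reads the pass phrase from the program's stdout.
#
# Pass phrases live in a root-only table (assumed path and layout):
#   servername:port<TAB>RSA|DSA<TAB>pass phrase
SSLPASS_TABLE="${SSLPASS_TABLE:-/etc/ssl/private/passphrases.tab}"

# table_permissions_ok FILE: succeed only if group and others have no
# permission bits at all (mode 600 or 400). Portable via ls, not stat.
table_permissions_ok() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# lookup_passphrase SERVER:PORT KEYTYPE: print the matching pass phrase,
# return 1 if there is no entry. Exact match on both columns.
lookup_passphrase() {
    awk -v srv="$1" -v kt="$2" -F'\t' '
        $1 == srv && $2 == kt { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }' "$SSLPASS_TABLE"
}

# sslpass_main: the entry point in the shape mod_ssl expects.
# Exit non-zero (and print nothing) on any problem so httpd fails to
# start instead of loading the key with an empty pass phrase.
sslpass_main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 servername:port RSA|DSA" >&2
        return 2
    fi
    # This is the whole "security check": it catches a sloppy chmod,
    # not an attacker who is already root on the box.
    if ! table_permissions_ok "$SSLPASS_TABLE"; then
        echo "refusing: $SSLPASS_TABLE is readable by group/others" >&2
        return 1
    fi
    if ! lookup_passphrase "$1" "$2"; then
        echo "no pass phrase for $1 ($2)" >&2
        return 1
    fi
}

# Act as the provider only when called with the two arguments mod_ssl passes.
if [ $# -eq 2 ]; then
    sslpass_main "$@"
fi
```

Note what the script can and cannot see: it runs with httpd's start-up privileges and reads a file that only root can read, so anyone who can run it with those privileges gets the pass phrase no matter what it checks about its parent process, UID or invocation. That is the false sense of security Ben refers to; the script is still marginally better than `SSLPassPhraseDialog builtin` with the phrase typed into a startup script, because the secret at least sits in one mode-600 file rather than in a world-readable init script.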