On Mon, 09 Nov 1998 11:18:19 GMT,
Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 09, 1998, Trung Tran-Duc wrote:
>
> > On Mon, 09 Nov 1998 10:03:23 GMT,
> > Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> >
> > > [...]
> > > This way we init SSLeay on every init under DSO/DLL situation but not under
> > > Unix/non-DSO. And the pass phrase handling is done only on the first init.
> >
> > Rhetorical question: what would happen if I change the mod_ssl config,
> > the new private key file is encrypted with _different_ pass phrase and
> > I restart Apache? Of course Apache cannot regain the terminal to ask
> > for the pass phrase. Is it correct? In this case will it fail or hang
> > in reading from an invisible terminal?
>
> No, it'll not hang because we don't cache the pass phrase. We cache the
> private key itself. So on restarts the private key (and certificate file) is
> _NOT_ reloaded from disk. It's provided to SSLeay again, yes - but from the
> cache. Because as we discussed some time ago, caching the pass phrase is more
> a security problem than directly caching the private key (because SSLeay
> caches the private key itself, too).
>
> So we should not have any pass phrase handling problems here.

It means that if I want to change the private key, I have to shut down
the server and start it again; it does not suffice to send a restart
signal. Right?
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
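
The restart behaviour discussed in this thread, as an added Python model (not mod_ssl code and not part of any message above). It caches the decrypted key for the life of the process, as Ralf describes, and shows what a replaced key file looks like after a restart signal versus a full stop and start. The class and function names, the per-virtual-host cache key, the path and the pass phrases are all constructed assumptions.

```python
import hashlib

def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]

class ServerProcess:
    """One server process lifetime; a full stop/start is a new instance."""

    def __init__(self, disk, ask_pass_phrase):
        self.disk = disk            # path -> (pass phrase, key bytes): stand-in for encrypted key files
        self.ask = ask_pass_phrase  # stand-in for the terminal prompt
        self.key_cache = {}         # vhost -> decrypted key, kept until the process exits
        self.active = {}            # vhost -> key currently handed to the SSL library
        self.prompts = 0

    def _read_key(self, path):
        required, key = self.disk[path]
        self.prompts += 1
        if self.ask(path) != required:
            raise ValueError(f"wrong pass phrase for {path}")
        return key

    def init(self, config):
        """Runs at start and again on every restart signal."""
        for vhost, path in config.items():
            if vhost not in self.key_cache:             # first init only: disk read + prompt
                self.key_cache[vhost] = self._read_key(path)
            self.active[vhost] = self.key_cache[vhost]  # later inits: served from the cache

    def stale_vhosts(self, config):
        """Vhosts whose in-memory key differs from the key file (model shortcut: raw bytes)."""
        return [v for v, p in config.items()
                if fingerprint(self.active[v]) != fingerprint(self.disk[p][1])]

def rotate_and_restart():
    path, vhost = "/constructed/server.key", "www.example.com:443"
    disk = {path: ("old phrase", b"OLD-KEY-BYTES")}     # constructed sample data
    phrases = {path: "old phrase"}
    config = {vhost: path}
    proc = ServerProcess(disk, phrases.get)
    proc.init(config)                                   # initial start: one prompt
    disk[path] = ("new phrase", b"NEW-KEY-BYTES")       # key replaced, different pass phrase
    proc.init(config)                                   # restart signal: no disk read, no prompt
    after_restart = (proc.prompts, proc.stale_vhosts(config))
    phrases[path] = "new phrase"
    fresh = ServerProcess(disk, phrases.get)            # full stop, then start
    fresh.init(config)
    return after_restart, (fresh.prompts, fresh.stale_vhosts(config))
```

In this model the restarted process never prompts again and keeps serving the old key, so a key replaced on disk only takes effect after a full stop and start.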