On Mon, Nov 09, 1998, Trung Tran-Duc wrote:
> > > On Mon, 09 Nov 1998 10:03:23 GMT,
> > > Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> > >
> > > > [...]
> > > > This way we init SSLeay on every init under DSO/DLL situation but not under
> > > > Unix/non-DSO. And the pass phrase handling is done only on the first init.
> > >
> > > Rhetorical question: what would happen if I change the mod_ssl config,
> > > the new private key file is encrypted with _different_ pass phrase and
> > > I restart Apache? Of course Apache cannot regain the terminal to ask
> > > for the pass phrase. Is it correct? In this case will it fail or hang
> > > in reading from an invisible terminal?
> >
> > No, it'll not hang because we don't cache the pass phrase. We cache the
> > private key itself. So on restarts the private key (and certificate file) is
> > _NOT_ reloaded from disk. It's provided to SSLeay again, yes - but from the
> > cache. Because as we discussed some time ago, caching the pass phrase is more
> > a security problem than directly caching the private key (because SSLeay
> > caches the private key itself, too).
> >
> > So we should not have any pass phrase handling problems here.
>
> It means that if I want to change the private key, I have to shutdown
> the server and start it again; it does not suffice to send a restart
> signal. Right?
Right, both on restarts and graceful restarts mod_ssl
reinitializes SSLeay with the already known cert/key pairs.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
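The start, restart and stop/start behaviour discussed in this thread, modelled as an added Python example (not mod_ssl's own code, which is C): `Terminal` and `SslModule` are hypothetical stand-ins, the encrypted key files are constructed on the fly, and the `cryptography` library is assumed to be installed.

```python
import os
import tempfile
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def write_encrypted_key(path, passphrase):
    """Constructed fixture: write a fresh RSA key to `path`, PEM-encrypted under `passphrase`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    with open(path, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.BestAvailableEncryption(passphrase)))
    return key.public_key().public_numbers().n   # modulus identifies which key is in use


class Terminal:
    """Stands in for the controlling terminal: counts how often a pass phrase is requested."""
    def __init__(self, passphrase):
        self.passphrase, self.prompts = passphrase, 0

    def ask(self):
        self.prompts += 1
        return self.passphrase


class SslModule:
    """Hypothetical model of the behaviour described in the thread: the decrypted key object,
    never the pass phrase, is cached, and every init hands that cached key to the TLS library."""
    def __init__(self, key_path, terminal):
        self.key_path, self.terminal, self.key_cache = key_path, terminal, None

    def init(self):
        if self.key_cache is None:          # first init only: read disk and ask the terminal
            with open(self.key_path, "rb") as f:
                self.key_cache = serialization.load_pem_private_key(f.read(), self.terminal.ask())
        return self.key_cache.public_key().public_numbers().n   # key handed to the TLS library


def demo():
    """Start, restart after the key on disk changed, then stop/start; report which key is served."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.key")
        first = write_encrypted_key(path, b"alpha")
        term = Terminal(b"alpha")
        mod = SslModule(path, term)
        at_start = mod.init()
        second = write_encrypted_key(path, b"beta")    # admin installs a new key, new pass phrase
        after_restart = mod.init()                     # restart: no disk read, no prompt, old key
        term2 = Terminal(b"beta")
        after_stop_start = SslModule(path, term2).init()   # new process, empty cache: new key
        return {"first": first, "second": second, "at_start": at_start,
                "after_restart": after_restart, "after_stop_start": after_stop_start,
                "prompts_restart": term.prompts, "prompts_stop_start": term2.prompts}
```

Had the pass phrase been cached instead, the restart would have tried to decrypt the new file with the old pass phrase and failed; a full stop and start is what picks up the replaced key.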