On Jan 31, 2014, at 4:52 AM, Reindl Harald <[email protected]> wrote:
> Hi > > one small issue with ssl-certs: > they must be readable by the ats-user > > httpd reads them at startup before downgrade uid/gid > the benefit is that they can have chmod 400 and owned by root > in case of a security relevant bug that may prevent leaks https://issues.apache.org/jira/browse/TS-2353 https://issues.apache.org/jira/browse/TS-612 Ron Barber has been working on this for 4.2 and I expect that we will land these changes soon. In the longer terms I'd like to support the Linux kernel key management API, which I believe will give you better options for controlling access to keys. > _________________________ > > my personal issue is that we distribute the wildcard-cert to all > relevant machines in a own directory which chmod 400 and after > the cert expires and is re-newed the admin server can distribute it > > for now i need to make a ats-readable copy because a hard-link > would have the same permissions on both and in case of fire up > the distribute script they are reset > >
