On Jan 31, 2014, at 8:32 AM, Reindl Harald <[email protected]> wrote:
>
> On 31.01.2014 17:24, James Peach wrote:
>> On Jan 31, 2014, at 4:52 AM, Reindl Harald <[email protected]> wrote:
>>
>>> one small issue with ssl-certs:
>>> they must be readable by the ats-user
>>>
>>> httpd reads them at startup before downgrade uid/gid
>>> the benefit is that they can have chmod 400 and owned by root
>>> in case of a security relevant bug that may prevent leaks
>>
>> https://issues.apache.org/jira/browse/TS-2353
>> https://issues.apache.org/jira/browse/TS-612
>>
>> Ron Barber has been working on this for 4.2 and I expect that we will land
>> these changes soon. In the longer term I'd like to support the Linux kernel
>> key management API, which I believe will give you better options for
>> controlling access to keys.
>
> have i said often enough "thank you" for such a responsible upstream project
> like ATS?

Full marks to the Yahoo engineers, who have been driving the SSL improvements in 4.2. SSL support was formerly somewhat neglected so it's very timely and appreciated work :)

J
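
The permission model raised in this thread (private key owned by root with chmod 400, read before the uid/gid downgrade) can be audited as shown here. This is an added example, not code from the thread or from ATS; the function names, the service uid/gid values and the temporary key file are constructed for illustration, and the check covers classic mode bits only (no ACLs or capabilities).

```python
import os
import stat
import tempfile

def readable_by(st, uid, gids):
    """Classic Unix mode-bit check; ACLs and capabilities are ignored."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_key(path, service_uid, service_gids, owner_uid=0):
    """Return findings for a key that should stay unreadable after the uid/gid drop."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    if mode & ~0o400:
        findings.append(f"mode {mode:04o} is wider than 0400")
    if readable_by(st, service_uid, service_gids):
        findings.append(f"readable by service uid {service_uid} after privilege drop")
    return findings

def demo():
    """Audit a constructed key file; the current uid stands in for root."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        me = os.getuid()
        svc_uid = 65534 if me != 65534 else 65533  # hypothetical service uid
        svc_gid = 65534                             # hypothetical service gid
        os.chmod(key, 0o400)
        tight = audit_key(key, svc_uid, {svc_gid}, owner_uid=me)
        os.chmod(key, 0o444)
        loose = audit_key(key, svc_uid, {svc_gid}, owner_uid=me)
        return tight, loose

if __name__ == "__main__":
    for label, findings in zip(("0400", "0444"), demo()):
        print(label, findings or "ok")
```

An empty findings list means the key is only reachable by the process while it still runs as root, which is the property the thread asks for.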
