[Bug 63924] New: SSLProxyMachineKeyFile

Bugzilla from bugzilla@apache.org

            Bug ID: 63924
           Summary: SSLProxyMachineKeyFile
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

The mod_ssl module is missing an SSLProxyMachineKeyFile option.

Currently you are forced to add the secret key to the certificate file. This is
problematic for three reasons:

- Combining public and secret data in one file can lead to involuntary exposure
of the secret data. E.g., when someone asks for the certificate and gets blindly
forwarded the certificate file without someone checking first if it also
contains a secret key. Another example is limited to Unix systems where it can
happen that the combination file does not get restrictive enough file
permissions (0444 instead of 0400).

- Certificate and secret key do change on separate occasions and would always
require either a file edit or a compile action to produce the correct file.

- Easy reuse of data used to configure the web server is not possible; you have
to compile an additional file that combines secret key and certificate.

So in principle the same reasons as for SSLCertificateKeyFile apply.

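
The two exposure paths named in the report (a combined certificate-and-key file, and a key-bearing file left at 0444 instead of 0400) can be audited on existing files. This is an added example, not part of the original bug report or of Apache httpd; the function names, finding labels and sample PEM bodies are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Match any PEM private-key or certificate header (RSA, EC, ENCRYPTED, ...).
KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
CERT_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*CERTIFICATE-----")

# Constructed sample data: marker lines with a placeholder body, no real key.
CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def audit_pem(path):
    """Return a list of findings for one PEM file (empty list means clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    has_key = bool(KEY_RE.search(data))
    has_cert = bool(CERT_RE.search(data))
    findings = []
    if has_key and has_cert:
        findings.append("combined-cert-and-key")
    if has_key and mode & 0o077:  # any group/other permission bit is set
        findings.append("key-mode-too-open:%04o" % mode)
    return findings


def make_sample(directory, name, body, mode):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


def demo():
    with tempfile.TemporaryDirectory() as d:
        return {
            "combined_0444": audit_pem(make_sample(d, "a.pem", CERT + KEY, 0o444)),
            "combined_0400": audit_pem(make_sample(d, "b.pem", CERT + KEY, 0o400)),
            "cert_only_0444": audit_pem(make_sample(d, "c.pem", CERT, 0o444)),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

A certificate-only file at 0444 produces no finding, which is the layout a separate key-file directive would allow.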