Bug 63924 - SSLProxyMachineKeyFile
Summary: SSLProxyMachineKeyFile
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-14 10:44 UTC by Hendrik T. Voelker
Modified: 2019-11-14 10:44 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hendrik T. Voelker 2019-11-14 10:44:54 UTC 
The mod_ssl module is missing a SSLProxyMachineKeyFile option.

Currently you are forced to add the secret key to the certificate file. This is problematic for three reasons:

- Combining public and secret data in one file can lead to involuntary exposure of the secret data. E.g when someone asks for the certificate and gets blindly forwarded the certificate file without someone checking first if it also contains a secret key. Another example is limited to Unix systems where it can happen that the combination file does not get restrictive enough file permissions (0444 instead of 0400).

- Certificate and secret key do change on separate occasions and would always require either a file edit or a compile action to produce the correct file

- Easy reuse of data used to configure the web server is not possible, you have to compile an additional file that combines secret key and certificate

So in principle the same reasons as for SSLCertificateKeyFile apply.