The passphrase for TLS private key password encryption is stored in plaintext; there is still a risk of information leakage, and this does not comply with the security regulations of commercial scenarios. Maybe HTTPD should implement some more secure way to store sensitive configurations.

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL

<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
SSLVerifyDepth 10
SSLOptions +StdEnvVars
</IfModule>
I'm not sure what "password encryption is stored in plaintext" means.

With mod_ssl you can do any of:

a) use a plaintext-on-disk key file
b) use an encrypted-on-disk key file which is unencrypted in memory using a passphrase supplied at startup
c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)
(In reply to Joe Orton from comment #1)
> I'm not sure what "password encryption is stored in plaintext" means.
>
> With mod_ssl you can do any of:
>
> a) use a plaintext-on-disk key file
> b) use an encrypted-on-disk key file which is unencrypted in memory using a passphrase supplied at startup
> c) use a PKCS#11 module which encapsulates the key (e.g. in hardware)

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL

<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
SSLVerifyDepth 10
SSLOptions +StdEnvVars
</IfModule>

When Apache starts, /etc/server.key is plaintext.
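The thread turns on whether the key file named by SSLCertificateKeyFile is option (a), a plaintext-on-disk key, or option (b), an encrypted key unlocked via SSLPassPhraseDialog at startup. The following audit script is an added example, not code from this bug report or from httpd: it scans an httpd config for SSLCertificateKeyFile directives, classifies each referenced PEM file by its header, and reports the SSLPassPhraseDialog mode (httpd's default is builtin). The config text and the key file contents are constructed stand-ins passed in as a dict so the check runs offline.

```python
# Audit an httpd/mod_ssl configuration for private keys that sit unencrypted on disk.
import re

KEY_RE = re.compile(r'^\s*SSLCertificateKeyFile\s+"?([^"\s]+)"?', re.M)
DIALOG_RE = re.compile(r'^\s*SSLPassPhraseDialog\s+(\S+)', re.M)


def key_is_encrypted(pem_text):
    """True if the PEM key is passphrase-protected: PKCS#8 encrypted keys use an
    'ENCRYPTED PRIVATE KEY' header, legacy OpenSSL PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' line right after BEGIN."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def audit_config(config_text, files):
    """Check every SSLCertificateKeyFile referenced by config_text.

    `files` maps key paths to file contents (a dict here so the check runs offline;
    on a live host read each path from disk instead). Returns
    {'dialog': <SSLPassPhraseDialog mode>, 'keys': {path: status}} where status is
    'encrypted', 'plaintext' or 'missing'."""
    m = DIALOG_RE.search(config_text)
    dialog = m.group(1) if m else "builtin"  # httpd's default when the directive is absent
    keys = {}
    for path in KEY_RE.findall(config_text):
        if path not in files:
            keys[path] = "missing"
        else:
            keys[path] = "encrypted" if key_is_encrypted(files[path]) else "plaintext"
    return {"dialog": dialog, "keys": keys}


# Constructed sample: the key path from the report plus a second, encrypted key.
SAMPLE_CONFIG = """
<IfModule mod_ssl.c>
SSLEngine on
SSLPassPhraseDialog exec:/usr/local/sbin/getpass.sh
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
SSLCertificateKeyFile "/etc/ssl/private/api.key"
</IfModule>
"""
SAMPLE_FILES = {  # constructed stand-ins, not real key material
    "/etc/server.key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    "/etc/ssl/private/api.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n"
                                "-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, SAMPLE_FILES)
    print("SSLPassPhraseDialog:", report["dialog"])
    for path, status in report["keys"].items():
        print(path, status)
```

With an exec: dialog the passphrase is fetched by the named program at startup, so the secret's protection moves to wherever that program reads it from; a plaintext status means the key is option (a) and any reader of the file holds the key.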