Mailing List Archive

[Bug 66016] New: The passphrase for TLS private key password encryption is stored in plaintext
https://bz.apache.org/bugzilla/show_bug.cgi?id=66016

Bug ID: 66016
Summary: The passphrase for TLS private key password encryption is stored in plaintext
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: 510584901@qq.com
Target Milestone: ---

The passphrase for TLS private key password encryption is stored in plaintext.
There is still a risk of information leak, and this does not comply with the
security regulations of commercial scenarios. Maybe HTTPD should implement some
more secure way to store sensitive configurations.

https://cwiki.apache.org/confluence/display/HTTPD/SettingUpModSSL
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE
SSLCertificateFile /etc/server.crt
SSLCertificateKeyFile /etc/server.key
SSLVerifyDepth 10
SSLOptions +StdEnvVars
</IfModule>

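
An added audit example, not part of the bug report or of httpd's code: it checks the two places where the plaintext exposure described in the report can sit, an unencrypted key file or a passphrase helper that other users can read. SSLPassPhraseDialog is a real mod_ssl directive that the report's config does not show; the finding labels, file names and PEM bodies are constructed for the example.

```python
import os, re, stat, tempfile

# Both directive names are real mod_ssl directives; the finding labels are illustrative.
DIRECTIVE = re.compile(
    r"^\s*(SSLCertificateKeyFile|SSLPassPhraseDialog)\s+(.+?)\s*$", re.I | re.M)

def key_is_encrypted(pem_text):
    """True if the PEM key is passphrase-protected (PKCS#8 or legacy OpenSSL format)."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def loose_mode(path):
    """True if group or others have any permission bit set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit(conf_text):
    """Return (finding, path) tuples for key files and passphrase helpers in a config."""
    findings = []
    for name, arg in DIRECTIVE.findall(conf_text):
        arg = arg.strip('"')
        if name.lower() == "sslcertificatekeyfile":
            with open(arg) as fh:
                if not key_is_encrypted(fh.read()):
                    findings.append(("key-unencrypted", arg))
            if loose_mode(arg):
                findings.append(("key-mode", arg))
        elif arg.startswith(("exec:", "|")):
            # External helper supplies the passphrase; if others can read it, so can they.
            helper = (arg[5:] if arg.startswith("exec:") else arg[1:]).split()[0]
            if loose_mode(helper):
                findings.append(("helper-mode", helper))
    return findings

def demo():
    """Audit a constructed config, key and helper written to a temp directory."""
    d = tempfile.mkdtemp()
    key, helper = os.path.join(d, "server.key"), os.path.join(d, "pass.sh")
    with open(key, "w") as fh:  # constructed PEM, body is a placeholder
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
    with open(helper, "w") as fh:  # constructed helper holding a plaintext passphrase
        fh.write("#!/bin/sh\necho placeholder-passphrase\n")
    os.chmod(key, 0o600)
    os.chmod(helper, 0o755)
    return audit(f"SSLPassPhraseDialog exec:{helper}\nSSLCertificateKeyFile {key}\n")

if __name__ == "__main__":
    print(demo())
```

The encrypted key with mode 0600 passes, while the helper at 0755 is reported because any local user can read the passphrase it prints.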