On Jan 15, 2012 12:58 PM, "Mauro Santos" <registo.mailling@gmail.com> wrote:
> On 15-01-2012 16:38, Audric Schiltknecht wrote:
> > Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
> > the SSL password must be entered manually on each lighttpd start (or the
> > password removed from the key file, which I don't want to do :))
>
> Just out of curiosity (and maybe to learn something), why not? If you have the certificate and the password stored together then I'd say the password is not protecting much.
I'm not aware of a reason to lock the keyfile ... fairly standard AFAIK. Though if you wanted to get fancy, you could probably store the pass in the kernel and use some request-key/keyctl trickery to pull it out when needed ... would need to be loaded at least once on boot, but it's the same place SSH/GPG keeps your keys IIRC, so it's safe ... ... maybe encrypt the password with your TPM, then decrypt into kernel keyring, then load into openssl when requested ... :-O Or just unlock the keyfile.

-- 
C Anthony
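The two options weighed in this thread, as an added shell example that is not from anyone on the list: the "just unlock the keyfile" route (decrypt once with openssl, keep the result mode 0600) and, as far as the reply sketches it, the keyctl route (passphrase kept in the user keyring, pulled out by a start-up wrapper). File names, the passphrase and the key description lighttpd:sslpass are made up for the example; lighttpd itself does not read the kernel keyring, so the wrapper function is the assumed glue. Needs openssl; the keyring functions additionally need keyutils and are skipped when keyctl is absent.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the two choices
# discussed: stripping the passphrase from the lighttpd ssl.pemfile key, and
# parking the passphrase in the kernel keyring with keyctl instead.
# Assumptions (all made up for the example): paths under $WORK, the passphrase,
# and the key description "lighttpd:sslpass".
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="correct horse battery staple"   # constructed example passphrase

# Create a passphrase-protected key, the state the upstream docs start from.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/server.key.enc" 2048 2>/dev/null
    grep -q ENCRYPTED "$WORK/server.key.enc"
}

# Option 1, "just unlock the keyfile": write the key without a passphrase so
# lighttpd can start unattended, and rely on file permissions instead.
# The subshell keeps the umask change local to this function.
unlock_key() {
    ( umask 077
      openssl rsa -in "$WORK/server.key.enc" -passin "pass:$PASS" \
          -out "$WORK/server.key" 2>/dev/null )
    # Checks: loads with no passphrase, no ENCRYPTED marker, mode 0600.
    openssl rsa -in "$WORK/server.key" -check -noout >/dev/null 2>&1 || return 1
    if grep -q ENCRYPTED "$WORK/server.key"; then return 1; fi
    case "$(ls -l "$WORK/server.key" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Option 2, the keyctl variant: type the passphrase once per boot into the
# user keyring (@u); it never touches disk. Returns 2 if keyutils is missing.
store_pass_in_keyring() {
    command -v keyctl >/dev/null 2>&1 || return 2
    keyctl add user lighttpd:sslpass "$PASS" @u >/dev/null
}

# A start-up wrapper would then pull the passphrase out and decrypt the key to
# a private (preferably tmpfs) location right before exec'ing lighttpd.
# lighttpd knows nothing about the keyring; this wrapper is the assumed glue.
decrypt_from_keyring() {
    command -v keyctl >/dev/null 2>&1 || return 2
    id=$(keyctl search @u user lighttpd:sslpass 2>/dev/null) || return 1
    mkdir -p "$WORK/run" && chmod 700 "$WORK/run"
    ( umask 077
      keyctl pipe "$id" | openssl rsa -in "$WORK/server.key.enc" -passin stdin \
          -out "$WORK/run/server.key" 2>/dev/null )
}

make_encrypted_key
unlock_key
echo "unlocked key written to $WORK/server.key (mode 0600)"
if store_pass_in_keyring; then
    if decrypt_from_keyring; then
        echo "decrypted via keyring into $WORK/run/server.key"
    fi
else
    echo "keyctl not available or keyring unusable; skipped keyring variant" >&2
fi
```

The TPM step from the reply is not shown; it would sit in front of store_pass_in_keyring, unsealing the passphrase instead of having someone type it. Either way the unencrypted key material has to exist in memory or on a 0600 file for the daemon to start, which is the point Mauro raises: the passphrase only adds protection if it is kept somewhere the key file is not.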