[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: tls private key

To: Alexander Samad <alex@samad.com.au>
Subject: Re: tls private key
From: Tyler Gates <tgates81@gmail.com>
Date: Thu, 25 Mar 2010 21:09:46 -0400
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:x-mailer :mime-version:subject:date:cc; bh=ci87nlL4qNIqWZyomijg99TM2HoQ66t4U97SIF1hs3c=; b=GR2MQb0yLvvoqcICw07UYj9VjYpNpeSbs8PImSvR4VT6XuWxRuXXvnwG2OCJpYuRD2 P/zdLhRieiSL/SJF8i+345lXi11lk43TQLggq1s/ESADS1epfJWiuXyANm/rUr6Gwsal JRW73jMI15BAgK6wnQIUMmxMjTT/01drCfE/c=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:x-mailer:mime-version:subject:date:cc; b=IO2lX9SVtJG+Fcnvfak2kK2hjXNMfJC2BF8wszdJexb9NO7r4yR4ut9hmtJ4yw6xvF dCmr3/2Wa4LjecUS+nv0P3gXqNzlPm+5c4cHo01LqYGFpprCxmv97eTdF8kTPKE/PRsP ZnteucKOa2lAEam0dg2keH+lxcWit22Yssg1k=
In-reply-to: <836a6dcf1003251532u113cf248lffd7c92323bbd922@mail.gmail.com>
References: <20100116070338.GD2439@samad.com.au> <836a6dcf1003222320r711a471di5a4697fefcc038b5@mail.gmail.com> <6C447584419BFE4E83D46E88F81314862FAEB36DEB@EXCH07-05.apollogrp.edu> <836a6dcf1003251532u113cf248lffd7c92323bbd922@mail.gmail.com>

Alex,

encrypting the private key really isn't necessary and I highlydoubt it would work for your application nor be worth the hassel.Securing via file permisssions as mentioned previously is really thebest way to tackle this. Think of 'other layers of protection' beingfirewalls, intrusion detection, restricted logins, chroot jails, etc.,etc...Encryption really works best for UDP like transportation like emailwhere you cannot guarantee the recipient is the only person able to'see' the document ;)


On Mar 25, 2010, at 6:32 PM, Alexander Samad <alex@samad.com.au> wrote:

On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs
<Chris.Jacobs@apollogrp.edu> wrote:
Alexander,
Just Alex :) (getting used to google mail) Alexander reminds me of
being in trouble from the parents
I don't know if they only get read at startup or not... but it doesbring up the question: Why?
I would like to have another layer of protection on the machine /
certificates. I would have thought it would have been a quick and easy
question - yes I could go and read the src,  but.
Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the user/group you use to run slapd).
yep I do, root.openldap (debian)
If there are others with root permission to this box that shouldn'tor you don't want to have access to these files - you /reallyshould/ fix that issue first. Then trust the file systempermissions to do their job.
so why allow for encrypted private keys :)
Sadly, I suspect though that you're dead set on keeping the certspassword protected, and won't be doing the above.
The above is already done.
However, you could always just /try/ - if it works, then you knowthe answer. Just get used to restarting/starting slapd being aneedless PITA.
not sure where you got the idea I haven't already done this ?

And I am note sure why its bad to look for another layer of security
Thanks,
- chris

-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org[mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of AlexanderSamad
Sent: Monday, March 22, 2010 11:21 PM
To: openldap-technical@openldap.org
Subject: Fwd: tls private key

Hi
THought I would re ask, do certificates only get read at start up,I store my cert's with password, can i unpassword protect and thenstart slapd and then remove the unpassworded cert private file ?
will this be okay until such a time as slapd get restart ?

Alex


---------- Forwarded message ----------
From: Alex Samad <alex@samad.com.au>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: openldap-technical@openldap.org


Hi
I am setting up my sync repl to use certificates, my problem is Idon't want to leave my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read atslapd load up time, ie can i unencrypt the file start slapd andthen remove the un encrypted file ?
Alex


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktRZMcACgkQkZz88chpJ2MJYQCeIJ5FtSLGRpQJpr1Gco0NSjr8
VlYAnRmvR+YgJTplXoiX9Xsp+JgQH5VH
=iN8i
-----END PGP SIGNATURE-----
This message is private and confidential. If you have received itin error, please notify the sender and remove it from your system.

Follow-Ups:
- Re: tls private key
  - From: Alexander Samad <alex@samad.com.au>

References:
- Fwd: tls private key
  - From: Alexander Samad <alex@samad.com.au>
- RE: tls private key
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
- Re: tls private key
  - From: Alexander Samad <alex@samad.com.au>

Prev by Date: Re: tls private key
Next by Date: Re: tls private key
Index(es):
- Chronological
- Thread