undefined | Better HN

0 pointspedrocr11y ago0 comments

You'd be forking at the start of the Apache launch before any connections so that shouldn't be much of an issue.

This construct has a much worse bug. It separates the TLS from the rest of apache so it protects against bugs in other parts of the server (HTTP parsing for example) but it doesn't separate the TLS session code from the crypto primitives, so it wouldn't protect against heartbleed. For that forking at the PKCS#11 boundary would be much safer.

Thinking about it a better OpenSSL patch than the Akamai one of protecting the memory with a different alocator would be to run the actual crypto in a different process with a well-defined IPC between that and the main library. That would give you much of the safety of a software HSM without any changes to Apache/nginx or any other TLS server.

0 comments

pedrocrOP11y ago

Actually, thinking about it some more forking at PKCS#11 driver will not fix heartbleed completely. It will stop the key being recovered but will still allow you to recover passwords and cookies. To fix it completely you'd need forking at both ends, or just using apache in forking instead of event mode.

j / k navigate · click thread line to collapse

0 pointspedrocr11y ago0 comments

You'd be forking at the start of the Apache launch before any connections so that shouldn't be much of an issue.

0 comments

pedrocrOP11y ago

j / k navigate · click thread line to collapse