Hi,

On 06.11.2015 at 21:10, martin f krafft wrote:
> Having both the key and cert in one file could be considered a
> feature. But since the two data have different security models, and
> we do not have in-file differentiation (e.g. protect the key while
> let people read the cert), using two files is the only sensible way.

While I know that it's common practice to have the key in a different file with tighter security mode, I don't see any security advantage in it. I would make both files available read-only to the software in question only. The software, ejabberd in this case, needs access to both anyway.

The only advantage with separate files I can think of is when a 3rd-party software wants/needs to access the public certificate, but then I would simply throw the public part into /etc/ssl/certs/.

Anyway, I opened an issue with this feature request in the upstream bug tracker at https://github.com/processone/ejabberd/issues/826 . Anybody is welcome to send Pull-Requests for changes that implement this.

Regards,
-- 
 .''`.   Philipp Hübner <philipp.hueb...@debalance.de>
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225 3DF9 E5CA 8C49 25E4 205F
`. `'`   Jabber: phil...@debalance.de, Skype: philipp-huebner
  `-     We are the Power inside, we bring you Fantasy. We are the
         Kingdom of Light and Dreams, Gnosis and Life: Avantasia!
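An added example, not part of the message above and not ejabberd or Debian code: a small audit that reads a PEM file, reports whether it holds a private key, a certificate or both, and flags a key-bearing file whose mode grants anything to group or other. The function names, the owner-only policy and the placeholder PEM blocks are assumptions made for this illustration.

```python
import os
import re
import stat
import tempfile

# BEGIN line of any PEM block; the capture group is the block label.
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

# Constructed placeholder blocks: the bodies are not real key or certificate data.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def audit_pem(path):
    """Report what a PEM file contains and whether its mode suits that content."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        labels = PEM_BEGIN.findall(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return {
        "has_key": has_key,
        "has_cert": "CERTIFICATE" in labels,
        "mode": oct(mode),
        # Assumed policy: a file holding a private key grants nothing to group or other.
        "too_open": has_key and bool(mode & 0o077),
    }


def demo():
    """Audit three constructed files: combined 0644, combined 0400, cert-only 0644."""
    cases = {
        "combined-0644": (SAMPLE_KEY + SAMPLE_CERT, 0o644),
        "combined-0400": (SAMPLE_KEY + SAMPLE_CERT, 0o400),
        "cert-only-0644": (SAMPLE_CERT, 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in cases.items():
            path = os.path.join(tmp, name + ".pem")
            with open(path, "w", encoding="ascii") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = audit_pem(path)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A combined file has a single mode, so the certificate in it is exactly as restricted as the key; only the certificate-only file can be world-readable without being flagged.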