php

Comment 3 for bug 1335652

Seth Arnold (seth-arnold) wrote :

Thanks for reporting this issue; however, I do not believe this is a security fix, rather a simple reliability fix.

The PHP team has been clear that the interpreter is not designed nor intended to provide any kind of security layer and scripts executing in the interpreter should be considered to have full, legitimate, access to everything that is available to the PHP interpreter.

In this case that means that TLS private keys available to mod_ssl are intentionally available to all PHP scripts running via mod_php. Any administrator that wants to keep TLS private keys away from PHP must use a mechanism such as CGI, FastCGI, or PHP FPM to execute the scripts in a different address space and with different privileges.

Thanks
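An added example, not part of the comment above or of any project's code: a small audit helper that reads an Apache module list in the format printed by `apachectl -M` and reports whether PHP is loaded in-process next to mod_ssl, which is the arrangement the comment describes. The function name, verdict words and sample module lists are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies an Apache module list read from stdin.
# Verdicts (names chosen for this example):
#   shared   - ssl_module and an in-process PHP module are both loaded, so
#              PHP scripts run in the address space that holds the TLS keys
#   separate - ssl_module loaded, no in-process PHP, and a CGI/FastCGI
#              handler module is present
#   no-php   - ssl_module loaded, no PHP-related handler module seen
#   no-ssl   - ssl_module not loaded
# "separate" only shows that an out-of-process mechanism is available; the
# CGI/FPM user must still lack read access to the private key file.
classify_modules() (
    ssl=0; inproc=0; external=0
    # The "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while read -r name _ || [ -n "$name" ]; do
        case "$name" in
            ssl_module) ssl=1 ;;
            php_module|php[0-9]*_module) inproc=1 ;;
            proxy_fcgi_module|fcgid_module|cgi_module|cgid_module) external=1 ;;
        esac
    done
    if [ "$ssl" -eq 0 ]; then echo no-ssl
    elif [ "$inproc" -eq 1 ]; then echo shared
    elif [ "$external" -eq 1 ]; then echo separate
    else echo no-php
    fi
)

# Constructed sample input: mod_php and mod_ssl in the same server process.
SAMPLE_MOD_PHP='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 php7_module (shared)'

# Constructed sample input: PHP handed to an external FastCGI/FPM process.
SAMPLE_FPM='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 proxy_module (shared)
 proxy_fcgi_module (shared)'

printf '%s\n' "$SAMPLE_MOD_PHP" | classify_modules
printf '%s\n' "$SAMPLE_FPM" | classify_modules
# On a live host: apachectl -M 2>/dev/null | classify_modules
```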