The patch of Nginx SSL: PEM pass phrase problem

James_Lee nginx-forum at nginx.us
Fri Sep 2 06:03:03 UTC 2011


Hi,

If we configured SSL in Nginx and the Private Key files are encrypted,
then the following dialog occurs at Nginx startup time:
         Enter PEM pass phrase:

This may be difficult for management. Sometimes it is necessary to avoid the
interactive dialog at startup time.
So I developed a patch for the Nginx ssl module. I hope it is helpful!



Directive:  ssl_pass_phrase_dialog
--------------------------------------------------------------------
Description: Type of pass phrase dialog for encrypted private keys
Syntax: ssl_pass_phrase_dialog type
Default: ssl_pass_phrase_dialog builtin
Context: http, server

Usage:
--------------------------------------------------------------------
When Nginx starts up it has to read the various Certificate (see
ssl_certificate) and Private Key (see ssl_certificate_key) files of the
SSL-enabled virtual servers. Because for security reasons the Private
Key files are usually encrypted, ngx_ssl module needs to query the
administrator for a Pass Phrase in order to decrypt those files. This
query can be done in two ways which can be configured by type:

 *  builtin

    This is the default where an interactive terminal dialog occurs at
    startup time. Here the administrator has to manually enter the Pass
    Phrase for each encrypted Private Key file.
   
 *  exec:/path/to/program

    Here an external program is configured which is called at startup
    for each encrypted Private Key file.

Example:
--------------------------------------------------------------------
(1) ssl_pass_phrase_dialog builtin;
The "Enter PEM pass phrase:" prompt will occur at Nginx startup time.

(2) ssl_pass_phrase_dialog "exec:/home/ssl_files/ssl_pass_phrase.sh";
The code of ssl_pass_phrase.sh:
#!/bin/sh
echo "password"

The relevant configuration in Apache is:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog

If more information is needed, please refer to the Nginx HttpSslModule:
http://wiki.nginx.org/HttpSslModule


Patch:
--------------------------------------------------------------------
This patch has been tested in nginx-0.8.54.

The download URL is:
http://www.cx.com/dl/?sn=f3c7b79133b7


Author:
--------------------------------------------------------------------
beagem#163.com  (Here # is @ in fact)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,214641,214641#msg-214641
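
An added example, not part of the original post or of the patch: a variant of the ssl_pass_phrase.sh helper that keeps the pass phrase out of the script and reads it from a separate file only when that file is a regular file, owned by the calling user, with mode 0400 or 0600. The PASS_FILE path and the function names are assumptions, as is the premise (taken from the post's echo "password" example) that the helper's standard output is used as the pass phrase.

```shell
#!/bin/sh
# Added example (not from the original post): an "exec:" pass phrase
# helper that refuses a secret file with unsafe ownership or mode.
# PASS_FILE is a hypothetical path chosen for illustration.
PASS_FILE="${PASS_FILE:-/etc/nginx/ssl/key.pass}"

# Print the octal permission bits of $1 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the numeric owner uid of $1.
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Write the pass phrase stored in $1 to stdout, or return non-zero
# with a reason on stderr and nothing on stdout.
emit_pass_phrase() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "pass phrase file is missing or not a regular file: $f" >&2
        return 1
    fi
    if [ "$(file_uid "$f")" != "$(id -u)" ]; then
        echo "pass phrase file is not owned by the calling user: $f" >&2
        return 1
    fi
    case "$(file_mode "$f")" in
        400|600) ;;
        *) echo "pass phrase file must be mode 0400 or 0600: $f" >&2
           return 1 ;;
    esac
    # First line only, so trailing notes in the file are not emitted.
    head -n 1 "$f"
}

# Act as the helper only when installed under the file name used in
# the post, so the functions can be loaded elsewhere without output.
case "${0##*/}" in
    ssl_pass_phrase.sh) emit_pass_phrase "$PASS_FILE" || exit 1 ;;
esac
```

The helper script itself then holds no secret, so only the pass phrase file needs restrictive permissions.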


