Old topic ssl private key with passphrase
Maxim Dounin
mdounin at mdounin.ru
Wed Apr 23 16:19:04 UTC 2014

Hello!

On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:

> Dear nginx developers.
>
> What is necessary that you take hands on the topic 'private key passphrase'?
>
> e.g.: http://trac.nginx.org/nginx/ticket/433
>
> [ ] donation
> [ ] time
> [ ] leisure
> [ ] other: ......
>
> Maybe not as many options as in apache httpd
>
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog
>
> but at least one.

Igor explained his position on this more than once: unless you are
actually using something external to enter key passwords, there is no
difference with unencrypted keys from a security point of view
(assuming proper access rights are used for keys). And as far as
we know, no or almost no users of Apache's SSLPassPhraseDialog use
it this way, most just use "echo 'password'" or something like that.

So the question is: why do you need it?

(I'm aware of at least one more or less valid answer which almost
convinced me that we should add it, but it's not about security,
but rather about social engineering.)

> I found this entry in the ml from 2012, is this a possible solution for
> nginx OSS core?
>
> http://marc.info/?t=131494347400003&r=1&w=2

No.

--
Maxim Dounin
http://nginx.org/
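
The comparison made in the message above (an encrypted key whose passphrase comes from a script that just echoes it, versus an unencrypted key with proper access rights) can be checked on a host. This is an added example, not part of the original message and not nginx code; the function names and the heuristic for spotting a static helper are assumptions made for illustration.

```python
import os
import re
import stat

# PEM markers meaning the key body is passphrase-encrypted.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8
                     "Proc-Type: 4,ENCRYPTED")                 # traditional OpenSSL PEM

# Heuristic (assumption): a helper line that only prints a literal,
# with no variable expansion or command substitution.
STATIC_ECHO = re.compile(r"^\s*(echo|printf)\s+[^$`]+$")


def key_is_encrypted(pem_text):
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def helper_is_static(script_text):
    """True if the passphrase helper just prints a literal stored in the script."""
    lines = [l for l in script_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return bool(lines) and all(STATIC_ECHO.match(l) for l in lines)


def audit(key_path, helper_path=None):
    """Return a list of findings for one key file and its optional helper script."""
    findings = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file mode %04o grants group/other access" % mode)
    with open(key_path, errors="replace") as fh:
        encrypted = key_is_encrypted(fh.read())
    if not encrypted:
        findings.append("key is unencrypted: file permissions are the only protection")
    elif helper_path is not None:
        with open(helper_path, errors="replace") as fh:
            if helper_is_static(fh.read()):
                findings.append("passphrase is a literal in the helper script: "
                                "same exposure as an unencrypted key")
    return findings
```
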