Old topic ssl private key with passphrase

Maxim Dounin mdounin at mdounin.ru
Wed Apr 23 16:19:04 UTC 2014


On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:

> Dear nginx developers.
> What is necessary that you take hands on the topic 'private key passphrase'?
> e.g.: http://trac.nginx.org/nginx/ticket/433
> [ ] donation
> [ ] time
> [ ] leasure
> [ ] other: ......
> Maybe not as much options as in apache httpd
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog
> but at least one.

Igor explained his position on this more than once: unless you are 
actually using something external to enter key passwords, there is no 
difference with unencrypted keys from security point of view 
(assuming proper access rights are used for keys).  And as far as 
we know, no or almost no users of Apache's SSLPassPhraseDialog use 
it this way, most just use "echo 'password'" or something like.

So the question is: why do you need it?

(I'm aware of at least one more or less valid answer which almost 
convinced me that we should add it, but it's not about security, 
but rather about social engineering.)

> I found this entry in the ml from 2012, is this a possible solution for
> nginx OSS core?
> http://marc.info/?t=131494347400003&r=1&w=2


Maxim Dounin

More information about the nginx mailing list