Nginx failing to ask for PEM SSL key password

Francis Daly francis at daoine.org
Wed Nov 18 13:19:43 UTC 2015


On Wed, Nov 18, 2015 at 04:34:20AM -0500, lakarjail wrote:

Hi there,

> It made me wonder why
> "SSLPassPhraseDialog" from Apache was not added to Nginx as well.

I'm a bit unclear on this -- what extra security do you think that
Apache's "SSLPassPhraseDialog" gives you? See below for my rationale.

> Indeed, I am looking for a solution that wouldn't decrease the global
> security of my system. I cannot consider leaving the password of a PEM key
> in cleartext like the "ssl_password_file" solution proposed by Nginx, nor
> removing the password from the key cert file, for the same obvious reasons.

So - the file system permissions to block a random person from reading
the un-password-protected key file are unsuitable. Ok.

And the file system permissions to block a random person from running
"cat passwordfile" and seeing "mypassword" are unsuitable. Ok.

But the file system permissions to block a random person from running
"./passwordscript" and seeing "mypassword" are not unsuitable? How does
that work?

("cat passwordscript" or "strings passwordscript" might show the same
thing; but the same user that would need to read passwordfile, would
need to execute passwordscript. Unless I'm missing something.)

> What solution do I have then, one that would be clean enough in terms
> of security and would ensure that the next nginx updates won't cause problems?

I think that if you insist on manually typing the password each time
nginx starts, you should make sure to manually start nginx, and be there
to type the password.

If your "service" command does not provide the facility to do that,
use a different (or no) service command.


Or - build your own system which does the equivalent of

  ./passwordscript > passwordfile
  service nginx start
  echo random > passwordfile

at the appropriate times.

I don't see how your system security is enhanced, if you do anything
other than manually type in the password each time it is needed.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
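
A concrete version of the three-step wrapper sketched above (create the password file from a script, start nginx, overwrite the file), as an added example that is not part of the original thread or of nginx itself. It assumes hypothetical paths: /etc/nginx/ssl/passwordscript is an executable that prints the key passphrase, nginx.conf carries `ssl_password_file /run/nginx/keypass;`, and START_CMD is whatever starts nginx on this host. Two details the one-liner glosses over are handled here: the file is created with mode 0600 from the first byte (umask before redirection), and it is overwritten with random bytes of the same length and then removed even if the start command fails. One caveat a practitioner should know: nginx reads ssl_password_file while parsing its configuration, which happens at start and again on every reload (SIGHUP / `nginx -s reload`), so once the file is scrubbed a reload will fail until the wrapper recreates it.

```shell
#!/bin/sh
# Added example, not from the nginx thread. All paths and the start command
# are assumptions; override them through the environment.
PASSWORD_SCRIPT=${PASSWORD_SCRIPT:-/etc/nginx/ssl/passwordscript}
PASSWORD_FILE=${PASSWORD_FILE:-/run/nginx/keypass}   # matches ssl_password_file in nginx.conf
START_CMD=${START_CMD:-"service nginx start"}

# Write the passphrase to a file that is 0600 before any byte lands in it:
# umask 077 applies to the file the redirection creates, so there is no
# window in which another local user could read it.
write_password_file() {
    umask 077
    rm -f "$PASSWORD_FILE"
    "$PASSWORD_SCRIPT" > "$PASSWORD_FILE"
}

# Overwrite with the same number of random bytes, then unlink. Overwriting is
# best effort on journaling or copy-on-write file systems; keeping the file on
# a tmpfs such as /run sidesteps that, since nothing reaches a disk at all.
scrub_password_file() {
    [ -f "$PASSWORD_FILE" ] || return 0
    size=$(wc -c < "$PASSWORD_FILE" | tr -d ' ')
    dd if=/dev/urandom of="$PASSWORD_FILE" bs=1 count="$size" 2>/dev/null
    rm -f "$PASSWORD_FILE"
}

# The equivalent of:  ./passwordscript > passwordfile; service nginx start;
# echo random > passwordfile  -- with the scrub guaranteed on every exit path.
start_with_passphrase() {
    write_password_file
    trap scrub_password_file EXIT
    if $START_CMD; then status=0; else status=$?; fi
    scrub_password_file
    trap - EXIT
    return $status
}
```

Run it as the same user that would otherwise type the passphrase by hand; the script itself must of course be readable only by that user, which is Francis's point: the script moves the secret around, it does not remove the need to protect it.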
