httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl? (was: Re: [PATCH 55593] Add "SSLServerInfoFile" directive)
Date Sun, 17 Nov 2013 14:43:19 GMT

On 13/11/2013 14:06, Kaspar Brand wrote:
> 
> I'm not proposing to drop support for encrypted private keys from 2.4.x
> (yet), to be clear - I guess we need to keep this for quite some while
> for backwards compatibility. I suggest, however, to only support
> unencrypted private keys with the "SSLOpenSSLConfCmd PrivateKey"
> directive (in trunk and when backported to 2.4.x), and possibly remove
> support for encrypted private keys for SSLCertificate[Key]File in trunk.
> I.e., I'd be interested in hearing whether people are in favor of (or
> opposition to):
> 
> - only supporting unencrypted private keys with "SSLOpenSSLConfCmd
>   PrivateKey ..."
> 

Just to clarify that. Do you mean that SSLOpenSSLConfCmd shouldn't work with
encrypted private keys at all (e.g. return an error) or that it is just
documented that they might not work as expected?

The SSL_CONF code (which SSLOpenSSLConfCmd uses) should have support for
encrypted private keys as other applications might want to use it. The SSL_CONF
code wasn't designed exclusively for mod_ssl use: though I have to admit I was
partly thinking about how useful it could be in mod_ssl when I wrote it.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
