On Thu, Aug 27, 2015 at 04:52:59PM +0200, Axel Beckert wrote:

> > Please find attached a patch that makes links work with client
> > certificates.
> Thanks! I would have expected the patch to be much bigger.

Indeed, just two lines.

> I'm though concerned about having obviously unencrypted client-certs +
> keys lounging around on my hard disk (even with disk-encryption) which
> give access to quite some Debian infrastructure.

Good point: I only messed with links' code as far as I was comfortable.

In https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html
it says:

  The private keys loaded from file can be encrypted. In order to
  successfully load encrypted keys, a function returning the passphrase
  must have been supplied, see SSL_CTX_set_default_passwd_cb.
  (Certificate files might be encrypted as well from the technical point
  of view, it however does not make sense as the data in the certificate
  is considered public anyway.)

It seems to be just a matter of adding a callback to the SSL_CTX in the
same getSSL function:

  https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_default_passwd_cb.html

I imagine links already has code to prompt the user for a password that
can be used by such a callback, but I don't know the code well enough to
find out.


Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>
