Hi Enrico,

Enrico Zini wrote:
> > I'm though concerned about having obviously unencrypted client-certs +
> > keys lounging around on my hard disk (even with disk-encryption) which
> > give access to quite some Debian infrastructure.
> 
> Good point: I only messed with links' code as far as I was comfortable.

That was not meant as criticism of your patch or a request for an
extended patch. It was rather an expression of my dislike of the
idea of making client-cert authentication mandatory for some Debian
services.

> In https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html
> it says:
> 
>   The private keys loaded from file can be encrypted. In order to
>   successfully load encrypted keys, a function returning the passphrase
>   must have been supplied, see SSL_CTX_set_default_passwd_cb.
>   (Certificate files might be encrypted as well from the technical point
>   of view, it however does not make sense as the data in the certificate
>   is considered public anyway.)
>
> It seems to be just a matter of adding a callback to the SSL_CTX in the
> same getSSL function:
> 
>   https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_default_passwd_cb.html
> 
> I imagine links already has code to prompt the user for a password that
> can be used by such a callback, but I don't know the code well enough to
> find out.

Me neither. I'll apply (and test) your patch and pass it and these
hints about how to load encrypted keys to upstream.

Thanks again for your effort.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
