tatsuhiro-t / spdylay

The experimental SPDY protocol version 2, 3 and 3.1 implementation in C
http://tatsuhiro-t.github.io/spdylay/
MIT License

[shrpx] read private key's passwd from a file #46

Closed rgs1 closed 11 years ago

rgs1 commented 12 years ago

This avoids the need to provide the password for your private key interactively.

It can be used via --passwd-key-file or passwd-key-file in the given config file. The first line in the file (without \n) will be treated as the passwd. There isn't any validation and all lines after the first one (if any) are ignored.

The security model behind this is a bit simplistic so I am open to better ideas. Basically your password file should be root:root (400) and you should drop root and run as an unprivileged user.

If the file exists and a line can be read then a callback will be set for the SSL ctxt and it'll feed the passwd when the private key is read (if password is needed).

tatsuhiro-t commented 12 years ago

Great! Thank you! I posted several comments. I think they would improve the patch, what do you think? As a security measure, some FTP clients (e.g., wget) check whether the permissions of the .netrc file (which contains username/password for FTP sites) are correct. Maybe we should do this here? I'm open to this discussion.

rgs1 commented 12 years ago

Updated the branch (I re-wrote history to keep it clean) with the suggested changes. Thanks for the fast review!

tatsuhiro-t commented 11 years ago

Looks good. Merged and pushed. Thank you!