[Net-ssleay-devel] Re: Net::SSLeay and PEM file passwords

sampo at symlabs.com
Fri Aug 4 22:26:46 CEST 2006


Jamie Cameron writes:
> Hi Sampo,

I am no longer the maintainer of Net::SSLeay. Mike and Florian
are nowadays in charge and have set up a support mailing list,
which I have Cc'd. Please forward further discussion there.

> I'm the author of Webmin, which is a web-based admin interface written
> in Perl, which uses your Net::SSLeay module for SSL encryption. I was
> recently asked by a user if there is any way to read a PEM file for
> use as an SSL certificate if it is protected by a passphrase, without
> the user having to enter it at startup time.

OpenSSL supports interactive entry of the password from the console. This
works with Net::SSLeay as well.

However, most servers will need to boot without interaction. Net::SSLeay
does not support any (easy) way of automatically supplying a password.
Supporting such a method would be madness anyway: you get an equivalent level
of security by not encrypting your private key and simply relying on
carefully crafted Unix filesystem permissions to protect it.

I believe the OpenSSL.org FAQ discusses this dilemma and explains how
to remove password protection from the private key, should it have any.

Cheers,
 --Sampo 

> Technically it must be possible for the openssl libraries to do this
> (since Apache has a directive for specifying the passphrase in httpd.conf),
> but I couldn't see how to make Net::SSLeay perform the same trick.
> I was wondering, could you make any suggestions as to how this could be
> done? 
> 
> I know that storing the cert password in a config file defeats the whole
> purpose of having one security-wise, but I like to keep my users happy :) 
> 
>  - Jamie
__________________________________________________________________
Sym  | Sampo Kellomaki  ______| Identity Architect, Federated SSO
____ | +351-918.731.007 ______| Liberty ID-WSF DirectoryScript
labs | skype: sampo.kellomaki | LDAP SOAP PlainDoc Crypto C Perl 
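The alternative Sampo recommends, stripping the passphrase from the key and protecting the plaintext file with filesystem permissions instead, as an added shell example that is not part of the original thread (the file names and the passphrase are constructed for the demo):

```shell
#!/bin/sh
# Added example (not from the post): strip the passphrase from a PEM private key
# so a server can start unattended, then rely on filesystem permissions instead.
# Paths and the passphrase used below are constructed for the demo.
set -eu

# key_is_encrypted FILE: succeeds if the PEM key still carries a passphrase
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header).
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# file_mode FILE: octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# strip_passphrase ENCRYPTED_KEY PLAIN_KEY PASSPHRASE
# Writes an unencrypted copy readable only by its owner and verifies the result.
strip_passphrase() {
    enc=$1; plain=$2; pass=$3
    rm -f "$plain"
    # umask inside a subshell so the plaintext file is 0600 from its first byte
    # and is never briefly group- or world-readable.
    ( umask 077 && openssl pkey -in "$enc" -passin "pass:$pass" -out "$plain" 2>/dev/null ) || return 1
    [ "$(file_mode "$plain")" = 600 ] || return 1
    openssl pkey -in "$plain" -noout 2>/dev/null || return 1   # parses with no passphrase
    ! key_is_encrypted "$plain"                                # and is really plaintext now
}

# demo: generate a passphrase-protected key (constructed), strip it, print the dir.
demo() {
    dir=$(mktemp -d)
    openssl genrsa -aes256 -passout pass:demo-secret -out "$dir/server.key.enc" 2048 2>/dev/null
    key_is_encrypted "$dir/server.key.enc" || return 1
    strip_passphrase "$dir/server.key.enc" "$dir/server.key" demo-secret || return 1
    echo "$dir"
}
```

The resulting `server.key` is what a Net::SSLeay-based server would load unattended; the owner-only mode is doing the job the passphrase used to do.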