Thanks for the feedback!
I’m not sure extending SSLPassphraseDialog is the best fit here. A
single file with multiple passphrases gets tricky to manage, since
there’s no clear way to know which passphrase belongs to which key. That
could get confusing when certificates/keys are rotated or replaced.
It also makes things awkward for setups where someone might want to use
SSLCertificateKeyPasswordFile for some keys but still enter others
manually. Keeping it per-certificate avoids forcing everything into one
mechanism.
So I think keeping this as a separate directive tied to each certificate
still makes the most sense.
Regards,
Christian
On 12/6/25 3:50 PM, Daniel Ruggeri wrote:
Thanks, Christian!
On 12/1/2025 3:28 AM, Christian Nageby wrote:
Hi all,
This patch introduces a new directive to mod_ssl that allows
administrators to specify a file from which the passphrase for an
encrypted private key will be read at startup.
This provides a simple, non-interactive mechanism for supplying
key passphrases in automated deployments while preserving existing
behavior.
If the configured file is missing, unreadable, or contains an incorrect
passphrase, mod_ssl gracefully falls back to its normal key-loading
mechanism. When the directive is not configured, there is no change
in behavior.
This seems like a perfectly sensible thing to support, but I wonder if
we'd need a new directive? What do you think about adding this as an
option for the existing SSLPassphraseDialog directive? It would serve
to keep the gathering of such passphrases in one place. I would guess
we could use either a raw path (/path/to/file.txt) or a prefix like we
already have (file:/path/to/file.txt).
Rationale:
- Enables automation scenarios where interactive passphrase entry is
not feasible.
- Maintains full backward compatibility: no behavior change unless
the directive is explicitly used.
Verified:
* Correct passphrase in file → httpd starts and loads key normally.
* Missing passphrase file → httpd fails to start.
* Invalid passphrase in file → httpd defaults to prompt for the
passphrase.
* Both encrypted and unencrypted private keys tested.
Example configuration to use a password file:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.pem
SSLCertificateKeyPasswordFile /etc/pki/tls/private/key.pem.pass
Patch attached as mod_ssl.patch
Documentation for the new directive will be submitted separately or
included once the directive name and semantics are agreed on.
Feedback welcome.
Regards,
Christian
--
Daniel Ruggeri
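The cases listed under "Verified" above (correct passphrase, missing file, invalid passphrase, directive absent) can be modelled as a small decision routine. The block below is an added illustration and is not the mod_ssl patch or any httpd code; the file name `key.pem.pass`, the `unlock` callback standing in for the TLS library's key-decryption call, and the sample passphrase are all constructed. It adds two checks a practitioner would want around such a directive: a warning when the passphrase file is readable by group or others, and stripping of exactly one trailing newline so a file written with an editor still matches the real passphrase.

```python
"""Model of the SSLCertificateKeyPasswordFile outcomes discussed in the thread.
Added illustration only; not httpd or mod_ssl code."""
import os
import stat
import tempfile
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Outcome(Enum):
    LOADED = "key decrypted with passphrase from file"
    FILE_MISSING = "passphrase file missing or unreadable: startup fails"
    FALLBACK_PROMPT = "passphrase in file rejected: fall back to normal prompt"
    NOT_CONFIGURED = "directive absent: existing behaviour, no change"


def check_mode(mode: int) -> Optional[str]:
    """Return a warning if the passphrase file is accessible to group/other.
    A passphrase file should normally be mode 0600 and owned by the user that
    reads the private key."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "passphrase file is accessible to group/other; expected mode 0600"
    return None


def parse_passphrase(data: bytes) -> str:
    """Strip exactly one trailing newline (LF or CRLF) that editors append;
    keep every other byte, since passphrases may legitimately contain spaces.
    Reject an empty file so a blank passphrase is never silently accepted."""
    if data.endswith(b"\r\n"):
        data = data[:-2]
    elif data.endswith(b"\n"):
        data = data[:-1]
    if not data:
        raise ValueError("passphrase file is empty")
    return data.decode("utf-8")


def resolve_key(passfile: Optional[str],
                unlock: Callable[[str], bool]) -> Tuple[Outcome, List[str]]:
    """Decide how key loading proceeds for one certificate.

    passfile: value of the (hypothetical) SSLCertificateKeyPasswordFile
              directive, or None when it is not configured.
    unlock:   constructed stand-in for the library call that tries to decrypt
              the private key; returns True when the passphrase is correct.
    Returns the outcome plus any warnings an administrator should see."""
    warnings: List[str] = []
    if passfile is None:
        return Outcome.NOT_CONFIGURED, warnings
    try:
        st = os.stat(passfile)
        with open(passfile, "rb") as fh:
            data = fh.read()
    except OSError:
        return Outcome.FILE_MISSING, warnings
    mode_warning = check_mode(stat.S_IMODE(st.st_mode))
    if mode_warning:
        warnings.append(mode_warning)
    try:
        passphrase = parse_passphrase(data)
    except ValueError as exc:
        warnings.append(str(exc))
        return Outcome.FALLBACK_PROMPT, warnings
    if unlock(passphrase):
        return Outcome.LOADED, warnings
    warnings.append("passphrase from file did not decrypt the key")
    return Outcome.FALLBACK_PROMPT, warnings


def demo() -> dict:
    """Exercise each 'Verified' case against constructed files in a temp dir."""
    real = "correct horse battery staple"          # constructed sample passphrase
    unlock = lambda p: p == real                   # stands in for key decryption
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "key.pem.pass")
        with open(good, "wb") as fh:
            fh.write(real.encode() + b"\n")        # editor-style trailing newline
        os.chmod(good, 0o600)
        results["correct"] = resolve_key(good, unlock)

        bad = os.path.join(d, "wrong.pass")
        with open(bad, "wb") as fh:
            fh.write(b"not it\n")
        os.chmod(bad, 0o644)                       # too permissive: warning expected
        results["invalid"] = resolve_key(bad, unlock)

        results["missing"] = resolve_key(os.path.join(d, "absent.pass"), unlock)
        results["unconfigured"] = resolve_key(None, unlock)
    return results


if __name__ == "__main__":
    for case, (outcome, warns) in demo().items():
        print(f"{case:12s} -> {outcome.value}" + (f"  [{'; '.join(warns)}]" if warns else ""))
```

The permission warning is deliberately a warning rather than a hard failure here, matching the thread's "no behaviour change unless the directive is used" stance; a stricter deployment could turn it into a refusal to start.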