Support the ability to decrypt SSL key
stanhu opened this issue
Is your feature request related to a problem? Please describe.
We have customers that are required to encrypt SSL keys and other secrets at rest. Currently key is a plaintext file.
Other Web servers implement this in a number of ways:
- NGINX supports an ssl_password_file (https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/). The file can contain multiple passwords separated by newlines, and NGINX attempts to decrypt the SSL private key with each passphrase in the file.
- Apache supports the ability to execute a script via the SSLPassPhraseDialog option (https://www.oreilly.com/library/view/apache-the-definitive/0596002033/re177.html). This script prints the password to stdout.
Describe the solution you'd like
The first solution would suffice, though the second seems more elegant. https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/ demonstrates how you could use a background process to populate a FIFO special file.
If key is specified, it seems that OpenSSL is passed the file here: puma/ext/puma_http11/mini_ssl.c, lines 267 to 269 in 904b47a.
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_PrivateKey_file.html says:
The private keys loaded from file can be encrypted. In order to successfully load encrypted keys, a function returning the passphrase must have been supplied, see SSL_CTX_set_default_passwd_cb(3). (Certificate files might be encrypted as well from the technical point of view, it however does not make sense as the data in the certificate is considered public anyway.)
Perhaps we can do this:
- We add a ssl_key_decrypt_command parameter.
- If this is set, set the callback that executes this script, reads the stdout, and returns the value.
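The following is an added example, not code from this issue or from Puma, written in Ruby (the language Puma's configuration layer is written in; Ruby's openssl binding drives the same OpenSSL passphrase callback that SSL_CTX_set_default_passwd_cb sets at the C level). It shows both strategies the post compares side by side: the NGINX-style passphrase file, where each line is tried in turn, and the Apache-style passphrase command, whose stdout is the passphrase. The key and passphrase are constructed in the block; the load_private_key keyword names (password_file, decrypt_command) are this example's and not Puma options.

```ruby
require "openssl"
require "open3"
require "tempfile"

# Constructed sample material (not from the issue): a throwaway RSA key,
# exported encrypted with a passphrase, standing in for a customer's
# encrypted key-at-rest on disk.
SAMPLE_PASSPHRASE = "correct horse battery staple".freeze
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
ENCRYPTED_PEM = SAMPLE_KEY.export(OpenSSL::Cipher.new("aes-256-cbc"), SAMPLE_PASSPHRASE)

# Strategy 1 (NGINX ssl_password_file): the file holds one candidate
# passphrase per line; try each until one decrypts the key.
def decrypt_with_password_file(pem, password_file)
  File.readlines(password_file, chomp: true).each do |candidate|
    next if candidate.empty? # an empty passphrase would fall back to a tty prompt
    begin
      return OpenSSL::PKey.read(pem, candidate)
    rescue OpenSSL::PKey::PKeyError
      next # wrong passphrase (bad decrypt): try the next line
    end
  end
  raise OpenSSL::PKey::PKeyError, "no passphrase in #{password_file} decrypts the key"
end

# Strategy 2 (Apache SSLPassPhraseDialog, the proposed ssl_key_decrypt_command):
# run a command and use its stdout, minus the trailing newline, as the passphrase.
# A non-zero exit is treated as a hard failure rather than an empty passphrase.
def decrypt_with_command(pem, command)
  out, status = Open3.capture2(command)
  raise "passphrase command exited #{status.exitstatus}" unless status.success?
  OpenSSL::PKey.read(pem, out.chomp)
end

# Hypothetical loader mirroring the proposal. Keyword names are this
# example's, not Puma's; the command takes precedence when both are set.
def load_private_key(pem, password_file: nil, decrypt_command: nil)
  if decrypt_command
    decrypt_with_command(pem, decrypt_command)
  elsif password_file
    decrypt_with_password_file(pem, password_file)
  else
    OpenSSL::PKey.read(pem) # plaintext key: the current behaviour
  end
end

# Helper: write candidate passphrases to a temp file (created 0600, not
# auto-unlinked) and return its path.
def write_password_file(passphrases)
  f = Tempfile.create("ssl_password_file")
  f.write(passphrases.join("\n") + "\n")
  f.close
  f.path
end
```

The passphrase-file route keeps a second secret on disk, so the file needs the same ownership and 0600 permissions as the key itself; the command route lets the passphrase come from a secret manager or a FIFO fed by a background process, as in the NGINX/Vault write-up linked above, without ever being written to the filesystem.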