On 13/11/2013 14:06, Kaspar Brand wrote:
>
> I'm not proposing to drop support for encrypted private keys from 2.4.x
> (yet), to be clear - I guess we need to keep this for quite some while
> for backwards compatibility. I suggest, however, to only support
> unencrypted private keys with the "SSLOpenSSLConfCmd PrivateKey"
> directive (in trunk and when backported to 2.4.x), and possibly remove
> support for encrypted private keys for SSLCertificate[Key]File in trunk.
> I.e., I'd be interested in hearing whether people are in favor of (or
> opposition to):
>
> - only supporting unencrypted private keys with "SSLOpenSSLConfCmd
> PrivateKey ..."
>
Just to clarify that. Do you mean that SSLOpenSSLConfCmd shouldn't work with encrypted private keys at all (e.g. return an error) or that it is just documented that they might not work as expected?

The SSL_CONF code (which SSLOpenSSLConfCmd uses) should have support for encrypted private keys as other applications might want to use it. The SSL_CONF code wasn't designed exclusively for mod_ssl use: though I have to admit I was partly thinking about how useful it could be in mod_ssl when I wrote it.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
