Skip to content

Support decryption of SSL key #3133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MSP-Greg merged 4 commits into from
Apr 30, 2023
Merged

Support decryption of SSL key #3133

MSP-Greg merged 4 commits into from
Apr 30, 2023

Conversation

@stanhu
Copy link
Contributor

@stanhu stanhu commented Apr 26, 2023
edited
Loading

This pull request makes it possible to store an encrypted SSL key on disk and have Puma decrypt it at runtime by supplying a key_password_command. Supplying a key_password_command will cause Puma to:

  1. Execute the external program.
  2. Read the password from stdout and remove the trailing newline.
  3. Configure the OpenSSL callbacks to use the password.

Other Web servers, such as NGINX and Apache, have a similar feature.
NGINX only allows supplying a password file via the ssl_password
parameter (https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/),
while Apache has a SSLPassPhraseDialog option (https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog) that allows an admin to execute an external program.

Closes #3132

Description

Please describe your pull request. Thank you for contributing! You're the best.

Your checklist for this pull request

  • I have reviewed the guidelines for contributing to this repository.
  • I have added (or updated) appropriate tests if this PR fixes a bug or adds a feature.
  • My pull request is 100 lines added/removed or less so that it can be easily reviewed.
  • If this PR doesn't need tests (docs change), I added [ci skip] to the title of the PR.
  • If this closes any issues, I have added "Closes #issue" to the PR description or my commit messages.
  • I have updated the documentation accordingly.
  • All new and existing tests passed, including Rubocop.

@stanhu stanhu marked this pull request as draft April 26, 2023 19:29
@stanhu stanhu force-pushed the sh-support-openssl-decrypt-key branch 2 times, most recently from f313f4f to 0e32efc Compare April 29, 2023 05:15
@stanhu stanhu marked this pull request as ready for review April 29, 2023 05:15
@stanhu
Support decryption of SSL key
8cf9ce2 
This commit makes it possible to store an encrypted SSL key on disk
and have Puma decrypt it at runtime by supplying a
`key_password_command`. Supplying a `key_password_command` will cause
Puma to:

1. Execute the external program.
2. Read the password from stdout and remove the trailing newline.
2. Configure the OpenSSL callbacks to use the password.

Other Web servers, such as NGINX and Apache, have a similar feature.
NGINX only allows supplying a password file via the `ssl_password`
parameter (https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/),
while Apache has a `SSLPassPhraseDialog` option (https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog)
that allows an admin to execute an external program.

Closes puma#3132
@stanhu stanhu force-pushed the sh-support-openssl-decrypt-key branch from 0e32efc to 8cf9ce2 Compare April 29, 2023 05:21
@stanhu
Exclude Windows from encrypted SSL key tests
80d9c02 
shell scripts can't be executed in Windows, so let's
not bother.
@MSP-Greg
Copy link
Member

MSP-Greg commented Apr 29, 2023

@stanhu

Thank you for the PR. Good idea.

Re the Windows tests, I think they'll run and pass with the changes at MSP-Greg@096b970f01 (or the patch).

@stanhu
Copy link
Contributor Author

stanhu commented Apr 29, 2023

@MSP-Greg Thanks for the quick review and patch! Could you take a look now?

@MSP-Greg MSP-Greg merged commit 0ce4149 into puma:master Apr 30, 2023
@nateberkopec
Copy link
Member

nateberkopec commented May 3, 2023

Great work @stanhu 👍

@stanhu
Copy link
Contributor Author

stanhu commented May 3, 2023

@nateberkopec Sure thing! When is the next Puma release slated to go out?

@nateberkopec
Copy link
Member

nateberkopec commented May 4, 2023

Probably 2 weeks

@dentarg dentarg mentioned this pull request Jun 2, 2023
Closed
maxlazio pushed a commit to gitlabhq/omnibus-gitlab that referenced this pull request Jun 8, 2023
@stanhu
Support Puma key_password_command for SSL key decryption
3511796 
This commit adds support for `puma['ssl_key_password_command']` to
make it possible to store encrypted SSL keys on disk.

This requires Puma v6.3.0 (puma/puma#3133) to
work: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122200.

Relates to https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7799

Changelog: added
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MSP-Greg MSP-Greg MSP-Greg approved these changes

Assignees

No one assigned

Labels

c-ext feature ssl

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support the ability to decrypt SSL key

3 participants

@stanhu @MSP-Greg @nateberkopec