Index | Thread | Search

From:
Jan Schreiber <jes@posteo.de>
Subject:
Re: httpd: support encrypted tls server keys
To:
Christian Schulte <cs@schulte.it>, Peter Hessler <phessler@openbsd.org>, tech@openbsd.org
Date:
Tue, 24 Feb 2026 11:32:38 +0000

Download raw body.

Thread 

On 2/21/26 21:38, Christian Schulte wrote:
> Am 21.02.2026 um 14:01 schrieb Stuart Henderson:
>> On 2026/02/20 18:47, Peter Hessler wrote:
>>> I hate _hate_ _HATE_ the bullshit permissions checking that isn't
>>> necessary.
>> I totally agree, especially the checks for group-writable in many
>> parse.y that make no sense at all...
>>
> What drew attention to this was someone wanting to add support for
> cleartext passwords in httpd.conf. It then turned out relayd.conf may
> contain cleartext passwords already, for whatever reason. I strongly
> agree that storing cleartext passwords anywhere if avoidable is a bad
> idea. There has been a lot of discussion about this at cyrus-sasl@,
> where they repeatedly have to explain why there is no way around storing
> cleartext passwords for theire use cases. That relayd.conf may contain
> cleartext passwords already - for whatever reason - made me report that
> bug. Origin of relayd.conf is hoststated.conf introduced by [1] with
> mode 0600. Later renamed to relayd.conf in [2] also with mode 0600.
> Nothing stops a user from creating those files from scratch, rather than
> copying defaults including file permissions and that may lead to
> insecure file permissions so at least nanny the user about, or give a
> fuck about it.
>
> 0x02# ls -lah /etc/relayd.conf
> ls: /etc/relayd.conf: No such file or directory
> 0x02# touch /etc/relayd.conf
> 0x02# ls -lah /etc/relayd.conf
> -rw-r--r--  1 root  wheel     0B Feb 21 21:23 /etc/relayd.conf
> ^^^^^^^^^^
> 0x02# ls -lah /etc/examples/relayd.conf
> -rw-------  1 root  wheel   2.7K Feb 21 07:06 /etc/examples/relayd.conf
> ^^^^^^^^^^
> 0x02# rm /etc/relayd.conf
>
>
> [1]
> <https://github.com/openbsd/src/commit/201b0bc9bbc9ea830726e19ed78b51c15b81e21f>
> [2]
> <https://github.com/openbsd/src/commit/4d9c5f5b4438cf3c709db52ab5dab3e752a22ed2>
>
> Just my 2cents,
> ...
I'm fine with not supporting this feature in httpd. If I'm not mistaken 
nginx also does not support plaintext
passwords in its config. A consensus about warning the user or generally 
ignoring it would be good though.
Right now it is inconsistent and I can't imagine that being the 
preferred situation.