From: Peter Hessler
Subject: Re: httpd: support encrypted tls server keys
To: Jan Schreiber
Cc: Christian Schulte, tech@openbsd.org
Date: Fri, 20 Feb 2026 18:47:49 +0100

On 2026 Feb 20 (Fri) at 15:32:50 +0000 (+0000), Jan Schreiber wrote:
:
:
:On 2/18/26 02:52, Christian Schulte wrote:
:> On 15.02.2026 at 15:45, Jan Schreiber wrote:
:> > While there I noticed relayd also never calls check_file_secrecy.
:> > So the ca key password will also be visible in the relayd.conf
:> >
:> > If it's the right way I'll send an additional diff for relayd in another
:> > thread.
:> Maybe a bug [1].
:>
:> [1]
:>
:Looks to me it either was forgotten or abandoned. I think it's a good idea to
:check every config for the right permissions by default (by removing the
:additional integer).
:What do you think? If it's something that is useful I'm happy to extend my
:patchset (or start a new one).
:

I hate _hate_ _HATE_ the bullshit permissions checking that isn't
necessary. Unreadable to anyone isn't the right thing to do, the right
thing is to not have a plaintext password for your crypto setup.

--
If you don't go to other men's funerals they won't go to yours.
		-- Clarence Day