From: Jan Schreiber Subject: Re: httpd: support encrypted tls server keys To: Peter Hessler Cc: Christian Schulte , tech@openbsd.org Date: Fri, 20 Feb 2026 21:04:28 +0000 On 2/20/26 18:47, Peter Hessler wrote: > On 2026 Feb 20 (Fri) at 15:32:50 +0000 (+0000), Jan Schreiber wrote: > : > : > :On 2/18/26 02:52, Christian Schulte wrote: > :> Am 15.02.2026 um 15:45 schrieb Jan Schreiber: > :> > While there I notices relayd also never calls check_file_secrecy. > :> > So the ca key password will also be visible in the relayd.conf > :> > > :> > If it's the right way I'll send an additional diff for relayd in another > :> > thread. > :> Maybe a bug [1]. > :> > :> [1] > :> > :Looks to me it either was forgotten or abandoned. I think it's a good idea to > :check every config > :for the right permissions by default (by removing the additional integer. > :What do you think? If it's something that is useful I'm happy to extend my > :patchset (or start a new one). > : > > I hate _hate_ _HATE_ the bullshit permissions checking that isn't > necessary. > > Unreadable to anyone isn't the right thing to do, the right thing is to > not have a plaintext password for your crypto setup. This has now become a two part thing. Httpd can certainly stay the way it is (maybe only remove the comment about supporting encrypted TLS keys in the future). Relayd still supports plaintext passwords in its config and does not check the permissions. The flag for permissions checking in parse.y exists but is not used in a consistent way. I do not have a strong opinion on it except that the usage should probably the same in the daemons.