I'm not really against taking a PR if it is really clean, but my question has always been: since the encryption password is in the Apache config now, why don't you protect the private key file in the same way as the Apache config file since that renders the same security?
Hello there! Just started using the module and I noticed pretty quickly that the private keyfile that is configured via OIDCClientTokenEndpointKey doesn't appear to support encrypted private keys. Based on a quick look at the easy_curl/libcurl stuff, it looks like that underlying library should support it as a CURLOPT: https://curl.se/libcurl/c/CURLOPT_KEYPASSWD.html
C is absolutely not my strong suit, but I forked and created a PR into my own repo to play around with this: tzfx#1
Is this something that would be worth including? Or is there some other sneaky way I should be handing in my key that isn't immediately obvious? I'm not super keen on keeping unencrypted private keys hanging out in my Apache server.
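An added example, not code from mod_auth_openidc or from either poster, that covers both sides of this thread: a POSIX sh audit that (1) tells whether the PEM file named by OIDCClientTokenEndpointKey is actually encrypted, and (2) checks the maintainer's point that the key file must be locked down at least as tightly as the Apache config that would carry its passphrase. The config fragment, the PEM samples (no real key material) and the file paths are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of mod_auth_openidc): audit a private key file
# referenced by OIDCClientTokenEndpointKey.
#   1. Is the PEM encrypted, i.e. does it need a passphrase to load?
#   2. Does the key file grant group/others nothing the Apache config
#      (which would hold the passphrase) does not also grant, and never
#      any world access?
# Only POSIX sh, grep, find and chmod are used, so this runs offline.

# pem_is_encrypted FILE -> 0 if the PEM carries an encryption marker.
# PKCS#8 encrypted keys use "BEGIN ENCRYPTED PRIVATE KEY"; legacy OpenSSL
# PEM puts a "Proc-Type: 4,ENCRYPTED" header after the BEGIN line.
pem_is_encrypted() {
  grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
          -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# has_bits FILE OCTAL -> 0 if every permission bit in OCTAL is set.
# POSIX "find -perm -mode" matches when all listed bits are present.
has_bits() {
  [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]
}

# key_no_looser_than_config KEY CONF -> 0 if KEY grants group/others no
# bit that CONF does not also grant, and grants others nothing at all.
key_no_looser_than_config() {
  k=$1 c=$2
  for bit in 004 002 001 040 020 010; do
    if has_bits "$k" "$bit" && ! has_bits "$c" "$bit"; then
      return 1
    fi
  done
  # world access to a private key is never acceptable
  ! has_bits "$k" 004 && ! has_bits "$k" 002 && ! has_bits "$k" 001
}

# audit_key KEY CONF -> prints both findings for KEY.
audit_key() {
  if pem_is_encrypted "$1"; then echo "$1: encrypted PEM"
  else echo "$1: UNENCRYPTED PEM"; fi
  if key_no_looser_than_config "$1" "$2"; then echo "$1: permissions ok"
  else echo "$1: permissions looser than $2"; fi
}

# --- constructed sample files (hypothetical paths, no real key material) ---
demo_dir=$(mktemp -d)
conf="$demo_dir/openidc.conf"
enc_key="$demo_dir/client-enc.key"
plain_key="$demo_dir/client-plain.key"

cat > "$conf" <<'EOF'
# constructed Apache fragment; a key passphrase directive would live in
# this file too, so it must be protected as carefully as the key itself
OIDCClientTokenEndpointKey /etc/apache2/keys/client-enc.key
EOF
cat > "$enc_key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5
-----END ENCRYPTED PRIVATE KEY-----
EOF
cat > "$plain_key" <<'EOF'
-----BEGIN PRIVATE KEY-----
Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5
-----END PRIVATE KEY-----
EOF
chmod 640 "$conf"
chmod 600 "$enc_key"
chmod 644 "$plain_key"   # deliberately too open, to show the failure

audit_key "$enc_key" "$conf"
audit_key "$plain_key" "$conf"
```

Run it as-is to see one key pass both checks and the other fail both; in practice you would point `audit_key` at the real key path from your Apache config and at the config file itself. The permission check is bit-based (`find -perm`), so it gives the same answer whether or not you run it as root.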