Description
Deprecate the passwordFile field and consolidate all password scenarios to use the password field. We will use the password options that openssl uses (see Pass Phrase Options sections). Going forward, here are three ways to specify a password in an sslProfile:

    sslProfile {
        caCertFile: .....
        certFile: .....
        # Get the password from the environment variable TLS_SERVER_PASSWORD. Note the env: prefix
        password: env:TLS_SERVER_PASSWORD
        OR
        # Get the password from the absolute file path. Note the file: prefix
        password: file:/home/tls/password-file.txt
        OR
        # Specify the actual password. Note the pass: prefix
        password: pass:actual_password
    }

(We will not be supporting the openssl options fd: and stdin.)
While you can still specify the actual password in the password field using the pass: prefix, which casual users might want to do, you are also able to specify the file path or environment variable for more robust security.
This change will be backward compatible, which means you will still be able to specify the actual password in the password field without the pass: prefix. The "literal" prefix will continue to work as well. The passwordFile field will be deprecated and eventually removed when we move to a major version.
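The prefix handling described above, as an added example that is not code from the router: `split_spec` and `resolve_password` are hypothetical names, and using only the first line of the file (as openssl does for file:) and refusing files accessible by group or other are assumptions of this example.

```python
import os
import stat

# Prefixes named in the issue text. Anything else (including openssl's
# fd: and stdin forms, which are not supported) is a legacy literal password.
PREFIXES = ("env:", "file:", "pass:", "literal:")


def split_spec(spec):
    """Return (kind, value). Only the leading prefix is split off,
    so 'pass:a:b' yields the password 'a:b'."""
    for prefix in PREFIXES:
        if spec.startswith(prefix):
            return prefix[:-1], spec[len(prefix):]
    # Backward compatible: no recognized prefix means the actual password.
    return "legacy", spec


def resolve_password(spec, environ=os.environ):
    """Resolve an sslProfile password value to the password string."""
    kind, value = split_spec(spec)
    if kind in ("pass", "literal", "legacy"):
        return value
    if kind == "env":
        if value not in environ:
            raise ValueError("environment variable %s is not set" % value)
        return environ[value]
    # kind == "file": the issue text specifies an absolute path.
    if not os.path.isabs(value):
        raise ValueError("file: requires an absolute path, got %r" % value)
    # Assumed hardening: reject password files with any group/other permission bits.
    if os.stat(value).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is accessible by group/other" % value)
    with open(value, "r") as f:
        # Assumption: the first line is the password, as with openssl's file: option.
        return f.readline().rstrip("\r\n")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_env = {"TLS_SERVER_PASSWORD": "s3cret"}
    for spec in ("env:TLS_SERVER_PASSWORD", "pass:a:b", "literal:env:X", "plain"):
        print(spec, "->", split_spec(spec)[0])
        resolve_password(spec, sample_env)
```

Because unprefixed values remain literal passwords, an existing password that itself begins with env:, file: or pass: would be reinterpreted; writing it with an explicit pass: or literal: prefix removes the ambiguity.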
Issue Links
- is duplicated by DISPATCH-1435 Special handling of SSL password text is not documented nor consistent with SASL (Closed)