On 04/12/2014 12:37 PM, Kaspar Brand wrote:
[picking this up from the comment in "Re: svn commit: r1585902 - ..."]
On 09.04.2014 21:56, Jeff Trawick wrote:
IMO this needs to be reworked to restore compatibility for 2.x up
through 2.4.7, with the new interface used if some new keyword is
added on the directive. Yeah, some people who reworked their scripts
will have to add that new keyword, but this will unblock others
(vendors, distros, individuals) from upgrading without surprise.
We can partly restore the argument structure for "exec"-type programs,
but effectively, lifting the limit of 2 (or 3) certs per SSL host means
that there's no longer a reliable way of determining if we are actually
loading an "RSA", "DSA", or "ECC" key when calling the
SSLPassPhraseDialog program.
It would be useful to have the same arguments as before, but if that's
not possible to do in all cases now, I would say just increasing the
arguments count won't help anything.
One option for improving backward compatibility with existing
SSLPassPhraseDialog programs could consist of keeping the two-argument
structure (servername:portnumber and index), and to replace the indexes
0 through 2 with the "RSA", "DSA", and "ECC" strings, respectively, as
illustrated by the attached patch (quickly hacked up PoC).
I will check the patch. I have a patch here too, but it's not ready
yet (found that after some more testing during the weekend...).
The primary question is on what arguments existing passphrase handling
programs are specifically relying - i.e. if it's mostly about only
having servername:portnumber in the first argument, or whether the
accuracy of RSA/DSA/ECC is equally important.
I have already asked the original reporter of this incompatibility, but
I have not received an answer yet. I will try to ask him again and will
write an email if I get a response this time.
My guess is that they are just using that second argument in the script
and since the argument is not here, the script is failing now. I don't
think it's used for anything more important than that, but I have no
clue right now.
Anyway, would you merge your documentation patch into httpd-2.4, with a
mention that it changed in 2.4.9?
Kaspar
Jan Kaluza
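The compatibility question discussed above (whether an "exec"-type SSLPassPhraseDialog program receives a numeric index or an "RSA"/"DSA"/"ECC" string as its second argument) can be absorbed on the script side. The following is an added example of such a helper script; it is not httpd's code and not the patch from the thread. It assumes the two-argument form "servername:portnumber" plus either a key-type string or an index, and it uses the index-to-type mapping the PoC describes (0, 1, 2 for RSA, DSA, ECC); the passphrase store is constructed sample data in place of the root-only file a deployment would read.

```shell
#!/bin/sh
# Hypothetical SSLPassPhraseDialog "exec:" helper (added example, not
# httpd's own code). It accepts both argument conventions discussed on
# the list:
#   servername:portnumber RSA|DSA|ECC   (key-type string)
#   servername:portnumber 0|1|2         (index, mapped per the PoC)
# A passphrase is looked up per vhost *and* key type, so an unexpected
# argument fails loudly instead of handing mod_ssl a wrong secret.

# Map the second argument to a canonical key-type name.
# Assumed mapping from the PoC description: 0 -> RSA, 1 -> DSA, 2 -> ECC.
# Anything else is rejected with a non-zero status.
normalize_key_type() {
    case "$1" in
        RSA|DSA|ECC) printf '%s\n' "$1" ;;
        0) printf 'RSA\n' ;;
        1) printf 'DSA\n' ;;
        2) printf 'ECC\n' ;;
        *) return 1 ;;
    esac
}

# Constructed sample store, one "servername:port keytype passphrase"
# record per line. A real helper would read a file with mode 0600
# owned by root instead of embedding secrets in the script.
PASSPHRASE_STORE='www.example.com:443 RSA rsa-secret-example
www.example.com:443 ECC ecc-secret-example
mail.example.com:443 RSA mail-rsa-secret-example'

# Print the passphrase for a vhost/key pair on stdout (what mod_ssl
# reads). Exit status 2 for an unrecognised key argument, 1 when no
# record matches; stdout stays empty in both failure cases.
lookup_passphrase() {
    vhost="$1"
    ktype=$(normalize_key_type "$2") || {
        echo "unknown key argument: $2" >&2
        return 2
    }
    secret=$(printf '%s\n' "$PASSPHRASE_STORE" | while read -r host type pass; do
        if [ "$host" = "$vhost" ] && [ "$type" = "$ktype" ]; then
            printf '%s\n' "$pass"
            break
        fi
    done)
    if [ -z "$secret" ]; then
        echo "no passphrase for $vhost ($ktype)" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

# Stand-alone use: httpd runs the helper as
#   <script> servername:portnumber <RSA|DSA|ECC or 0|1|2>
if [ "$#" -ge 2 ]; then
    lookup_passphrase "$1" "$2"
fi
```

Because the script accepts both conventions, the same helper works against 2.4.7-style invocations and against the index-passing 2.4.8/2.4.9 behaviour, and a vhost that has only an RSA key still refuses to answer for an ECC request rather than returning whatever is first in the store.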