diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/mod_ssl.h mod_ssl-2.3.5-1.3.6/pkg.sslmod/mod_ssl.h --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/mod_ssl.h Wed Jul 14 12:44:59 1999 +++ mod_ssl-2.3.5-1.3.6/pkg.sslmod/mod_ssl.h Wed Jul 14 13:45:48 1999 @@ -400,7 +400,8 @@ typedef enum { SSL_PPTYPE_UNSET = UNSET, SSL_PPTYPE_BUILTIN = 0, - SSL_PPTYPE_FILTER = 1 + SSL_PPTYPE_FILTER = 1, + SSL_PPTYPE_NONE = 2 } ssl_pphrase_t; /* @@ -498,6 +499,7 @@ int nMutexFD; int nMutexSEMID; array_header *aRandSeed; + pool *pCrtPool; ssl_ds_table *tPublicCert; ssl_ds_table *tPrivateKey; struct { @@ -658,7 +660,7 @@ void ssl_scache_shm_status(server_rec *, pool *, void (*)(char *, void *), void *); /* Pass Phrase Support */ -void ssl_pphrase_Handle(server_rec *, pool *); +void ssl_pphrase_Handle(server_rec *, pool *, BOOL); int ssl_pphrase_Handle_CB(char *, int, int); /* Diffie-Hellman Parameter Support */ diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_config.c mod_ssl-2.3.5-1.3.6/pkg.sslmod/ssl_engine_config.c --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_config.c Wed Jul 14 12:44:59 1999 +++ mod_ssl-2.3.5-1.3.6/pkg.sslmod/ssl_engine_config.c Wed Jul 14 13:44:36 1999 @@ -138,8 +138,9 @@ mc->nMutexFD = -1; mc->nMutexSEMID = -1; mc->aRandSeed = ap_make_array(pPool, 4, sizeof(ssl_randseed_t)); - mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); - mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); + mc->pCrtPool = ap_make_sub_pool(pPool); + mc->tPrivateKey = ssl_ds_table_make(mc->pCrtPool, sizeof(ssl_asn1_t)); + mc->tPublicCert = ssl_ds_table_make(mc->pCrtPool, sizeof(ssl_asn1_t)); #ifdef SSL_VENDOR mc->ctx = ap_ctx_new(pPool); @@ -396,6 +397,10 @@ return err; if (strcEQ(arg, "builtin")) { sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; + sc->szPassPhraseDialogPath = NULL; + } + else if (strcEQ(arg, "none")) { + sc->nPassPhraseDialogType = SSL_PPTYPE_NONE; sc->szPassPhraseDialogPath = NULL; } else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) { diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_init.c mod_ssl-2.3.5-1.3.6/pkg.sslmod/ssl_engine_init.c --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_init.c Wed Jul 14 12:44:59 1999 +++ mod_ssl-2.3.5-1.3.6/pkg.sslmod/ssl_engine_init.c Wed Jul 14 12:45:33 1999 @@ -233,11 +233,19 @@ } #endif if (mc->nInitCount == 1) { - ssl_pphrase_Handle(s, p); + ssl_pphrase_Handle(s, p, FALSE); #ifndef WIN32 return; #endif } + +#ifdef WIN32 + if (mc->nInitCount > 1) + ssl_pphrase_Handle(s, p, TRUE); +#else + if (mc->nInitCount > 2) + ssl_pphrase_Handle(s, p, TRUE); +#endif /* * Warn the user that he should use the session cache. diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_pphrase.c mod_ssl-2.3.5-1.3.6/pkg.sslmod/ssl_engine_pphrase.c --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_pphrase.c Wed Jul 14 12:44:59 1999 +++ mod_ssl-2.3.5-1.3.6/pkg.sslmod/ssl_engine_pphrase.c Wed Jul 14 13:49:45 1999 @@ -76,7 +76,7 @@ #define BUILTIN_DIALOG_BACKOFF 2 #define BUILTIN_DIALOG_RETRIES 5 -void ssl_pphrase_Handle(server_rec *s, pool *p) +void ssl_pphrase_Handle(server_rec *s, pool *p, BOOL bGracefulRestart) { SSLModConfigRec *mc = myModConfig(); SSLSrvConfigRec *sc; @@ -104,6 +104,26 @@ char *cp; /* + * Do nothing on graceful restarts if we have SSL_PTYPE_BUILTIN anywhere + */ + if (bGracefulRestart) { + for (pServ = s; pServ != NULL; pServ = pServ->next) { + sc = mySrvConfig(pServ); + if (!sc->bEnabled) + continue; + if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) { + cpVHostID = ssl_util_vhostid(p, pServ); + ssl_log(pServ, SSL_LOG_INFO, + "Init: Skipping certificate & private key reload on all " + "servers because of SSLPassPhraseDialog=builtin on " + "SSL-aware server %s", + cpVHostID); + return 0; + } + } + } + + /* * Start with a fresh pass phrase array */ aPassPhrase = ssl_ds_array_make(p, sizeof(char *)); @@ -111,6 +131,17 @@ nPassPhraseDialog = 0; /* + * Clear the certificate and key hashes if this is a restart + */ + if (bGracefulRestart) { + ssl_ds_table_kill(mc->tPrivateKey); + ssl_ds_table_kill(mc->tPublicCert); + ap_clear_pool(mc->pCrtPool); + mc->tPrivateKey = ssl_ds_table_make(mc->pCrtPool, sizeof(ssl_asn1_t)); + mc->tPublicCert = ssl_ds_table_make(mc->pCrtPool, sizeof(ssl_asn1_t)); + } + + /* * Walk through all configured servers */ for (pServ = s; pServ != NULL; pServ = pServ->next) { @@ -171,10 +202,10 @@ * certificate is actually used to configure mod_ssl's per-server * configuration structures). */ - cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an); + cp = ap_psprintf(mc->pCrtPool, "%s:%s", cpVHostID, an); asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPublicCert, cp); asn1->nData = i2d_X509(pX509Cert, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = ap_palloc(mc->pCrtPool, asn1->nData); ucp = asn1->cpData; i2d_X509(pX509Cert, &ucp); /* 2nd arg increments */ /* @@ -348,10 +379,10 @@ * because the SSL library uses static variables inside a * RSA structure which do not survive DSO reloads!) */ - cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an); + cp = ap_psprintf(mc->pCrtPool, "%s:%s", cpVHostID, an); asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPrivateKey, cp); asn1->nData = i2d_PrivateKey(pPrivateKey, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = ap_palloc(mc->pCrtPool, asn1->nData); ucp = asn1->cpData; i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */ /* @@ -502,6 +533,19 @@ result = ssl_util_readfilter(s, p, cmd); ap_cpystrn(buf, result, bufsize); len = strlen(buf); + } + + /* + * No passphrase dialouge option + */ + else if (sc->nPassPhraseDialogType == SSL_PPTYPE_NONE) { + char *prompt; + int i; + + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Init: Key is encrypted with SSLPassPhraseDialog=none for server %s", + cpVHostID); + ssl_die(); } /*