Yesterday I downloaded the latest OpenSA Win32 source distribution for
Apache-1.3.12/mod_ssl-2.6.3 and built a debug version. I incorporated the
1-line fix I previously suggested to Ralf (original message below) to see if
the problem was actually fixed. It was not!
However, I did discover why the passphrase must be entered twice. The
Apache executable creates a single child process (which inherits the
parent console), and it is the child which is hanging waiting for entry of
the passphrase. This also explains why a single entry does work when Apache
is started with the -X command line parameter.
I'm not yet familiar with the source code, so I can't suggest a fix. I
assume that this is not a problem in UNIX because a forked child gets a copy
of the parent's memory and thus inherits a decrypted key, while in NT
CreateProcess() does not give a memory copy. One idea that comes to mind is
for the parent to put the passphrase into an environment variable; since the
environment is inheritable, the child could obtain the passphrase therefrom.
It is also not clear why the child process is not able to write a prompt
string before reading, at least making it clear what is needed.
In the meantime, I'm just going to go with an unencrypted key 8-P
regards
Kirk
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Kirk Benson
> Sent: Thursday, April 27, 2000 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Re: password - ask_twice
>
>
> After verifying Jan's suggestion, I was sufficiently intrigued to look at
> the source code, and downloaded the 2.6.3 tarball. Inspection shows that
> line 492 in ssl_engine_pphrase.c is:
>
> if ((i = EVP_read_pw_string(buf, bufsize, prompt, ask_twice)) != 0) {
>
> The variable ask_twice is an input parameter to the containing function:
>
> int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
>
> Which in turn is a callback from open_ssl. Since the second input is
> apparently unnecessary, I'd suggest changing line 492 to be:
>
> if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) {
>
> Comments? Ralf?
>
> cheers
> Kirk
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
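The mechanism discussed in the message above, as an added example that is not code from mod_ssl, Apache or the thread: a parent "unlocks" a key in memory, a fork()ed child simply finds it there, while a child started as a fresh process image does not, and must be handed the passphrase by some explicit channel. The decrypted key is a constructed stand-in derived from the passphrase, the environment variable name SSL_PASSPHRASE_DEMO and the pipe handoff are illustrative choices of mine, and the fresh-process case is simulated with a new Python interpreter because os.fork() and pass_fds are POSIX-only, so this runs on UNIX, not on NT.

```python
"""Added illustration (not mod_ssl's code): what a child process can and
cannot see of a key its parent unlocked in memory, and two explicit ways
to hand the passphrase to a child created as a fresh process image.

Constructed stand-ins: unlock_key() fakes decrypting the PEM key, and the
environment variable / pipe channel names are illustrative, not mod_ssl's.
"""
import os
import subprocess
import sys
from typing import Optional

# Stand-in for the decrypted private key the parent holds after prompting.
_DECRYPTED_KEY: Optional[bytes] = None


def unlock_key(passphrase: str) -> bytes:
    """Constructed stand-in for decrypting the key with the passphrase."""
    global _DECRYPTED_KEY
    _DECRYPTED_KEY = b"KEY:" + passphrase.encode()
    return _DECRYPTED_KEY


def _read_all(fd: int) -> bytes:
    """Read a pipe's read end to EOF and close it."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(fd)
    return b"".join(chunks)


def forked_child_sees_key() -> bytes:
    """UNIX fork(): the child gets a copy of the parent's address space,
    so the already-unlocked key is simply there without any prompt."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child: report what it can see
        os.close(r)
        os.write(w, _DECRYPTED_KEY or b"")
        os._exit(0)
    os.close(w)                       # parent keeps only the read end
    data = _read_all(r)
    os.waitpid(pid, 0)
    return data


# Probe run in a freshly created process (the CreateProcess() situation:
# new address space, nothing of the parent's heap). It can only report
# what the parent deliberately passed: an environment variable or a pipe.
_PROBE = r"""
import os, sys
src = sys.argv[1]
if src == "env":
    sys.stdout.write(os.environ.get("SSL_PASSPHRASE_DEMO", ""))
elif src == "pipe":
    fd = int(sys.argv[2])
    sys.stdout.write(os.read(fd, 4096).decode())
    os.close(fd)
"""


def fresh_process_via_env(passphrase: Optional[str]) -> str:
    """The idea from the message: put the passphrase into the environment,
    which a new process inherits. Returns what the child saw ("" if none)."""
    env = dict(os.environ)
    env.pop("SSL_PASSPHRASE_DEMO", None)
    if passphrase is not None:
        env["SSL_PASSPHRASE_DEMO"] = passphrase
    out = subprocess.run([sys.executable, "-c", _PROBE, "env"],
                         env=env, capture_output=True, text=True, check=True)
    return out.stdout


def fresh_process_via_pipe(passphrase: str) -> str:
    """Explicit handoff over a pipe inherited only by this one child."""
    r, w = os.pipe()
    proc = subprocess.Popen([sys.executable, "-c", _PROBE, "pipe", str(r)],
                            pass_fds=(r,), stdout=subprocess.PIPE, text=True)
    os.close(r)                       # parent keeps only the write end
    os.write(w, passphrase.encode())
    os.close(w)                       # EOF for the child
    out, _ = proc.communicate()
    return out


if __name__ == "__main__":
    unlock_key("correct horse")
    print("forked child sees:      ", forked_child_sees_key())
    print("fresh process, no env:  ", repr(fresh_process_via_env(None)))
    print("fresh process, env:     ", repr(fresh_process_via_env("correct horse")))
    print("fresh process, pipe:    ", repr(fresh_process_via_pipe("correct horse")))
```

The environment route does work, because a new process inherits its parent's environment block, but the environment of a running process is readable by other local tooling (`ps e` or `/proc/PID/environ` on Linux, process-inspection tools on Windows) and is inherited again by every descendant the child ever starts. A pipe handed to exactly one child is the narrower channel: the parent writes the passphrase once, closes its end, and nothing else on the host can read it afterwards.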