This posting concerns only Apache and mod_ssl on Win32.

After posting the following messages on the mod_ssl mail list, I did some more poking around with the debugger. My findings follow:

1) The password prompting originates in routine post_parse_init() in http_main.c. It would seem to me that the call to "ap_init_modules(pconf, server_conf);" could be skipped if this is not a child process (-Z parameter) AND not running in single process mode (-X parameter). This would mean that mod_ssl would normally not be initialized in the parent process, and hence would not prompt for a passphrase.

I considered just adding parameters to post_parse_init() conveying the child/one-process booleans; however, it appears that the routine is also called from service_init(), and I can't tell what is supposed to happen when Apache runs as a NT service. Therefore, I implemented the fix as follows:

a) created routine post_parse_init2(int child) as a copy of post_parse_init

b)

    #ifdef WIN32
        post_parse_init2(child);
    #else
        post_parse_init();
    #endif

c) The code for post_parse_init2 is:

    #ifdef WIN32
    void post_parse_init2(int child)
    {
        ap_set_version();
        if (child || one_process)
            ap_init_modules(pconf, server_conf);
        ap_suexec_enabled = init_suexec();
        version_locked++;
        ap_open_logs(server_conf, plog);
        set_group_privs();
    }
    #endif

2) When a child is created, the code in create_process() does not fill in si.hStdOutput or si.hStdError. When I modified the code to set these fields via:

    si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
    si.hStdError = GetStdHandle(STD_ERROR_HANDLE);

I then saw the prompt string! It appears that it is the stderr handle that is needed.

3) Finally, ap_init_modules() is also called in subroutine master_main(). I enclosed the call as follows:

    #ifndef WIN32
        ap_init_modules(pconf, server_conf);
    #endif

With these changes to http_main.c, I was able to start Apache, enter a single passphrase at the prompt, and then connect via SSL.
I also submitted this as a bug report via the main apache web page.

regards
Kirk Benson
BROKAT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kirk Benson
Sent: Wednesday, May 10, 2000 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: password - ask_twice (noch einmal)

Yesterday I downloaded the latest OpenSA Win32 source distribution for Apache-1.3.12/mod_ssl-2.6.3 and built a debug version. I incorporated the 1-line fix I previously suggested to Ralf (original message below) to see if the problem was actually fixed. It was not!

However, I did discover the cause of why the passphrase must be entered twice. The Apache executable creates a single child process, (which inherits the parent console), and it is the child which is hanging waiting for entry of the passphrase. This also explains why a single entry does work when Apache is started with the -X command line parameter.

I'm not yet familiar with the source code, so I can't suggest a fix. I assume that this is not a problem in UNIX because a forked child gets a copy of the parent's memory and thus inherits a decrypted key, while in NT CreateProcess() does not give a memory copy. One idea that comes to mind is for the parent to put the passphrase into an environment variable; since the environment is inheritable, the child could obtain the passphrase therefrom.

It is not clear as well why the child process is not able to write a prompt string before reading, at least making it clear what is needed.

In the meanwhile, I'm just going to go with an unencrypted key 8-P

regards
Kirk

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Kirk Benson
> Sent: Thursday, April 27, 2000 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Re: password - ask_twice
>
>
> After verifying Jan's suggestion, I was sufficiently intrigued to look at
> the source code, and downloaded the 2.6.3 tarball.
> Inspection shows that line 492 in ssl_engine_pphrase.c is:
>
>     if ((i = EVP_read_pw_string(buf, bufsize, prompt, ask_twice)) != 0) {
>
> The variable ask_twice is an input parameter to the containing function:
>
>     int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
>
> Which in turn is a callback from open_ssl. Since the second input is
> apparently unnecessary, I'd suggest changing line 492 to be:
>
>     if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) {
>
> Comments? Ralf?
>
> cheers
> Kirk
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
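
Added example, not part of the original messages and not Apache or mod_ssl code: a POSIX Python sketch of the process-creation difference the thread describes, where a forked child already holds the secret but a freshly created process (as with CreateProcess()) does not and must be handed it. The function names, the DEMO_PASSPHRASE variable and the passphrase value are hypothetical and constructed for the demonstration.

```python
import os
import subprocess
import sys

PASSPHRASE = None  # filled in once the parent has "prompted" for it

# Program run by the freshly created child: a new image with no copy of the
# parent's memory. DEMO_PASSPHRASE is a hypothetical variable name.
CHILD = (
    "import os, sys\n"
    "line = sys.stdin.readline().strip()\n"
    "print('PASSPHRASE' in globals(), os.environ.get('DEMO_PASSPHRASE', ''), line, sep='|')\n"
)

def prompt_once():
    """Stand-in for the interactive prompt; the value is a constructed sample."""
    global PASSPHRASE
    PASSPHRASE = "constructed-sample-passphrase"

def forked_child_sees_passphrase():
    """fork(): the child is a copy of the parent, so the secret is already there."""
    pid = os.fork()
    if pid == 0:                       # child: report through the exit status only
        os._exit(0 if PASSPHRASE else 1)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) == 0

def fresh_child(handoff=None):
    """New process image; handoff is None, 'env' or 'pipe'."""
    env = {k: v for k, v in os.environ.items() if k != "DEMO_PASSPHRASE"}
    if handoff == "env":
        env["DEMO_PASSPHRASE"] = PASSPHRASE        # stays in the child's environment
    stdin_data = PASSPHRASE + "\n" if handoff == "pipe" else "\n"
    out = subprocess.run([sys.executable, "-c", CHILD], input=stdin_data, env=env,
                         capture_output=True, text=True, check=True).stdout.strip()
    in_memory, from_env, from_pipe = out.split("|")
    return {"memory": in_memory == "True", "env": from_env, "pipe": from_pipe}

if __name__ == "__main__":
    prompt_once()
    print("forked child has it:", forked_child_sees_passphrase())
    for mode in (None, "env", "pipe"):
        print(mode, fresh_child(mode))
```

A value placed in the environment stays in the child's environment block for its lifetime and is passed on by default to anything the child launches, while the value written to the pipe is read once by the child.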