I say the solution is just to disallow prompting for the pass phrase.
Therefore, the keys have to be unencrypted or an SSLPassPhraseDialog would
have to be provided. Otherwise, we just write an error out and die. I expect
that not many mod_ssl users actually use the built-in pass phrase dialogue,
because then they can't automatically start their server. I'd much rather have
this limitation than give up on graceful restarts.

 - David Harris
   Principal Engineer, DRH Internet Services
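Added example, not part of this thread or of mod_ssl itself: a pre-restart check in the spirit of what David proposes, run by the operator before issuing a graceful restart rather than inside the module. It reads SSLCertificateKeyFile paths out of an httpd.conf (path passed as the first argument, a hypothetical layout), flags any key that is pass-phrase protected (traditional PEM keys carry a "Proc-Type: 4,ENCRYPTED" header, PKCS#8 keys a "BEGIN ENCRYPTED PRIVATE KEY" block) when SSLPassPhraseDialog is left at builtin, and exits non-zero so the restart can be refused instead of dying on the "no RSA or DSA server certificate found" path with the daemon already detached from its terminal. The exec: dialog is accepted as-is; the script does not validate the helper it names.

```shell
#!/bin/sh
# Refuse a graceful restart that would need an interactive pass phrase.
# Assumptions (not from the thread): config path is $1, one directive per line,
# no Include handling. Exit status 0 = safe to restart, 1 = do a full stop/start.

# Returns 0 when the PEM file at $1 is pass-phrase protected.
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Scans one config file; prints a line per problem, returns 1 if any found.
check_restart_safe() {
    conf="$1"
    status=0

    # Last SSLPassPhraseDialog wins; absent means builtin (the interactive one).
    dialog=$(sed -n 's/^[[:space:]]*SSLPassPhraseDialog[[:space:]][[:space:]]*\(.*\)$/\1/p' "$conf" | tail -n 1)
    if [ -z "$dialog" ]; then
        dialog=builtin
    fi

    for key in $(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]][[:space:]]*\(.*\)$/\1/p' "$conf"); do
        if [ ! -r "$key" ]; then
            # A newly referenced but missing file would also kill the restart.
            echo "MISSING: $key"
            status=1
        elif key_is_encrypted "$key" && [ "$dialog" = builtin ]; then
            echo "UNSAFE: $key is encrypted and SSLPassPhraseDialog is builtin"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: sh check_restart.sh /path/to/httpd.conf && apachectl graceful
if [ -n "${1:-}" ]; then
    check_restart_safe "$1"
fi
```

Wire it in front of the graceful restart (`check_restart_safe httpd.conf && apachectl graceful`); the gate stays quiet for unencrypted keys and for an exec: dialog, which is exactly the pair of configurations that can survive a restart with nobody at the console.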


-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of [EMAIL PROTECTED]
Sent:   Saturday, July 03, 1999 4:15 AM
To:     [EMAIL PROTECTED]
Cc:     [EMAIL PROTECTED]
Subject:        Re: [BugDB] graceful restart and changing virtualhost domain (PR#183)

On Sat, Jul 03, 1999, David Harris wrote:

> I have the same problem on my server. I'm running mod_ssl-2.3.5-1.3.6.
> (Additionally, mod_ssl-2.1.6-1.3.3 appears to have the same problem.) Whenever
> I give the server a graceful restart request and have added a new certificate
> or key the restart bombs with the "Ops, no RSA or DSA server certificate
> found?!" error message from pkg.sslmod/ssl_engine_init.c function
> ssl_init_GetCertAndKey() about line 550.

Ahhhh.... WAIT! Then it's clear, this cannot work: When you add or remove a
cert from the config, you need a complete stop/start of the server, of course.
Because mod_ssl caches (and has to cache) all certificates and keys on
startup. When you add an additional private key which is encrypted how should
mod_ssl ask you for the pass phrase on restarts (where Apache is already
detached from the terminal!)? You see it? That's why you can't change
certs/keys and just use a restart? But it seems like I should add a special error
message for this situation and add an entry to the FAQ...

> [...]
> The solution would be to check for any new certificate and key files to be read
> on the module initializations caused by graceful restarts. Of course, the
> passphrase prompt would have to be disabled for this read, but that's not
> really a problem.

Oh, this is a problem, because how else should the pass phrase be read?

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
