diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/mod_ssl.h mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/mod_ssl.h --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/mod_ssl.h Mon Jul 5 17:54:00 1999 +++ mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/mod_ssl.h Mon Jul 5 20:10:17 1999 @@ -400,7 +400,8 @@ typedef enum { SSL_PPTYPE_UNSET = UNSET, SSL_PPTYPE_BUILTIN = 0, - SSL_PPTYPE_FILTER = 1 + SSL_PPTYPE_FILTER = 1, + SSL_PPTYPE_NONE = 2 } ssl_pphrase_t; /* @@ -658,7 +659,7 @@ void ssl_scache_shm_status(server_rec *, pool *, void (*)(char *, void *), void *); /* Pass Phrase Support */ -void ssl_pphrase_Handle(server_rec *, pool *); +void ssl_pphrase_Handle(server_rec *, pool *, BOOL); int ssl_pphrase_Handle_CB(char *, int, int); /* Diffie-Hellman Parameter Support */ diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_config.c mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/ssl_engine_config.c --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_config.c Mon Jul 5 14:03:02 1999 +++ mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/ssl_engine_config.c Mon Jul 5 19:35:38 1999 @@ -398,6 +398,10 @@ sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; sc->szPassPhraseDialogPath = NULL; } + else if (strcEQ(arg, "none")) { + sc->nPassPhraseDialogType = SSL_PPTYPE_NONE; + sc->szPassPhraseDialogPath = NULL; + } else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) { sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER; sc->szPassPhraseDialogPath = ap_server_root_relative(cmd->pool, arg+5); diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_init.c mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/ssl_engine_init.c --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_init.c Mon Jul 5 14:02:29 1999 +++ mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/ssl_engine_init.c Mon Jul 5 17:21:13 1999 @@ -233,11 +233,19 @@ } #endif if (mc->nInitCount == 1) { - ssl_pphrase_Handle(s, p); + ssl_pphrase_Handle(s, p, FALSE); #ifndef WIN32 return; #endif } + +#ifdef WIN32 + if (mc->nInitCount > 1) + ssl_pphrase_Handle(s, p, TRUE); +#else + if (mc->nInitCount > 2) + ssl_pphrase_Handle(s, p, TRUE); +#endif /* * Warn the user that he should use the session cache. diff -r -u3 mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_pphrase.c mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/ssl_engine_pphrase.c --- mod_ssl-2.3.5-1.3.6_orig/pkg.sslmod/ssl_engine_pphrase.c Tue Jun 22 08:20:33 1999 +++ mod_ssl-2.3.5-1.3.6_my/pkg.sslmod/ssl_engine_pphrase.c Mon Jul 5 19:57:50 1999 @@ -76,7 +76,7 @@ #define BUILTIN_DIALOG_BACKOFF 2 #define BUILTIN_DIALOG_RETRIES 5 -void ssl_pphrase_Handle(server_rec *s, pool *p) +void ssl_pphrase_Handle(server_rec *s, pool *p, BOOL bGracefulRestart) { SSLModConfigRec *mc = myModConfig(); SSLSrvConfigRec *sc; @@ -104,6 +104,26 @@ char *cp; /* + * Do nothing on graceful restarts if we have SSL_PTYPE_BUILTIN anywhere + */ + if (bGracefulRestart) { + for (pServ = s; pServ != NULL; pServ = pServ->next) { + sc = mySrvConfig(pServ); + if (!sc->bEnabled) + continue; + if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) { + cpVHostID = ssl_util_vhostid(p, pServ); + ssl_log(pServ, SSL_LOG_INFO, + "Init: Skipping certificate & private key reload on all " + "servers because of SSLPassPhraseDialog=builtin on " + "SSL-aware server %s", + cpVHostID); + return 0; + } + } + } + + /* * Start with a fresh pass phrase array */ aPassPhrase = ssl_ds_array_make(p, sizeof(char *)); @@ -111,6 +131,16 @@ nPassPhraseDialog = 0; /* + * Clear the certificate and key hashes if this is a restart + */ + if (bGracefulRestart) { + ssl_ds_table_kill(mc->tPrivateKey); + ssl_ds_table_kill(mc->tPublicCert); + mc->tPrivateKey = ssl_ds_table_make(mc->pPool, sizeof(ssl_asn1_t)); + mc->tPublicCert = ssl_ds_table_make(mc->pPool, sizeof(ssl_asn1_t)); + } + + /* * Walk through all configured servers */ for (pServ = s; pServ != NULL; pServ = pServ->next) { @@ -502,6 +532,19 @@ result = ssl_util_readfilter(s, p, cmd); ap_cpystrn(buf, result, bufsize); len = strlen(buf); + } + + /* + * No passphrase dialouge option + */ + else if (sc->nPassPhraseDialogType == SSL_PPTYPE_NONE) { + char *prompt; + int i; + + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Init: Key is encrypted with SSLPassPhraseDialog=none for server %s", + cpVHostID); + ssl_die(); } /*