On Thu, Apr 27, 2000, Kirk Benson wrote:
> After verifying Jan's suggestion, I was sufficiently intrigued to look at
> the source code, and downloaded the 2.6.3 tarball. Inspection shows that
> line 492 in ssl_engine_pphrase.c is:
>
> if ((i = EVP_read_pw_string(buf, bufsize, prompt, ask_twice)) != 0) {
>
> The variable ask_twice is an input parameter to the containing function:
>
> int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
>
> Which in turn is a callback from open_ssl. Since the second input is
> apparently unnecessary, I'd suggest changing line 492 to be:
>
> if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) {
>
> Comments? Ralf?

I've checked OpenSSL and the variable is actually a read or read-write
indicator. If OpenSSL wants to write something it asks that callback
to verify the entered passphrase. The question is just why the hell
OpenSSL under Win32 thinks it should write anything for which the
password is required.

OTOH you're right: in mod_ssl we use the pass phrase dialog _only_ for
reading private keys, so we can force a 0/FALSE value here. I've changed
this for mod_ssl 2.6.4 now. Thanks for discovering the details.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
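
The read versus read-write flag discussed in this thread, as an added example that is not code from mod_ssl or OpenSSL: a passphrase callback that asks twice only when a key is being written, and a read-only wrapper that forces the flag to 0. The names pp_input, pp_ask, pp_callback and pp_callback_read_only are hypothetical, and the "typed" lines are constructed so the example runs without a terminal.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a no-echo terminal prompt: hands back
 * constructed "typed" lines and counts how often the user was asked. */
struct pp_input { const char **lines; int count, next, prompts; };

static const char *pp_ask(struct pp_input *in)
{
    in->prompts++;
    return in->next < in->count ? in->lines[in->next++] : NULL;
}

/* Same parameter shape as an OpenSSL PEM passphrase callback. rwflag is
 * 0 when a key is being read (decrypt) and 1 when one is being written
 * (encrypt); only the write case asks twice and compares.
 * Returns the passphrase length, or -1 on failure. */
static int pp_callback(char *buf, int size, int rwflag, void *u)
{
    struct pp_input *in = u;
    const char *first = pp_ask(in), *second;
    size_t len = first ? strlen(first) : 0;

    if (len == 0 || size <= 0 || len >= (size_t)size)
        return -1;                      /* empty, or would not fit with NUL */
    if (rwflag) {
        second = pp_ask(in);
        if (second == NULL || strcmp(first, second) != 0)
            return -1;                  /* confirmation missing or mismatched */
    }
    memcpy(buf, first, len + 1);
    return (int)len;
}

/* A server that only ever loads existing keys can ignore the flag. */
static int pp_callback_read_only(char *buf, int size, int rwflag, void *u)
{
    (void)rwflag;
    return pp_callback(buf, size, 0, u);
}

int main(void)
{
    const char *typed[] = { "constructed-pass", "constructed-pass" };
    struct pp_input in = { typed, 2, 0, 0 };
    char buf[64];
    int n = pp_callback_read_only(buf, (int)sizeof buf, 1, &in);

    printf("len=%d prompts=%d\n", n, in.prompts);
    return 0;
}
```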