Michael,

On 10/14/20 12:46, Michael Osipov wrote:
> Folks,
> 
> I have recently upgraded a cert and left out the last char of the key
> password by accident.
> 
>> # /sbin/init.d/tomcat-smartld start
>> Starting Apache Tomcat 8.5...
>> Using CATALINA_BASE:   /var/opt/tomcat-smartld
>> Using CATALINA_HOME:   /opt/ports/apache-tomcat-8.5.57
>> Using CATALINA_TMPDIR: /var/opt/tomcat-smartld/temp
>> Using JRE_HOME:        /opt/java8
>> Using CLASSPATH:       /opt/ports/apache-tomcat-8.5.57/bin/bootstrap.jar:/opt/ports/apache-tomcat-8.5.57/bin/tomcat-juli.jar
>>
>> Tomcat started.
>> Apache Tomcat 8.5 started.
>> # Some of your private key files are encrypted for security reasons.
>> In order to read them you have to provide the pass phrases.
>> Enter password :
>>  
> 
> I have seen similar with HTTPd in the past. Since the start is async I
> have no option to react on that and it will block the entire config. I
> looked briefly in the OpenSSL API, but wasn't really able to find a flag
> to inhibit the interactive prompt.
> 
> Does someone know whether we can make this better with libtcnative?

What kind of behavior were you hoping for? I'm assuming that some kind
of exception would be best for this case (incorrect password).

Suppressing the interactive prompt is likely to simply cause the
connector to fail to initialize; basically the same thing as throwing an
exception in the above case.

I searched the Tomcat code and I don't see that string anywhere, so I
suspect it's coming directly from OpenSSL (which is very weird IMHO).

mod_ssl has a configurable way to gather this passphrase, presumably to
pass it into OpenSSL's read-key function. It would surprise me greatly
if an incorrect passphrase would cause the same kind of prompt in httpd.

What version of OpenSSL are you using? Have you tried any other versions?

-chris
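The failure described in this thread (a wrong key passphrase leaving the async Tomcat start hung on OpenSSL's terminal prompt) can be caught before Tomcat is started. The script below is an added example, not code from the thread or from Tomcat/tcnative; it assumes the `openssl` CLI is on PATH and that the key and passphrase file paths are passed as arguments.

```shell
#!/bin/sh
# Preflight check for a PEM private key used by Tomcat/tcnative (added example).
# Confirms that the passphrase in PASS_FILE actually decrypts KEY_FILE, so a
# typo in the passphrase surfaces as a non-zero exit code in the init script
# instead of a blocked "Enter password :" prompt after "Tomcat started."
# Assumptions: openssl CLI available; passphrase stored on the first line of PASS_FILE.

# check_key_passphrase KEY_FILE PASS_FILE
#   returns 0 if the passphrase decrypts the key, 1 if it does not, 2 on unreadable input
check_key_passphrase() {
    key_file=$1
    pass_file=$2
    [ -r "$key_file" ]  || { echo "key not readable: $key_file" >&2; return 2; }
    [ -r "$pass_file" ] || { echo "passphrase file not readable: $pass_file" >&2; return 2; }
    # -passin file: hands the passphrase over non-interactively; stdin is /dev/null so
    # OpenSSL can never fall back to its built-in terminal prompt and hang the start.
    if openssl pkey -in "$key_file" -passin "file:$pass_file" -noout </dev/null 2>/dev/null; then
        return 0
    fi
    echo "passphrase in $pass_file does not decrypt $key_file" >&2
    return 1
}

# Usage in an init script, before starting Tomcat (paths are placeholders):
#   check_key_passphrase /path/to/key.pem /path/to/key.pass || exit 1
```

An unencrypted key passes the check unchanged, because `-passin` is ignored when no decryption is needed.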
