
Bug#136052: apache-ssl in woody/stable can't use encrypted keys



Hi Ben,

> I've lost the context here - wasn't this the problem that turned out to 
> be some library closing stdin (in which case, even if I stop Apache-SSL 
> from dying, you are still screwed, coz there's nowhere to read the 
> passphrase from)? Or am I confused?

Maybe I am confused also :-(

Here is the problem:
The apache-ssl package (1.3.26.1+1.48-0woody2) in the current stable
version 3.0 ("woody") of Debian GNU/Linux does not work with passphrase
protected keys; this is reported in the bug tracking system.
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=136052&repeatmerged=yes)
Even if you give the correct passphrase, the server does not start,
and the error log says "routines:DEF_CALLBACK:problems getting password".

As far as I can see, this problem is Debian specific even though
there doesn't seem to be anything special in the debian version
of apache-ssl

> Debian apache-ssl has everything which is in Debian apache plus the
> SSLpatch; nothing special.

which is puzzling.

By an analysis of the system call trace Christoph pointed out that
the configuration file is parsed twice when starting apache-ssl.
The first time when the configuration is parsed, the passphrase
is read from the tty and everything seems ok. When parsing the
config file a second time, the process cannot read from the tty

> open("/dev/tty", O_RDONLY)         -1 ENXIO (No such device or address)

and thus cannot access the key data.

Trying to fix the flaw, several questions arise:

Is apache-ssl supposed to read the config file twice?
If so, any idea how to prevent the process from detaching
from the tty? Do we have to type the passphrase twice then?
If apache-ssl should read the config file only once, then
somehow the program flow deviates from the usual path.
Or is it a matter of putting the SSL directives in a
separate config file (srm.conf, httpd.conf or whatever)
that is only parsed once?

Any useful information is appreciated :-)

Cheers, Thomas
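As an added illustration (not part of this message or of apache-ssl itself), the following C program reproduces the failure mode described above: a child that detaches with setsid(), as a daemon does, can no longer open /dev/tty, so any passphrase callback that runs after that point fails. The function names are my own.

```c
/* Added example: why a detached daemon cannot read a key passphrase
 * from /dev/tty.  Linux/POSIX only; function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to open the controlling terminal; return 0 on success, else errno. */
int probe_tty(void)
{
    int fd = open("/dev/tty", O_RDONLY);
    if (fd < 0)
        return errno;            /* ENXIO once there is no controlling tty */
    close(fd);
    return 0;
}

/* Run probe_tty() in a child that first detaches with setsid(), the way
 * a daemon does; return the child's errno (0 = tty still reachable). */
int probe_tty_after_setsid(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (setsid() < 0)        /* new session: no controlling terminal */
            _exit(errno);
        _exit(probe_tty());      /* errno values are small, fit exit status */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return ECHILD;
    return WEXITSTATUS(status);
}

int main(void)
{
    int before = probe_tty();
    int after = probe_tty_after_setsid();
    printf("before detaching: %s\n", before ? strerror(before) : "ok");
    printf("after setsid():   %s\n", after ? strerror(after) : "ok");
    /* Mitigation: prompt for the passphrase before the server detaches,
     * or the second configuration pass has no terminal to read from. */
    return 0;
}
```

Run it from an interactive terminal to see the first probe succeed and the second fail with "No such device or address", matching the strace line quoted above.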
