From: Doug MacEachern
Date: Thu, 28 Feb 2002 01:47:26 +0000 (+0000)
Subject: always reusing existing private key for given vhost on restarts if key
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fd7b3335a91c1f2979fe24d105c9b5c0f2fbb1e;p=thirdparty%2Fapache%2Fhttpd.git

always reusing existing private key for given vhost on restarts if key is encrypted and mtime stamp has not changed. this prevents getting prompted twice for passphrase on windows and elsewhere when server is started with -DNO_DETACH.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@93620 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/ssl_engine_pphrase.c b/ssl_engine_pphrase.c
index a7a7651fe0c..98cdad356e7 100644
--- a/ssl_engine_pphrase.c
+++ b/ssl_engine_pphrase.c
@@ -299,18 +299,17 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
         }
         /*
-         * isatty() returns false once httpd has detached from the terminal.
          * if the private key is encrypted and SSLPassPhraseDialog is configured to "builtin"
          * it isn't possible to prompt for a password. in this case if we already have a
          * private key and the file name/mtime hasn't changed, then reuse the existing key.
          * of course this will not work if the server was started without LoadModule ssl_module
          * configured, then restarted with it configured. but we fall through with a chance of
          * success if the key is not encrypted. and in the case of fallthrough, pkey_mtime and
-         * isterm values are used to give a better idea as to what failed.
+         * isatty() are used to give a better idea as to what failed.
+         * even if we could prompt for password again, users won't like getting prompted twice
+         * at startup.
          */
-        if ((sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) &&
-            !(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
-        {
+        if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) {
             char *key_id = apr_psprintf(p, "%s:%s", cpVHostID, "RSA");
             /* XXX: check for DSA key too? */
             ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);
@@ -380,7 +379,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
              * Ok, anything else now means a fatal error.
              */
             if (cpPassPhraseCur == NULL) {
-                if (nPassPhraseDialogCur && pkey_mtime && !isterm) {
+                if (nPassPhraseDialogCur && pkey_mtime &&
+                    !(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
+                {
                     ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                             "Init: Unable read passphrase "
                             "[Hint: key introduced or changed before restart?]");
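Review bot: The retained sentence `it isn't possible to prompt for a password` no longer matches the new condition, which now takes the key-reuse path for every builtin-dialog vhost whether or not a terminal is attached; only the two added lines explain the attached-terminal case. Rewording the head of the comment to ` * if the private key is encrypted and SSLPassPhraseDialog is "builtin", avoid prompting again on restart: prompting is impossible once detached and unwanted even when it is possible.` keeps the rationale in one place. Separately, the reuse decision rests on file name and mtime alone (the comparison itself is outside the hunk), so a key file replaced with its timestamp preserved, or within the same mtime granularity, would keep serving the previous in-memory key until a full stop; a comment stating that limitation, or additionally comparing the file size, would help operators who rotate keys across restarts. ssl_pphrase_Handle begins before this hunk.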
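Review bot: `isterm` is now assigned only when `nPassPhraseDialogCur && pkey_mtime` holds and evaluation reaches the isatty() call; the removed code set it unconditionally at the top of the builtin branch, so any later read of `isterm` (its declaration and other uses are outside the hunk) would see an unassigned value whenever the condition short-circuits. If the value is only needed for this diagnostic, hoisting the assignment keeps the condition free of side effects: `isterm = isatty(fileno(stdout)); /* XXX: apr_isatty() */` on its own line before the `if`, with the condition reduced to `if (nPassPhraseDialogCur && pkey_mtime && !isterm) {`. The enclosing ssl_pphrase_Handle starts before the hunk and continues after it.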