httpd-dev mailing list archives

From Jan Kaluža <jkal...@redhat.com>
Subject Re: svn commit: 1573360 - SSLPassPhraseDialog arguments changed in 2.4.x
Date Mon, 14 Apr 2014 08:47:41 GMT
On 04/12/2014 12:37 PM, Kaspar Brand wrote:
> [picking this up from the comment in "Re: svn commit: r1585902 - ..."]
>
> On 09.04.2014 21:56, Jeff Trawick wrote:
>> IMO this needs to be reworked to restore compatibility for 2.x up
>> through 2.4.7, with the new interface used if some new keyword is
>> added on the directive. Yeah, some people who reworked their scripts
>> will have to add that new keyword, but this will unblock others
>> (vendors, distros, individuals) from upgrading without surprise.
>
> We can partly restore the argument structure for "exec"-type programs,
> but effectively, lifting the limit of 2 (or 3) certs per SSL host means
> that there's no longer a reliable way of determining if we are actually
> loading an "RSA", "DSA", or "ECC" key when calling the
> SSLPassPhraseDialog program.

It would be useful to have the same arguments as before, but if that's 
not possible to do in all cases now, I would say just increasing the 
argument count won't help anything.

> One option for improving backward compatibility with existing
> SSLPassPhraseDialog programs could consist of keeping the two-argument
> structure (servername:portnumber and index), and to replace the indexes
> 0 through 2 with the "RSA", "DSA", and "ECC" strings, respectively, as
> illustrated by the attached patch (quickly hacked up PoC).

I will check the patch. I have some patch here too, but it's not ready 
yet (found that after some more testing during the weekend...).

> The primary question is on what arguments existing passphrase handling
> programs are specifically relying - i.e. if it's mostly about only
> having servername:portnumber in the first argument, or whether the
> accuracy of RSA/DSA/ECC is equally important.

I have already asked the original reporter of this incompatibility, but 
I have not received the answer yet. I will try to ask him again and will 
write an email if I get the response this time.

My guess is that they are just using that second argument in the script 
and since the argument is not here, the script is failing now. I don't 
think it's used for anything more important than that, but I have no 
clue right now.

Anyway, would you merge your documentation patch into httpd-2.4 with a 
mention that it changed in 2.4.9?

> Kaspar
>

Jan Kaluza
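As an added illustration (not code from this thread or from httpd itself), a POSIX sh SSLPassPhraseDialog "exec:" helper that accepts both the pre-2.4.8 second argument (index 0 through 2) and the "RSA"/"DSA"/"ECC" strings proposed above, so one script survives the interface change. The PASS_DIR variable and the one-file-per-host-and-key-type layout are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from httpd: an SSLPassPhraseDialog
# "exec:" helper that accepts both the pre-2.4.8 second argument (index 0..2)
# and the RSA/DSA/ECC key-type strings proposed in this thread.
# Assumed (hypothetical) layout: one root-only file per host:port and key type
# under PASS_DIR, e.g. /etc/httpd/passphrases/www.example.com:443.RSA
PASS_DIR="${PASS_DIR:-/etc/httpd/passphrases}"

# key_type_for ARG: normalise the second argument to RSA, DSA or ECC.
# 0/1/2 follow the old index convention; the names pass through unchanged.
key_type_for() {
    case "$1" in
        0|RSA) echo RSA ;;
        1|DSA) echo DSA ;;
        2|ECC) echo ECC ;;
        *) return 1 ;;   # anything else (e.g. a bare index of 3 or more) is rejected
    esac
}

# passphrase_path SERVER ARG: build the file path. The server string comes
# from the vhost configuration, but refuse '/' and '..' anyway so a bad
# value can never select a file outside PASS_DIR.
passphrase_path() {
    case "$1" in
        ''|*/*|*..*) return 1 ;;
    esac
    key_type=$(key_type_for "$2") || return 1
    printf '%s/%s.%s\n' "$PASS_DIR" "$1" "$key_type"
}

# main: httpd invokes the program as "$0 servername:portnumber keyarg" and
# reads the passphrase from stdout. Diagnostics go to stderr, never stdout.
main() {
    if [ $# -ne 2 ]; then
        echo "$0: expected 2 arguments (servername:port RSA|DSA|ECC|0|1|2), got $#" >&2
        exit 1
    fi
    path=$(passphrase_path "$1" "$2") || { echo "$0: bad arguments: $*" >&2; exit 1; }
    [ -r "$path" ] || { echo "$0: no passphrase file $path" >&2; exit 1; }
    cat "$path"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A missing second argument (the 2.4.8 behaviour this thread reports) is refused with an explicit message on stderr rather than silently handing out a passphrase, which makes the incompatibility visible in the error log at startup.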

