- /*
- * Free the X509 structure
- */
- X509_free(pX509Cert);
-
- /*
- * Read in the private key: This is the non-trivial part, because the
- * key is typically encrypted, so a pass phrase dialog has to be used
- * to request it from the user (or it has to be alternatively gathered
- * from a dialog program). The important point here is that ISPs
- * usually have hundrets of virtual servers configured and a lot of
- * them use SSL, so really we have to minimize the pass phrase
- * dialogs.
- *
- * The idea is this: When N virtual hosts are configured and all of
- * them use encrypted private keys with different pass phrases, we
- * have no chance and have to pop up N pass phrase dialogs. But
- * usually the admin is clever enough and uses the same pass phrase
- * for more private key files (typically he even uses one single pass
- * phrase for all). When this is the case we can minimize the dialogs
- * by trying to re-use already known/entered pass phrases.
- */
- if (sc->server->pks->key_files[j] != NULL)
- apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));
-
- /*
- * Try to read the private key file with the help of
- * the callback function which serves the pass
- * phrases to OpenSSL
- */
- myCtxVarSet(mc, 1, pServ);
- myCtxVarSet(mc, 2, p);
- myCtxVarSet(mc, 3, aPassPhrase);
- myCtxVarSet(mc, 4, &nPassPhraseCur);
- myCtxVarSet(mc, 5, &cpPassPhraseCur);
- myCtxVarSet(mc, 6, cpVHostID);
- myCtxVarSet(mc, 7, an);
- myCtxVarSet(mc, 8, &nPassPhraseDialog);
- myCtxVarSet(mc, 9, &nPassPhraseDialogCur);
- myCtxVarSet(mc, 10, &bPassPhraseDialogOnce);
-
- nPassPhraseCur = 0;
- nPassPhraseRetry = 0;
- nPassPhraseDialogCur = 0;
- bPassPhraseDialogOnce = TRUE;
-
- pPrivateKey = NULL;
-
- for (;;) {
- /*
- * Try to read the private key file with the help of
- * the callback function which serves the pass
- * phrases to OpenSSL
- */
- if ((rv = exists_and_readable(szPath, p,
- &pkey_mtime)) != APR_SUCCESS ) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
- "Init: Can't open server private key file "
- "%s",szPath);
- ssl_die();
- }
-
- /*
- * if the private key is encrypted and SSLPassPhraseDialog
- * is configured to "builtin" it isn't possible to prompt for
- * a password after httpd has detached from the tty.
- * in this case if we already have a private key and the
- * file name/mtime hasn't changed, then reuse the existing key.
- * we also reuse existing private keys that were encrypted for
- * exec: and pipe: dialogs to minimize chances to snoop the
- * password. that and pipe: dialogs might prompt the user
- * for password, which on win32 for example could happen 4
- * times at startup. twice for each child and twice within
- * each since apache "restarts itself" on startup.
- * of course this will not work for the builtin dialog if
- * the server was started without LoadModule ssl_module
- * configured, then restarted with it configured.
- * but we fall through with a chance of success if the key
- * is not encrypted or can be handled via exec or pipe dialog.
- * and in the case of fallthrough, pkey_mtime and isatty()
- * are used to give a better idea as to what failed.
- */
- if (pkey_mtime) {
- ssl_asn1_t *asn1 =
- ssl_asn1_table_get(mc->tPrivateKey, key_id);
-
- if (asn1 && (asn1->source_mtime == pkey_mtime)) {
- ap_log_error(APLOG_MARK, APLOG_INFO,
- 0, pServ,
- "%s reusing existing "
- "%s private key on restart",
- cpVHostID, ssl_asn1_keystr(i));
- using_cache = 1;
- break;
- }
- }